Score:1

Signing same message 2 times with ECDSA

ng flag

Can multiple signatures of the same message with the same private key (different nonces) lead to a private key trace?

Maarten Bodewes avatar
in flag
Hi Topolino, please [edit] the question and explain what you mean with "trace". Do you mean "expose", "track" or something different?
kelalaka avatar
in flag
And, what is the origin of this question, what have you tried?
kelalaka avatar
in flag
Hint, two-equation more than one unknowns.
Gilles 'SO- stop being evil' avatar
cn flag
What do you mean by “private key trace”? Do you mean allowing to recover the private key? Or do you mean revealing that the same private key was used each time? Or something else?
ng flag
Yes I mean recover the private key, sorry
Score:3
ng flag

In case leak was meant where the question has “trace”: in ECDSA, signing the same message twice with different nonces does not leak the private key or otherwise jeopardize security, including when message and public key are available to adversaries.

The same holds for any signature system secure under EF-CMA or stronger definitions of security.


From the description of signing operation in ECDSA, we see that changing the nonce $k$ changes $R$, $x_R$, $y_R$, $r$, $s$ (not $H$, $e$); thus including both components of the signature $S=(r,s)$.

ng flag
Thank you, I’m only a newbie trying to understand the theory: so which other parameter changes from one sign to the next except the nonce?
ng flag
but in the description of signing operation in ECDSA 3 k seems to be the private key... where can I find the exact definitions in that document? it seems to me they change notation in every chapter...
fgrieu avatar
ng flag
@Topolino: $k$ is not the private key. The private key is $d_U$. $k$ is a secret random integer in $[1,n)$, and can be called an _ephemeral_ private key. As far as I can tell the notation in the whole of [sec1v2](https://www.secg.org/sec1-v2.pdf) is consistent, and for sure things do not change arbitrarily within the [section on ECDSA](https://www.secg.org/sec1-v2.pdf#subsection.4.1). [Wikipedia's ECDSA article](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) uses $d_A$ and $Q_A$ where sec1 uses $d_U$ and $Q_U$, and assimilates integers to bitstrings, but is close.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.