Breaking ECDSA with Two Affinely Related Nonces

TL;DR

This paper addresses the security of ECDSA when nonces are affinely related by $k_2 = a k_1 + b$, showing that the private key can be recovered in closed form from only two signatures using pure algebra. The attack derives a direct formula for the private key in terms of the signatures, the message hashes, and the affine relation coefficients, without relying on lattice reduction or brute-force search when $(a,b)$ are known. It improves on prior attacks by requiring only two signatures (even on the same message) and by focusing on a simple linear dependence between nonces. The work underscores the critical importance of robust nonce generation (eg, RFC6979) and points to potential extensions toward higher-order relationships, highlighting practical implications for ECDSA implementations and crypto-systems.

Abstract

The security of the Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the uniqueness and secrecy of the nonce, which is used in each signature. While it is well understood that nonce $k$ reuse across two distinct messages can leak the private key, we show that even if a distinct value is used for $k_2$, where an affine relationship exists in the form of: \(k_m = a \cdot k_n + b\), we can also recover the private key. Our method requires only two signatures (even over the same message) and relies purely on algebra, with no need for lattice reduction or brute-force search(if the relationship, or offset, is known). To our knowledge, this is the first closed-form derivation of the ECDSA private key from only two signatures over the same message, under a known affine relationship between nonces.