1

Can multiple signatures of the same message with the same private key (different nonces) lead to a private key trace?

kelalaka
Topolino

1 Answer

3

In case leak was meant where the question has “trace”: in ECDSA, signing the same message twice with different nonces does not leak the private key or otherwise jeopardize security, including when message and public key are available to adversaries.

The same holds for any signature system secure under EF-CMA or stronger definitions of security.


From the description of signing operation in ECDSA, we see that changing the nonce $k$ changes $R$, $x_R$, $y_R$, $r$, $s$ (not $H$, $e$); thus including both components of the signature $S=(r,s)$.

fgrieu
  • Thank you, I’m only a newbie trying to understand the theory: so which other parameter changes from one sign to the next except the nonce? – Topolino Nov 18 '21 at 18:22
  • But in the description of signing operation in ECDSA 3 k seems to be the private key... Where can I find the exact definitions in that document? It seems to me they change notation in every chapter... – Topolino Nov 19 '21 at 18:39
  • @Topolino: $k$ is not the private key. The private key is $d_U$. $k$ is a secret random integer in $[1,n)$, and can be called an ephemeral private key. As far as I can tell the notation in the whole of sec1v2 is consistent, and for sure things do not change arbitrarily within the section on ECDSA. Wikipedia's ECDSA article uses $d_A$ and $Q_A$ where sec1 uses $d_U$ and $Q_U$, and assimilates integers to bitstrings, but is close. – fgrieu Nov 19 '21 at 19:31
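
The point made in the answer and comments above, as an added example that is not part of the original answer: a pure-Python ECDSA over secp256k1 with SHA-256, using the sec1 names $d_U$ (private key), $Q_U$ (public key) and $k$ (nonce). The key, message and the two fixed nonces are constructed for reproducibility; real nonces must be secret and uniformly random in $[1,n)$.

```python
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, base point G of prime order n
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):  # double-and-add; not constant time, illustration only
    R = None
    while k:
        R = add(R, P) if k & 1 else R
        P, k = add(P, P), k >> 1
    return R

def e_of(msg):  # e comes from H = SHA-256(msg) only, so it is independent of k
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(d_U, msg, k):  # nonce passed in explicitly so the demo is reproducible
    e = e_of(msg)
    r = mul(k, G)[0] % n                     # r = x_R mod n with R = kG
    s = pow(k, -1, n) * (e + r * d_U) % n    # s depends on k both directly and via r
    return e, r, s

def verify(Q_U, msg, r, s):
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = add(mul(e_of(msg) * w % n, G), mul(r * w % n, Q_U))
    return R is not None and R[0] % n == r

def demo():
    d_U, msg = 0x1D0C0FFEE, b"same message"  # constructed key and message
    Q_U = mul(d_U, G)
    (e1, r1, s1), (e2, r2, s2) = sign(d_U, msg, 0xA11CE), sign(d_U, msg, 0xB0B)
    return {"e_same": e1 == e2, "r_differs": r1 != r2, "s_differs": s1 != s2,
            "both_verify": verify(Q_U, msg, r1, s1) and verify(Q_U, msg, r2, s2)}

print(demo())
```

Each signature satisfies $s \cdot k \equiv e + r \cdot d_U \pmod n$, so every additional signature adds one relation and one new unknown $k$: two signatures of the same message give two such relations in the three unknowns $d_U$, $k_1$, $k_2$.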