Yes, a signer can recover their own nonce.
Let z be the hash of a message to sign, d a private key, G the generator point of secp256k1, and n the integer order of G. An ECDSA signature {r, s} is generated as follows:
- Choose a random integer nonce k from [1, n-1]
- Calculate its curve point (x1, y1) = k × G
- r = x1 mod n
- s = k⁻¹(z + rd)
Because {z, r, d, s} are known to the signer, the signer can recover k from their own signature:
- k = s⁻¹(d × r + z)
The signer is now presented with a foreign signature {r, s2} for the hash of a second message z2 that uses the same r as their own signature. Since r derives directly from k, the other signature must have been created using the same nonce k that the signer used.
Using this, they can calculate the private key used in the other signature, given the public information {r, s2, z2} and their private knowledge of k:
- s2 = k⁻¹(z2 + rd2)
- ks2 = z2 + rd2
- rd2 = ks2 - z2
- d2 = r⁻¹(ks2 - z2)
Using a nonce another user has used before leaks your private key to the other signer. Note that under normal circumstances it is infeasible to randomly generate the same nonce, so either a non-random nonce has to have been used in the first place, or the nonce was shared between the two signers.
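The derivation above carried through in code, as an added example that is not part of the original answer: a minimal self-contained secp256k1 ECDSA in plain Python (no external library) that signs two different hashes with one shared nonce, recovers k from the first signer's own signature, and then recovers the second signer's private key d2. All keys, nonces and hashes are constructed toy values, and the function names are this example's own.

```python
# Added example, not from the original answer: minimal secp256k1 ECDSA showing
# how a signer who knows their own nonce k recovers the private key d2 of any
# other signer who used the same k. All secrets below are constructed toy values.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    # Affine addition/doubling on y^2 = x^3 + 7 over F_P; None is the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, point=G):
    # Double-and-add scalar multiplication k × point.
    result = None
    while k:
        if k & 1: result = add(result, point)
        point, k = add(point, point), k >> 1
    return result

def sign(z, d, k):
    # ECDSA with a caller-supplied nonce k (the value that must never be reused).
    r = mul(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def recover_own_nonce(z, d, r, s):
    # k = s^-1 (z + r d): every term on the right is known to the signer of {r, s}.
    return pow(s, -1, N) * (z + r * d) % N

def recover_other_key(k, r, s2, z2):
    # d2 = r^-1 (k s2 - z2): {r, s2, z2} are public, k is the shared nonce.
    return pow(r, -1, N) * (k * s2 - z2) % N

def demo():
    # Constructed scenario: two signers use the same nonce k on different hashes.
    d1, d2, k, z1, z2 = 0x1111, 0x2222, 0x3333, 0xAAAA, 0xBBBB
    r1, s1 = sign(z1, d1, k)
    r2, s2 = sign(z2, d2, k)
    assert r1 == r2            # equal r is how the nonce reuse is noticed
    k_rec = recover_own_nonce(z1, d1, r1, s1)
    return d2, recover_other_key(k_rec, r2, s2, z2)
```

`demo()` returns the real d2 beside the recovered one; the two are equal, which is the leak the answer describes.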
