Nonce Reuse Attack
Imagine you want to sign this transaction: tx
The Schnorr signature equation is:
S = k - h(R, P, tx) * x
Don't worry, we'll explain it step by step!
Step 1: Breaking down the equation
S = k - h(R, P, tx) * x
- P → Your public key (P = x·G, where G is the generator point)
- x → Your private key
- R → The public nonce point (R = k·G), published as part of the signature
- tx → The transaction you are signing
- h(...) → A hash function, computed over R, P and tx
- k → The nonce you choose randomly (and must keep secret)
Step 2: Signing the transaction
Now we have all parameters needed to sign the transaction:
S = k - h(R, P, tx) * x
When you sign a tx, you choose k randomly; that's your nonce. The signature you publish is the pair (R, S).
But let's say you have a new transaction tx2, and you accidentally reuse the same nonce k:
S2 = k - h(R, P, tx2) * x
Because the same k gives the same R, anyone can see that the two signatures share a nonce.
Step 3: What happens next?
An attacker (or anyone observing both signatures) can subtract the two equations. The unknown k cancels out:
S - S2 = h(R, P, tx2) * x - h(R, P, tx) * x = ( h(R, P, tx2) - h(R, P, tx) ) * x
Rearrange to recover your private key (all arithmetic is modulo the group order n, so the division is a modular inverse):
x = (S - S2) / ( h(R, P, tx2) - h(R, P, tx) )
⚠️ All of the ingredients on the right-hand side are public:
- S, S2 are published in the signatures
- the h(...) values can be computed from R, P, tx, tx2
So your private key x is leaked if the same k is reused.
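The three steps above, carried out end to end in working code. This is an added example, not part of the original page: it implements the page's signing equation S = k - h(R, P, tx) * x over secp256k1 in pure Python, instantiates h(R, P, tx) as SHA-256 over the encoded points and the message (an assumption; the page leaves the hash abstract), signs two constructed transactions with the same k, and recovers x exactly as in Step 3. The transaction bytes are constructed sample inputs.

```python
"""Nonce-reuse attack against the page's Schnorr variant S = k - h(R, P, tx) * x.

Added worked example. The hash instantiation (SHA-256 over R || P || tx) and the
point encoding are assumptions made here so the code runs; they are not
taken from the original page. Requires Python 3.8+ for pow(a, -1, m).
"""
import hashlib
import secrets

# secp256k1 curve parameters: field prime, group order and generator
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, pubkey, tx):
    """h(R, P, tx) from the page, instantiated as SHA-256 (assumption)."""
    data = encode_point(R) + encode_point(pubkey) + tx
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(x, k, tx):
    """Return (R, S) with S = k - h(R, P, tx) * x  (mod N), the page's equation."""
    R = scalar_mult(k, G)
    pubkey = scalar_mult(x, G)
    S = (k - challenge(R, pubkey, tx) * x) % N
    return R, S


def verify(pubkey, tx, sig):
    """Check S*G + h(R,P,tx)*P == R, which holds because S*G = k*G - h*x*G."""
    R, S = sig
    e = challenge(R, pubkey, tx)
    return point_add(scalar_mult(S, G), scalar_mult(e, pubkey)) == R


def recover_private_key(pubkey, tx1, sig1, tx2, sig2):
    """Step 3 of the page: x = (S - S2) / (h(R,P,tx2) - h(R,P,tx))  (mod N).

    Only public data is used. Reuse is detectable because both signatures
    carry the same R; with distinct R the subtraction does not cancel k.
    """
    R1, S1 = sig1
    R2, S2 = sig2
    if R1 != R2:
        raise ValueError("nonces differ (R1 != R2); the attack does not apply")
    h1 = challenge(R1, pubkey, tx1)
    h2 = challenge(R2, pubkey, tx2)
    # pow(0, -1, N) raises ValueError if h1 == h2, i.e. a hash collision
    return (S1 - S2) * pow(h2 - h1, -1, N) % N


def demo():
    """Fresh random key, one reused nonce, two constructed transactions."""
    x = secrets.randbelow(N - 1) + 1
    k = secrets.randbelow(N - 1) + 1          # reused below: the mistake
    pubkey = scalar_mult(x, G)
    tx1 = b"constructed tx: pay 1 BTC to Alice"
    tx2 = b"constructed tx: pay 2 BTC to Bob"
    sig1 = sign(x, k, tx1)
    sig2 = sign(x, k, tx2)
    recovered = recover_private_key(pubkey, tx1, sig1, tx2, sig2)
    return verify(pubkey, tx1, sig1) and verify(pubkey, tx2, sig2) and recovered == x


if __name__ == "__main__":
    print("private key recovered from two signatures:", demo())
```

The recovery needs nothing but the two published (R, S) pairs, the public key and the two messages; the shared R is also what makes reuse visible to anyone watching the chain.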
❌ DON'T REUSE NONCE
Even reusing a single nonce across two signatures leaks your private key. Use a fresh, uniformly random nonce for every signature, or derive k deterministically from the private key and the message (as RFC 6979 and BIP340 do), so that a different message can never produce the same k.
Read more about Nonce Reuse Attack https://bitcoindevs.xyz/decoding/nonce-reuse-attack