
Nonce Reuse Attack

Imagine you want to sign this transaction, call it tx.

The Schnorr signature equation is:

S = k - h(R, P, tx) * x

Don't worry, we'll explain it step by step!

Step 1: Breaking down the equation

S = k - h(R, P, tx) * x
  • P → Your public key
  • x → Your private key
  • tx → The transaction you are signing
  • h(...) → A hash function, computed over R, P and the transaction
  • k → The nonce you choose randomly
  • R → The public nonce point (R = k * G), published together with S

Step 2: Signing the transaction

Now we have all parameters needed to sign the transaction:

S = k - h(R, P, tx) * x

When you sign a tx, you choose k randomly, that’s your nonce.

But let’s say you have a new transaction tx2, and you accidentally reuse the same nonce k:

S2 = k - h(R, P, tx2) * x

Step 3: What happens next?

An attacker (or anyone observing both signatures) can subtract them. Because k is the same in both, it cancels out:

S - S2 = h(R, P, tx2) * x - h(R, P, tx) * x

Rearrange to recover your private key:

x = (S - S2) / ( h(R, P, tx2) - h(R, P, tx) )

⚠️ All of the ingredients on the right-hand side are public:
  • S, S2 are published in the signatures
  • h(...) values can be computed from R, P, tx, tx2

So your private key x is leaked if the same k is reused.
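To see the arithmetic above actually work, here is an added example (not part of the original post) with a minimal Schnorr implementation over secp256k1 that follows the post's convention S = k - h(R, P, tx) * x. The curve constants are the real secp256k1 parameters; the private key, nonce and transaction bytes are constructed test values, and the hash layout of h(...) is an assumption for illustration.

```python
# Added example: toy Schnorr over secp256k1 using S = k - h(R, P, tx) * x,
# and the private-key recovery that a reused nonce makes possible.
import hashlib

# secp256k1 parameters (field prime, group order, generator point)
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P_FIELD == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_FIELD) % P_FIELD
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_FIELD) % P_FIELD
    x = (lam * lam - a[0] - b[0]) % P_FIELD
    return (x, (lam * (a[0] - x) - a[1]) % P_FIELD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(R, P, tx):
    """Challenge h(R, P, tx): SHA-256 over the x-coordinates and tx, reduced mod N (assumed layout)."""
    data = R[0].to_bytes(32, "big") + P[0].to_bytes(32, "big") + tx
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(x, k, tx):
    """S = k - h(R, P, tx) * x, exactly as in the post. Returns (R, S)."""
    R, P = ec_mul(k, G), ec_mul(x, G)
    return R, (k - h(R, P, tx) * x) % N

def verify(P, tx, sig):
    """Valid iff S*G + h(R, P, tx)*P == R, which follows from the signing equation."""
    R, S = sig
    return ec_add(ec_mul(S, G), ec_mul(h(R, P, tx), P)) == R

def recover_private_key(P, tx1, sig1, tx2, sig2):
    """x = (S - S2) / (h2 - h1) mod N; only works because the shared k cancels."""
    (R1, S1), (R2, S2) = sig1, sig2
    if R1 != R2:  # the same k always gives the same R, so reuse is visible on-chain
        raise ValueError("different nonces, nothing to recover")
    e1, e2 = h(R1, P, tx1), h(R2, P, tx2)
    return (S1 - S2) * pow(e2 - e1, -1, N) % N
```

Signing two different transactions with the same constructed k and feeding both signatures to `recover_private_key` returns the original x; with distinct nonces the R values differ and the subtraction no longer cancels k.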


❌ DON'T REUSE NONCES

Even reusing a single nonce across two signatures leaks your private key. Use a fresh random nonce (or deterministic nonces derived correctly) for every signature.


Read more about Nonce Reuse Attack https://bitcoindevs.xyz/decoding/nonce-reuse-attack

Wallet software does this by default correct?
