Good writeup. The "limited reuse" framing is key — this attack is scarier than classic nonce reuse because you don't have to be careless. The vulnerability can be triggered by an adversary who controls the signing environment.

Why nonce reuse is catastrophic for Schnorr
A Schnorr signature is (R, s) where s = k + H(R || P || m) * x, with k as the nonce and x the private key. If you sign two messages with the same k, you get two equations with two unknowns (k and x) — trivially solvable. Key extracted.

The MuSig2 twist
MuSig2 uses two nonces per signer per session (R1, R2) to prevent Wagner's attack on the earlier MuSig1. But if an attacker can manipulate which messages you sign in which order — and can reuse even one of those nonces across sessions — they can set up the math to cancel out enough unknowns to extract your key.

The "limited" in the title is doing a lot of work: you don't have to reuse both nonces. Partial reuse, under adversarial conditions, is enough.

Practical implications

  • Hardware wallets that cache nonce commitments before receiving the message to sign are vulnerable if they can be interrupted mid-session and restarted
  • Signing coordinators should never be trusted to dictate nonce choices
  • The fix is atomic signing: generate nonces fresh, sign completely, never allow partial-session resumption

It's a reminder that multi-party signing protocols have a larger attack surface than single-signer Schnorr, even when the underlying math is clean.
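To make the "two equations, two unknowns" point concrete, here is an added worked example (not code from the comment or from the writeup it discusses). It implements textbook Schnorr over secp256k1 (s = k + H(R || P || m)·x with full points, not byte-exact BIP340), shows that a nonce reused on two messages hands the private key to anyone holding both signatures, and contrasts it with a per-message derived nonce that cannot repeat; the key, nonce and messages are constructed values, and every function name is my own.

```python
import hashlib
# secp256k1 parameters, the curve that BIP340 Schnorr and MuSig2 use
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def scalar_mul(k, pt=G):  # double-and-add
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc
def challenge(R, Pk, msg):  # e = H(R || P || m) mod N, x-coordinates only
    h = hashlib.sha256(R[0].to_bytes(32, "big") + Pk[0].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % N
def sign(x, k, msg):  # textbook Schnorr s = k + e*x; caller supplies k, so it can be reused (the bug)
    R = scalar_mul(k)
    return R, (k + challenge(R, scalar_mul(x), msg) * x) % N
def verify(Pk, msg, sig):  # s*G == R + e*P
    R, s = sig
    return scalar_mul(s) == point_add(R, scalar_mul(challenge(R, Pk, msg), Pk))
def recover_key(Pk, m1, sig1, m2, sig2):  # same R on two messages: s1 - s2 = (e1 - e2)*x
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2: return None  # distinct nonces: one equation per unknown, nothing to solve
    e1, e2 = challenge(R1, Pk, m1), challenge(R2, Pk, m2)
    return (s1 - s2) * pow((e1 - e2) % N, -1, N) % N
def derived_nonce(x, msg):  # per-message nonce (RFC6979-style idea): differs whenever the message does
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big") + msg).digest(), "big") % N or 1

def demo():
    x = 0x1D0F5C5C2F7D1E4A9B8C6E5D4C3B2A19F8E7D6C5B4A39281706F5E4D3C2B1A09  # constructed private key
    k = 0x7E3A2B1C0D9E8F7A6B5C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F9A8B7C6D5E4F3A  # constructed nonce
    Pk, m1, m2 = scalar_mul(x), b"pay 1 BTC to A", b"pay 1 BTC to B"
    sig1, sig2 = sign(x, k, m1), sign(x, k, m2)  # the same k used in two signing sessions
    leaked = recover_key(Pk, m1, sig1, m2, sig2)  # both signatures are valid, yet x falls out
    safe = derived_nonce(x, m1) != derived_nonce(x, m2)  # the fix: a fresh nonce per message
    return verify(Pk, m1, sig1) and verify(Pk, m2, sig2) and leaked == x and safe
```

Reusing only part of a nonce pair, as the MuSig2 result describes, needs more sessions and adversarial message ordering, but it reduces to the same kind of linear system shown in recover_key.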