How do you derive the private key from two signatures that share the same k value?

14

9

I wrote my own ECDSA signature algorithm just for the purpose of creating unit tests.

With it I created two signatures which went into transaction 56ec7ca7df..., sending from 1GXFXm3es.... These signatures used the same k values, although k values must never be reused.

Later on, someone was able to steal 0.0016 btc from 1GXFXm3es.... and send them to 17WRjamox6VhTUaHsTWfFnMNDYHvwCtWio.

So someone must be monitoring the blockchain for mistakes like this and stealing funds if they encounter them.

How do you derive the private key from two signatures that share the same k value?

Thorkil Værge

Posted 2018-04-08T12:13:12.360

Reputation: 637

For some more info about how to find k values while taking into account transaction malleability, see my answer: https://bitcoin.stackexchange.com/a/35850/6091

David Grayson 2018-04-09T17:51:54.660

Answers

24

ECDSA signatures are pairs (r,s) where r=(kG).x mod n, and s = (m + rx)/k mod n, where x is the secret key, k is the random nonce, and m is the message.

If you have two s values s1 and s2 for the same secret key and with the same nonce k (and thus the same value r), the following holds:

  • s1 = (m1 + r*x)/k
  • s2 = (m2 + r*x)/k

From that we can derive:

  • s1 * k = m1 + r*x
  • s2 * k = m2 + r*x
  • (s1 - s2) * k = m1 - m2
  • k = (m1 - m2) / (s1 - s2)
  • x = (s1 * (m1 - m2) / (s1 - s2) - m1) / r
  • x = (m1*s2 - m2*s1) / (r*(s1 - s2)) (all mod n)

So not only did you make it trivial to detect signatures with the same nonce (they have a recognizable r value), but there is also a trivial formula to compute the private key once someone sees two signatures.

This kind of attack has been known and actively exploited on the Bitcoin network since at least 2013: https://bitcointalk.to/index.php?topic=271486.0. Don't reuse k values. Use RFC6979 to deterministically but securely generate them.

Also note that it's not sufficient that the nonces are different. They also can't be related in a known way. For example, you can't use k for one signature and k+1 for the next.

Pieter Wuille

Posted 2018-04-08T12:13:12.360

Reputation: 54 032

2 Thank you. I wanted deterministic signatures so I just entered a fixed number for my unit tests. But RFC6979 is a much better solution. Thorkil Værge 2018-04-08T12:55:05.620

I ended up implementing RFC6979 and it made interacting with the signatures much easier. Thorkil Værge 2019-04-14T12:18:05.093
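The derivation in the answer above, as an added example that is not part of the original answer: pure-Python secp256k1 arithmetic, two ECDSA signatures made with the same nonce (the questioner's fixed-number mistake), the shared-r check that makes such signatures visible on the chain, and the formula x = (m1*s2 - m2*s1) / (r*(s1 - s2)) mod n. The key, messages and nonce used in the test are constructed values, not anything from the transaction in the question.

```python
# Added example (not the original answer's code): pure-Python secp256k1, ECDSA
# signing with an explicit nonce, and the recovery formula from the answer above.
P = 2**256 - 2**32 - 977                                  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:                   # p1 == -p2
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add: returns k * point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def sign(x, m, k):
    """ECDSA with the nonce passed in: r = (kG).x mod n, s = (m + r*x)/k mod n."""
    r = scalar_mult(k)[0] % N
    s = (m + r * x) * pow(k, -1, N) % N
    return (r, s)

def shares_nonce(sig1, sig2):
    """Detection check: a repeated r is the visible fingerprint of a reused k."""
    return sig1[0] == sig2[0]

def recover_private_key(sig1, m1, sig2, m2):
    """x = (m1*s2 - m2*s1) / (r*(s1 - s2)) mod n, valid only when r is shared.
    If one s was flipped to n - s by malleability, the caller must undo that first."""
    (r, s1), (_, s2) = sig1, sig2
    if not shares_nonce(sig1, sig2):
        raise ValueError("r values differ: the nonces were not reused")
    return (m1 * s2 - m2 * s1) * pow(r * (s1 - s2), -1, N) % N
```

Signing the two test messages with distinct nonces gives different r values, so the recovery raises; with the same nonce it returns the key exactly, which is what a unit test for a signer should assert can never happen.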

1

If you know two signatures made with one random number, you can calculate the private key.

D L

Posted 2018-04-08T12:13:12.360

Reputation: 478