2
I know it is well understood that it is not a good practice to use the same nonce while generating the signatures, but I am not getting the math right.
Assume I have some UTXOs that are controlled by my private key Q. Say I have spent two of the UTXOs using nonce 'N' to generate my signature. Now the (R,S) components of the signature are public and the transactions are public so everyone has access to them.
S1 = N^(-1)*[hash(m1) + Q*R] mod p
S2 = N^(-1)*[hash(m2) + Q*R] mod p
S1 - S2 = N^(-1)*[hash(m1) - hash(m2)] mod p
Even though we know S1, S2, m1 and m2, isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
Possible duplicate of How do you derive the private key from two signatures that share the same k value?
– MCCCS – 2019-03-29T15:44:33.667Not necessarily. My question asks further expansion of the answer derived from that question, asking how solving for N^(-1) is not finding a solution to the discrete logarithm problem. – Ugam Kamat – 2019-04-01T07:24:12.213