Nonce Reuse

Nonce reuse is one of the most dangerous failure modes in digital signatures, including the ECDSA and Schnorr schemes Bitcoin uses. Every signature requires a secret one-time random value, the nonce. If a signer ever produces two signatures over different messages using the same nonce and the same private key, an observer can recover that private key with simple algebra. The funds protected by that key are then trivially stealable.

The Math of the Leak

In Schnorr signing, each signature has the form s = r + e·x, where r is the nonce, x is the private key, and e is a per-message challenge hash. Two signatures sharing the same r over different messages give two equations with only two unknowns. Subtracting them cancels the nonce and yields x = (s1 - s2) / (e1 - e2) modulo the curve order. There is no brute force involved; the key falls out directly.

Bitcoin's Defenses

BIP340 hardens Schnorr signing against this by deriving the nonce from a tagged hash of the private key, the message, the public key, and fresh auxiliary randomness. The spec stresses that the nonce must be unpredictable and never partially leaked. It also warns that mixing RFC6979-deterministic nonces across different signing schemes with the same key can itself cause a cross-protocol reuse leak. Even a slight statistical bias in nonces, given enough signatures, can be enough to recover the key.

This is why the Schnorr signature standard mandates careful nonce derivation, and why interactive aggregate protocols add extra rounds, as discussed under signature aggregation.