# DSA - reusing NONCE

A crypto module computing digital singatures with DSA was infected with a malicious program. It caused two signatures to be generated from two different messages using the same NONCE k. Compute the value of the private key, given the public parameters (p, q, g), public key y, messages m_1, m_2 and signatures (r_1, s_1) a (r_2, s_2), where the hash function is SHA-1 and:

In [1]:
import hashlib

In [2]:
p = 130858654869791629821164827405704486808484325400695017176436089171363953174803169341783555373215075614114465991900855153261492152633662438773188376262979282101753394454977993579816854383830900528351206089343265102338373900869810884532342186375732537448146335182616800945419546009892443656248994289078702932401
q = 1145453138964420393547388172384121951637470359533
g = 4510475759927193526244850661638601201466195136403848318403359059899867868318147275934379724895322117241223218798069129765949195037342214140393033814169823170684197166558267035082959568504164187769201853006016871456716631831496741971210395589377317000612633487892357425274282531110618387991431638379437562001
m_1 = "IOU $1000"
m_2 = "Merry Christmas"
r_1 = r_2 = 916128381002192237330415624031916695461722389304
s_1 = 1016140177410528212949844490506968808343879600370
s_2 = 767135282992918681484216676594223285185365265436

In [3]:
def H(msg: str) -> int:
    binary_digest = hashlib.sha1(msg.encode()).digest()
    return int.from_bytes(binary_digest, byteorder='big')

In [4]:
k = pow(s_1 - s_2, -1, q) * (H(m_1) - H(m_2)) % q
print(f"Nonce: {k}")

Nonce: 290906610810690179972018179239952193088672167188


In [5]:
x = (s_1 * k - H(m_1)) * pow(r_1, -1, q) % q
print(f"Private key: {x}")

Private key: 555336883567305608284725219102191211489862726405
