gmaxwell:
Then, what causes the privkey to be revealed? (What this thread is about)
What I have understand, is that if the nonce are reused in a ECDSA signature, the privkey can be calculated, given that you know that the 2 nonces are equal, even if the nonce is unknown, since you simply solve a equation to get the privkey?
Two things can happen, given two distinct messages with the same unknown K you can recover K, or Given K you can recover the private key. (also, knowing fairly small amounts of K in several signatures can also allow you to recover the key through more complicated techniques)
If the nonce is H(message||secret) then if you have identical data being signed you will get a completely identical signature and learn nothing (otherwise I could crack any key by just writing another copy of the same transaction down!
). If you have non-identical data being signed you will have non identical nonces.