
It’s well known that in ECDSA, if two signatures are created using the same private key and the same nonce k, the private key can be recovered due to the linear relationship between signature components.

Setup:

  • Two ECDSA signatures, (r1, s1) and (r2, s2), are generated.
  • The signatures are over different messages.
  • Both signatures use the same curve and hashing scheme (e.g., secp256k1 with SHA256).
  • The nonce k used in signing is identical for both signatures.
  • The private keys used are completely unrelated.

Questions:

  • But what if 2 signatures share the same nonce but use an unrelated private key?
    • Is it possible to recover at least 1 of the private keys in such a case?
    • Or is nonce reuse only exploitable when the same private key is involved?
Mario
user2284570

1 Answer

No, under the assumption that both signatures were generated securely. The main reason, and the short answer, is that you still have three unknowns and only two equations. The system is:

$$ sk \equiv h + rd \pmod{n} \\ s'k \equiv h' + rd' \pmod{n}$$

thus it is underdetermined. If this is not clear, it is recommended to read the longer answer below.

ECDSA Recap

During signing you choose two secret scalars: $d$, the secret key, and $k$, the ephemeral secret key, such that $k, d \in [1, n-1]$, where $n$ is the order of the subgroup.

Then you calculate the ephemeral public key using scalar multiplication: $k.G = R$, where $G$ is the generator. You set the variable $r$ as $r = \mathtt{x-coordinate}(R)$.

Then you take the message you want to sign and hash it using a cryptographic hash function $H$, and set the variable $h$ as $h = H(\mathit{message})$.

Once you have all these things you calculate signature as follows:

$$s \equiv k^{-1}(h+rd) \pmod{n}$$

After doing so you broadcast the public key $Q = d.G$ along with your message and $(r, s)$.

A person who is verifying calculates

$$(hs^{-1})G + (r s^{-1})Q = P$$

and checks whether $\mathtt{x-coordinate}(P) = r$. If it matches then the signature is valid; if it doesn't then it is not valid.

OR ALTERNATIVELY

If you broadcast your $R$ too, then the signature is valid if $\mathtt{x-coordinate}(P) = \mathtt{x-coordinate}(R)$. But we do not do that, for a lot of security reasons. However, if you started doing that you could use any random integer in the range $[1, n-1]$ as $r$. To know why, see this Wikipedia piece.

Why you cannot recover the private key in your setting

There is a reason I called $r, h, s$ variables. In reality a signature, precisely its components, has nothing to do with the notion of a "public" or "private" key. They just represent an algebraic relation modulo $n$, which is:

$$s \equiv k^{-1}(h+rd) \pmod{n}$$

and since $n$ is prime, every nonzero element is invertible and you can choose any $k$ to get a specific $d$. Your correct $d$ is just one of all those possible pairs $(k, d)$.

Since $r$ is merely a variable (recall my alternative scenario above), we can say that the same signature $(r, s)$ for hash $h$ has finitely many public points $(R, Q)$ on the curve for which the signature verifies as true.

Now we can revisit your question. If you pick any three random values $(r', s')$ and $h'$ in the range $[1, n-1]$ and decide that they must verify for $R$, you can calculate $Q'$ in the following manner:

$$d' = (s'r'^{-1})k - (h'r'^{-1}) \\ Q' = (s'r'^{-1})R - (h'r'^{-1})G $$

And this $Q’$ is valid for some $d’$ such that $d’.G = Q’$.

Note that if you only had one signature, you could always find a total of $n-1$ signatures with the same nonce (or ephemeral public key $R$) for some different private key (or public key $Q$).

The converse is also true: if you only had one signature, you could always find a total of $n-1$ signatures with the same private key (or public key $Q$) for some different nonce (or ephemeral public key $R$).

Recovery in certain cases

  1. However, you can recover the private key in only one case: if you knew any other independent relation between the two keys, for instance knowing $i$ such that $i.d = d'$.
  2. You can also recover the private key if two nonces are shared between two keys; the method is described here and a demonstration is here.
madhurkant
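As an added, self-contained illustration of the answer above (this is not code from the answer or the question, and the function names, the small constructed values for $d$, $k$ and $s'$, and the two sample messages are assumptions of this example), the following Python 3.8+ script implements secp256k1 ECDSA from scratch, builds a second, unrelated key $d'$ from the answer's formula so that both signatures share the nonce $k$ and both verify, and then shows that every guessed nonce yields an equally consistent pair $(d, d')$, which is why the two equations cannot single out either key.

```python
import hashlib
# secp256k1 domain parameters (p, n, G), the curve named in the question
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Pt):  # double-and-add scalar multiplication k*Pt
    R = None
    while k:
        if k & 1: R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

def H(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, h, k):  # r = x(kG) mod n, s = k^-1 (h + r d) mod n
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def verify(Q, h, sig):  # P = (h s^-1) G + (r s^-1) Q, valid iff x(P) = r
    r, s = sig
    w = pow(s, -1, N)
    Pt = add(mul(h * w % N, G), mul(r * w % N, Q))
    return Pt is not None and Pt[0] % N == r

def second_key_sharing_nonce(k, r, s2, h2):
    # the answer's formula d' = (s' r^-1) k - h' r^-1 mod n, keeping r = x(R)
    rinv = pow(r, -1, N)
    return (s2 * rinv * k - h2 * rinv) % N

def keys_for_nonce_guess(kg, r, s1, h1, s2, h2):
    # solve both signature equations for a guessed nonce: one (d, d') per guess
    rinv = pow(r, -1, N)
    return ((s1 * kg - h1) * rinv % N, (s2 * kg - h2) * rinv % N)

def demo(d=0x1111, k=0xABCDEF, s2=0x2222):
    # constructed values: honest key d, reused nonce k, arbitrary s' for the second key
    h1, h2 = H(b"first message"), H(b"second message")
    r, s1 = sign(d, h1, k)
    d2 = second_key_sharing_nonce(k, r, s2, h2)
    both_valid = verify(mul(d, G), h1, (r, s1)) and verify(mul(d2, G), h2, (r, s2))
    guesses = [keys_for_nonce_guess(kg, r, s1, h1, s2, h2) for kg in (k, k + 1, 99991)]
    return both_valid, guesses[0] == (d, d2), len(set(guesses)) == 3  # all True
```

Only the guess equal to the true $k$ returns the real keys, but nothing in the two signatures distinguishes it from any other guess in $[1, n-1]$.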