
Simple question: given a signed message and signature, if the nonce is known, then it's possible to recover the private key. But what about doing the reverse? I mean using the private key to recover the nonce?

Given:

 R: 00df359e57f5e14b8dccf09daf6ec634f48cfc105658e0fc1bf53926af5494498a
 S: 392816fdecd0122f306b96b68a863f338abb0e874657adf22bb685b2e38826ce
 message hash: 6c44185598b9fd22ac7c8bd8349f5a5894c4e02da9bbd672fd59cd67ce2cfb8f

I tried Mod(0x392816fdecd0122f306b96b68a863f338abb0e874657adf22bb685b2e38826ce,0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141)^-1*(0x6c44185598b9fd22ac7c8bd8349f5a5894c4e02da9bbd672fd59cd67ce2cfb8f+0x527a792b183c7f64a0e8b1f4*0xdf359e57f5e14b8dccf09daf6ec634f48cfc105658e0fc1bf53926af5494498a), which gives an incorrect result in PARI/GP, while the pubkey recovered from the signature matches the $527a792b183c7f64a0e8b1f4$ private key (since $r$ contains the $x$ part of $\mathrm{nonce} \times \mathrm{Generator\ point}$).

user2284570

1 Answer


Sure. The equation that connects the private key, the nonce, the message representative and the signature is a simple one, and knowing any three of the four values gives you the fourth. The equation is $$ s = k^{-1} (h + r d) \mod n $$ where

  • $n$ is the group order;
  • $d$ is the private key;
  • $k$ is the nonce;
  • $h$ is the message representative (hash of the message, projected onto the curve);
  • $(r,s)$ is the signature.

Thus the nonce can be calculated as $k = s^{-1} (h + r d) \bmod n$.

To analyze an ECDSA implementation, first check if it always outputs the same signature when the key and the message are the same. That is deterministic ECDSA and it's secure. You don't need to calculate the nonce to validate an ECDSA implementation functionally: just check that its output is the same as another implementation that you trust, for the same curve, hash function, key and message.

If the implementation is non-deterministic, then it's vital that the nonce $k$ is uniformly random. If an adversary can guess some bits of the nonce, it tends to add up across signatures. For example, if an adversary has access to a set of secp256k1 signatures and they can tell for each signature whether the top bit is 0 or 1, then they can recover the private key with a large enough number of signatures. (As of early 2025, as far as I know, the number of signatures is still impractical, but attacks have been improving steadily, so I expect practical attacks with a single bit of leakage within the next few years.) This can happen if the implementation chooses $k$ badly with the top bit always set to $0$, or if an adversary can see how long the signature operation takes and the timing depends on the top bit. With multiple bits of leakage, the leakage does add up: for example, 9 known bits on a 521-bit curve allow private key recovery with high probability from 60 signatures, compared to a theoretical 56 if you just add up the number of leaked bits.
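The nonce equation from the answer, carried through on secp256k1 as an added example (not code from the question or the answer): sign with a chosen nonce, solve $k = s^{-1}(h + rd) \bmod n$ from the resulting $(r, s)$, and cross-check the recovered $k$ against $r$. The curve constants are the standard secp256k1 parameters; the private key, nonce and message hash are constructed sample values, and the point arithmetic is a plain double-and-add written for clarity, not a library routine.

```python
# secp256k1 domain parameters (standard values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def ecdsa_sign(h, d, k):
    """Textbook ECDSA with a caller-supplied nonce: r = x(kG) mod n, s = k^-1 (h + r d) mod n."""
    r = scalar_mult(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N

def recover_nonce(r, s, h, d):
    """The answer's equation solved for k: k = s^-1 (h + r d) mod n."""
    return pow(s, -1, N) * (h + r * d) % N

def nonce_matches_r(k, r):
    """Cross-check that kG reproduces r. Since x(kG) == x((n-k)G), r alone cannot tell k from n-k."""
    return scalar_mult(k, G)[0] % N == r

if __name__ == "__main__":
    d, k = 0x1E240, 0xC0FFEE                  # constructed private key and nonce
    h = int.from_bytes(b"\x42" * 32, "big")   # constructed 256-bit message hash
    r, s = ecdsa_sign(h, d, k)
    print(recover_nonce(r, s, h, d) == k, nonce_matches_r(k, r))
```

Because $r$ is only the $x$-coordinate of $kG$, both $k$ and $n-k$ reproduce it; when verifying a recovered nonce against a known one, compare the scalar itself rather than $r$.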