It is crucial to select different k for different signatures, otherwise the equation in step 4 ([Calculate s = k − 1(z + rdA)(mod n).]) can be solved for dA, the private key: Given two signatures (r,s) and (r,s'), employing the same unknown k for different known messages m and m', an attacker can calculate z and z', and since s − s' = k − 1(z − z') (all operations in this paragraph are done modulo n) the attacker can find k = {z-z'}/{s-s'}. Since s = k − 1(z + rdA), the attacker can now calculate the private key dA = {s k - z}/{r}.