Rebuilding the private key from signatures
Atom Smasher
atom at smasher.org
Thu Feb 24 15:39:10 CET 2011
On Thu, 24 Feb 2011, Aaron Toponce wrote:
> However, I was in a discussion with a friend, and the topic came up that
> it is theoretically possible to rebuild your private key if someone had
> access to all your signed mail. We debated the size of signatures and
> mail that would need to be collected for this to be probable.
>
> Is it?
=================
if an attacker has two messages signed with DSA, and they happen to use
the same value of "k" then it's trivial to recover the private key.
a random "k" is the Achilles' heel of DSA and ElGamal (and their ECC
derivatives). if "k" is truly random (and reasonably large), the chances
of getting a duplicate "k" approaches zero... if "k" is not reasonably
large or there's a bias that can produce duplicate "k"s with the same
value, you're hosed.
http://www.the-fifth-hope.org/hoop/5hope_speakers.khtml#panel037
http://en.wikipedia.org/wiki/Digital_Signature_Algorithm
http://en.wikipedia.org/wiki/ElGamal_signature_scheme
--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"To consider yourself an environmentalist
and still eat meat is like saying you're
a philanthropist who doesn't give to charity"
-- Howard Lyman
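Added example, not part of the list post above: a toy DSA in Python that signs two messages with the same k, then recovers k and the private key x from the pair, exactly the attack described. Everything here is constructed for the demo: the parameter sizes (64-bit q, 128-bit p) are far too small for real use, the messages are made-up strings, and the digest is SHA-256 truncated to the length of q. The `shared_r` function is the collector's side of it: signatures with equal r were made with equal k, so indexing a pile of collected signatures by r is the check that finds a usable pair.

```python
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with deterministic bases; adequate for toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits: int = 64, pbits: int = 128, seed: int = 1):
    """Find toy DSA parameters (p, q, g): q prime, q | p-1, g of order q mod p."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(5000):
            cofactor = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
            p = cofactor * q + 1
            if is_probable_prime(p):
                for h in range(2, 1000):
                    g = pow(h, (p - 1) // q, p)
                    if g != 1:
                        return p, q, g


def hash_to_int(msg: bytes, q: int) -> int:
    """Leftmost q.bit_length() bits of SHA-256 (DSA truncates the digest this way)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - q.bit_length())


def sign(params, x: int, msg: bytes, k: int):
    """Textbook DSA signing; k is a parameter only so the demo can reuse it."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    assert r and s, "degenerate signature, pick another k"
    return r, s


def verify(params, y: int, msg: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, hash_to_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def recover_private_key(params, msg1, sig1, msg2, sig2) -> int:
    """Same k => same r.  s1 - s2 = k^-1 (z1 - z2) gives k; then x = (s1 k - z1) / r."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % q == 0:
        raise ValueError("signatures do not share a nonce")
    z1, z2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = (z1 - z2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - z1) * pow(r1, -1, q) % q


def shared_r(sigs):
    """Collector's check: group signature indices by r; any r seen twice is a reused k."""
    seen = {}
    for i, (r, _s) in enumerate(sigs):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}


def demo():
    """Sign three constructed messages, two with the same k, and recover x."""
    params = gen_params()
    p, q, g = params
    rng = random.Random(42)
    x = rng.randrange(1, q)                      # private key
    y = pow(g, x, p)                             # public key
    k_bad = rng.randrange(1, q)                  # the nonce that gets reused
    msgs = [b"first signed mail (constructed)", b"second signed mail (constructed)", b"third"]
    ks = [k_bad, k_bad, rng.randrange(1, q)]
    sigs = [sign(params, x, m, k) for m, k in zip(msgs, ks)]
    assert all(verify(params, y, m, s) for m, s in zip(msgs, sigs))
    dup = shared_r(sigs)
    i, j = next(iter(dup.values()))[:2]
    return x, recover_private_key(params, msgs[i], sigs[i], msgs[j], sigs[j]), len(dup)


if __name__ == "__main__":
    x, x_rec, ndup = demo()
    print("reused-r groups:", ndup, "recovered == real:", x == x_rec)
```

Two signatures over different messages are needed: if the messages hash to the same z, s1 == s2 and the division by s1 - s2 fails, which is why `recover_private_key` refuses that pair. Real-world versions of this (biased or repeated k from a bad RNG) break the same way; the fix on the signer's side is deterministic nonce derivation from the key and message (RFC 6979) so that k can never repeat for distinct messages.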