Rebuilding the private key from signatures
Aaron Toponce
aaron.toponce at gmail.com
Thu Feb 24 22:33:16 CET 2011
On Fri, Feb 25, 2011 at 03:39:10AM +1300, Atom Smasher wrote:
> if an attacker has two messages signed with DSA, and they happen to
> use the same value of "k" then it's trivial to recover the private
> key.
>
> a random "k" is the achilles heel of DSA and elgamal (and their ECC
> derivatives). if "k" is truly random (and reasonably large), the
> chances of getting a duplicate "k" approach zero... if "k" is not
> reasonably large or there's a bias that can produce duplicate "k"s
> with the same value, you're hosed.
Found this:
http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
I've learned something new today. Thank you very, very much!
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
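
Added example, not part of the original message or the linked article: textbook DSA over toy parameters, showing that two signatures made with the same "k" share the same r, and that the two signing equations then determine both k and the private key x. The parameters, key, nonce and messages are all constructed for illustration, and the hash is reduced mod q as a simplification.

```python
import hashlib

# Toy DSA parameters, constructed for this example and far too small for real use.
Q = 2**31 - 1                                   # prime subgroup order

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n**0.5) + 1))

P = next(m * Q + 1 for m in range(2, 10**4, 2) if is_prime(m * Q + 1))
G = pow(2, (P - 1) // Q, P)                     # element of order Q
assert G != 1 and pow(G, Q, P) == 1

def digest(msg):
    # Simplification: real DSA truncates the hash to the bit length of q.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(msg, x, k):
    """Textbook DSA; k is a parameter only so the example can repeat it."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    return r, s

def verify(msg, sig, y):
    r, s = sig
    w = pow(s, -1, Q)
    u1, u2 = digest(msg) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r

def recover_private_key(m1, sig1, m2, sig2):
    """Solve s = k^-1 (H(m) + x*r) for k and x when two signatures share k."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None                             # no repeated r, no visible reuse
    k = (digest(m1) - digest(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - digest(m1)) * pow(r1, -1, Q) % Q

x, k = 123456789, 987654321                     # constructed key and nonce
y = pow(G, x, P)
m1, m2 = b"first message", b"second message"    # constructed messages
sig1, sig2 = sign(m1, x, k), sign(m2, x, k)     # the mistake: same k twice
sig3 = sign(m2, x, k + 1)                       # fresh k for comparison

if __name__ == "__main__":
    print("both verify:", verify(m1, sig1, y) and verify(m2, sig2, y))
    print("same r:", sig1[0] == sig2[0])
    print("recovered x matches:", recover_private_key(m1, sig1, m2, sig2) == x)
    print("fresh k:", recover_private_key(m1, sig1, m2, sig3))
```

A repeated r across signatures from one key is the visible symptom of the reused "k"; with a fresh "k" per signature the r values differ and the equations no longer share an unknown.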