Rebuilding the private key from signatures

Aaron Toponce aaron.toponce at
Thu Feb 24 22:33:16 CET 2011

On Fri, Feb 25, 2011 at 03:39:10AM +1300, Atom Smasher wrote:
> if an attacker has two messages signed with DSA, and they happen to
> use the same value of "k" then it's trivial to recover the private
> key.
> a random "k" is the achilles heel of DSA and elgamal (and their ECC
> derivatives). if "k" is truly random (and reasonably large), the
> chances of getting a duplicate "k" approaches zero... if "k" is not
> reasonably large or there's a bias that can produce duplicate "k"s
> with the same value, you're hosed.

Found this:

I've learned something new today. Thank you very, very much!

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 527 bytes
Desc: Digital signature
URL: </pipermail/attachments/20110224/376e3828/attachment.pgp>

More information about the Gnupg-users mailing list