Impact of ROCA (CVE-2017-15361) in subkey vs. private key?

Damien Goutte-Gattat dgouttegattat at
Sun Oct 29 23:08:28 CET 2017

On 10/29/2017 07:18 PM, Shannon C wrote:
> Assuming that the secret key was generated outside of an Infineon
> chip, but that subsequently subkeys were generated by a chip with the
> ROCA vulnerability, does that compromise the main private key, or
> only the subkey?

There is no mathematical link between a primary (or master) key and a 
subkey. A subkey is linked to a primary key only through a "subkey 
binding signature".

If a subkey is compromised (meaning an attacker somehow managed to know 
the private key, be it through the ROCA vulnerability or any other 
method), this has *no impact* on the primary key. The attacker won't be 
able to infer any information about the primary key.

This is also true the other way around: knowing the primary private key 
does not allow one to deduce the private subkey(s).

