On Fri, Feb 25, 2011 at 03:39:10AM +1300, Atom Smasher wrote:
> if an attacker has two messages signed with DSA, and they happen to
> use the same value of "k" then it's trivial to recover the private
> key.
>
> a random "k" is the Achilles heel of DSA and ElGamal (and their ECC
> derivatives). if "k" is truly random (and reasonably large), the
> chances of getting a duplicate "k" approaches zero... if "k" is not
> reasonably large or there's a bias that can produce duplicate "k"s
> with the same value, you're hosed.
Found this: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

I've learned something new today. Thank you very, very much!

-- 
. o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o
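The point quoted above (two DSA signatures under one key with the same k give away x) is easy to see on a toy instance. The following script is an added example, not part of this thread and not GnuPG code: it generates small (and entirely unsafe) DSA-style parameters on the fly, signs two different messages with one reused k, shows that the private key falls out of the two signatures, shows the check a defender can run over a batch of signatures (a repeated r under one key is a repeated k), and shows the mitigation of deriving k deterministically from the private key and the message so that it cannot repeat across different messages. The `deterministic_k` function is a hypothetical simplified HMAC construction standing in for the later RFC 6979 procedure, not the RFC's exact algorithm; all parameters, keys and messages are constructed here.

```python
"""Toy DSA: a repeated nonce k leaks the private key; how to detect it and avoid it."""
import hashlib
import hmac
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; exact for every n this file produces (all below 2^80)."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params():
    """Constructed toy parameters: 63-bit prime q, prime p = m*q + 1, g of order q. Unsafe sizes."""
    q = 2**63 + 1
    while not is_probable_prime(q):
        q += 2
    m = 2
    while not is_probable_prime(m * q + 1):
        m += 1
    p = m * q + 1
    h = 2
    while (g := pow(h, m, p)) == 1:   # g = h^((p-1)/q); g != 1 and q prime => order exactly q
        h += 1
    return p, q, g

def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params, x, msg, k):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x*r) mod q."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    return r, s

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, hash_to_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def recover_private_key(params, msg1, sig1, msg2, sig2):
    """Same r in both signatures means the same k: two linear equations in (k, x)."""
    _, q, _ = params
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("r differs, so k was not reused")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q   # k = (h1 - h2) / (s1 - s2)
    return (s1 * k - h1) * pow(r, -1, q) % q         # x = (s1*k - h1) / r

def find_reused_nonces(params, signed):
    """Defender-side scan over (msg, sig) pairs from one key: a repeated r on different
    messages is a repeated k. The same message re-signed with a deterministic k repeats r
    harmlessly (identical equations, nothing new to solve), so that case is not reported."""
    _, q, _ = params
    first, hits = {}, []
    for i, (msg, (r, _)) in enumerate(signed):
        h = hash_to_int(msg, q)
        if r in first and first[r][1] != h:
            hits.append((first[r][0], i))
        first.setdefault(r, (i, h))
    return hits

def deterministic_k(params, x, msg):
    """k = HMAC-SHA256(key=x, H(m)) mod q: a simplified stand-in for RFC 6979 (hypothetical)."""
    _, q, _ = params
    key = x.to_bytes((q.bit_length() + 7) // 8, "big")
    return int.from_bytes(hmac.new(key, hashlib.sha256(msg).digest(), "sha256").digest(), "big") % q

def demo():
    params = make_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1                 # private key
    y = pow(g, x, p)                                 # public key
    m1, m2 = b"pay 10 to alice", b"pay 10 to bob"    # constructed sample messages
    k = secrets.randbelow(q - 1) + 1
    bad1, bad2 = sign(params, x, m1, k), sign(params, x, m2, k)   # the mistake: one k, two messages
    good1, good2 = (sign(params, x, m, deterministic_k(params, x, m)) for m in (m1, m2))
    return {
        "all_valid": all(verify(params, y, m, s) for m, s in ((m1, bad1), (m2, bad2), (m1, good1), (m2, good2))),
        "key_recovered": recover_private_key(params, m1, bad1, m2, bad2) == x,
        "reuse_flagged": find_reused_nonces(params, [(m1, bad1), (m2, bad2)]) == [(0, 1)],
        "deterministic_ok": good1[0] != good2[0] and find_reused_nonces(params, [(m1, good1), (m1, good1)]) == [],
    }
```

Calling `demo()` returns four booleans, all true: the reused-k signatures verify fine (nothing in verification reveals the problem), the private key is recovered from them, the r-based scan flags the pair, and the deterministic signer produces distinct r values for distinct messages while the scan stays quiet on a harmless re-signature of the same message. The scan is the part worth keeping in a real audit: it needs only public signatures, so it can be run over any signature archive attributed to one key, and a hit is worth treating as a compromised key regardless of how the duplicate came about.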
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users