On Wed, May 14, 2008 at 11:12:26PM +0000, brian m. carlson wrote:
Also, DSA absolutely requires a good random number generator for every signature. If the nonce is not chosen randomly, it will leak bits of the key. This is true for all discrete logarithm algorithms. Therefore, anyone who had a DSA key has had it compromised, and RSA is just as good a choice for a new key.
I apologize. Using the same nonce more than once or revealing the nonce does not leak bits of the key; it immediately and trivially reveals the private key. See Applied Cryptography, page 492. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Description: Digital signature