[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)

On Wed, May 14, 2008 at 11:12:26PM +0000, brian m. carlson wrote:
Also, DSA absolutely requires a good random
number generator for every signature.  If the nonce is not chosen
randomly, it will leak bits of the key.  This is true for all discrete
logarithm algorithms.  Therefore, anyone who had a DSA key has had it
compromised, and RSA is just as good a choice for a new key.

I apologize.  Using the same nonce more than once or revealing the nonce
does not leak bits of the key; it immediately and trivially reveals the
private key.  See Applied Cryptography, page 492.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to: