14 Dec
2013
14 Dec
'13
8:23 p.m.
On 14 December 2013 14:51, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
For example if you follow DSA's:
k = G(t,KKEY) mod q
then you've leaked your x after a series of signatures, so you need to know that you generate a large-than-required value before reducing mod q. The whole DLP family is just incredibly brittle, a problem that RSA doesn't have.
This is different from the normal 'repeated/non-random k leads to private key', is it not? Is there a paper/reference I can read more about this attack? -tom