On 14 December 2013 14:51, Peter Gutmann <[1]pgut001@cs.auckland.ac.nz>
   wrote:

   For example if you

     follow DSA's:
     k = G(t,KKEY) mod q
     then you've leaked your x after a series of signatures, so you need
     to know
     that you generate a large-than-required value before reducing mod q.
     The
     whole DLP family is just incredibly brittle, a problem that RSA
     doesn't have.

   This is different from the normal 'repeated/non-random k leads to
   private key', is it not? Is there a paper/reference I can read more
   about this attack?
   -tom

References

   1. mailto:pgut001@cs.auckland.ac.nz