On 5/17/14, Conrado P. L. Gouvêa <[email protected]> wrote:
> 2014-05-16 3:52 GMT-03:00 Robert Ransom <[email protected]>:
>> And if an attacker compromises a party's ephemeral keys in signed DH,
>> the attacker can not only decrypt the session, but also learn that
>> party's long-term signing key.
>
> Sorry if this is a stupid question, but how does this happen?
The Schnorr and DSA signature schemes use an ephemeral key in each signature, and anyone who knows a signature and the discrete logarithm of the ephemeral key used for that signature can easily calculate the long-term signing secret key. Modern implementations of those signature schemes usually generate those ephemeral secret keys deterministically by applying a PRF to the message being signed, but a protocol's security does not depend on that implementation detail of the signature scheme.

Robert Ransom
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
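As an added illustration, not part of the original thread: a toy Schnorr signature in Python whose ephemeral key is derived deterministically by a PRF (HMAC) of the secret key and message, as the reply describes, followed by the algebra showing why a signature plus its ephemeral key k yields the long-term key x (s = k + e*x mod q). The group parameters, the key x and the message are constructed for the example and the group is far too small for real use.

```python
import hashlib
import hmac

# Constructed toy Schnorr group: p = 2q + 1 with q prime; g = 4 has order q.
P, Q, G = 1019, 509, 4


def enc(n: int) -> bytes:
    return n.to_bytes(2, "big")


def h(*parts: bytes) -> int:
    """Hash-to-integer mod Q: e = H(R || m)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def derive_nonce(x: int, msg: bytes, counter: int) -> int:
    """Deterministic ephemeral key: a PRF of the secret key and the message.
    (RFC 6979-like in spirit only; not that RFC's exact construction.)"""
    tag = hmac.new(enc(x), msg + enc(counter), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % Q


def sign(x: int, msg: bytes):
    """Schnorr signature (e, s); also returns k so leakage can be modelled."""
    counter = 0
    while True:
        k = derive_nonce(x, msg, counter)
        R = pow(G, k, P)
        e = h(enc(R), msg)
        if k != 0 and e != 0:  # reject degenerate values, retry with new k
            break
        counter += 1
    s = (k + e * x) % Q
    return (e, s), k


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    # R' = g^s * y^(-e) equals g^k for a valid signature, so H(R' || m) == e.
    R = pow(G, s, P) * pow(y, (-e) % Q, P) % P
    return h(enc(R), msg) == e


def recover_secret(sig, k: int) -> int:
    """Ephemeral-key disclosure: solve s = k + e*x (mod q) for x."""
    e, s = sig
    return (s - k) * pow(e, -1, Q) % Q


def demo() -> bool:
    x, msg = 123, b"signed-DH transcript"   # constructed long-term key
    sig, k = sign(x, msg)
    return verify(pow(G, x, P), msg, sig) and recover_secret(sig, k) == x
```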
