On 05/18/2014 02:37 AM, Robert Ransom wrote:
> On 5/17/14, Conrado P. L. Gouvêa <[email protected]> wrote:
>> 2014-05-16 3:52 GMT-03:00 Robert Ransom <[email protected]>:
>>> And if an attacker compromises a party's ephemeral keys in signed DH,
>>> the attacker can not only decrypt the session, but also learn that
>>> party's long-term signing key.
>>
>> Sorry if this is a stupid question, but how does this happen?
>
> The Schnorr and DSA signature schemes use an ephemeral key in each
> signature, and anyone who knows a signature and the discrete logarithm
> of the ephemeral key used for that signature can easily calculate the
> long-term signing secret key.

Terminology clash: 'ephemeral key' could refer to either the DH secret exponent or the DSA k value. I was also puzzled how the former would affect DSA's long-term key.
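
Added example, not part of the original messages: the algebra behind the quoted claim, taking "ephemeral key" in the second sense (the per-signature k value, not the DH exponent). It uses textbook DSA and Schnorr over a constructed toy group; the parameters, the hash-to-scalar mapping and all function names are assumptions made for illustration, and the point for implementers is that k needs the same protection as the long-term key.

```python
import hashlib

# Constructed toy group (far too small for real use): P = 2*Q + 1, both prime,
# and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def H(*parts):
    """Hash to a scalar in 1..Q-1 (toy mapping, chosen so it is always invertible)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def dsa_sign(x, k, msg):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 * (H(m) + x*r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(msg) + x * r) % Q
    return r, s


def dsa_key_from_nonce(k, msg, sig):
    """Rearranging s*k = H(m) + x*r gives x = (s*k - H(m)) * r^-1 mod q."""
    r, s = sig
    return (s * k - H(msg)) * pow(r, -1, Q) % Q


def schnorr_sign(x, k, msg):
    """Textbook Schnorr: e = H(g^k, m), s = k + e*x mod q."""
    e = H(str(pow(G, k, P)).encode(), msg)
    return e, (k + e * x) % Q


def schnorr_key_from_nonce(k, sig):
    """Rearranging s = k + e*x gives x = (s - k) * e^-1 mod q."""
    e, s = sig
    return (s - k) * pow(e, -1, Q) % Q


def demo(x=777, k=5, msg=b"constructed handshake transcript"):
    """Sign with long-term secret x and nonce k, then solve for x from (sig, k)."""
    return (dsa_key_from_nonce(k, msg, dsa_sign(x, k, msg)),
            schnorr_key_from_nonce(k, schnorr_sign(x, k, msg)))


if __name__ == "__main__":
    print(demo())
```

In both schemes one signature plus its k yields the long-term secret with a single modular inversion; the DH secret exponent does not appear anywhere in these equations.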
