[curves] Mutual-auth Ace (was Re: MQV)

Samuel Neves sneves at dei.uc.pt
Sat May 17 18:53:49 PDT 2014

On 05/18/2014 02:37 AM, Robert Ransom wrote:
> On 5/17/14, Conrado P. L. Gouvêa <conradoplg at gmail.com> wrote:
>> 2014-05-16 3:52 GMT-03:00 Robert Ransom <rransom.8774 at gmail.com>:
>>> And if an attacker compromises a party's ephemeral keys in signed DH,
>>> the attacker can not only decrypt the session, but also learn that
>>> party's long-term signing key.
>>
>> Sorry if this is a stupid question, but how does this happen?
> The Schnorr and DSA signature schemes use an ephemeral key in each
> signature, and anyone who knows a signature and the discrete logarithm
> of the ephemeral key used for that signature can easily calculate the
> long-term signing secret key.

Terminology clash: 'ephemeral key' could refer to either the DH secret
exponent or the DSA k value. I was also puzzled how the former would
affect DSA's long-term key.
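
The relation described in the quoted reply, worked through as an added example that is not part of the original thread: with the per-signature nonce k (the DSA/Schnorr value, not the DH secret exponent) and one signature, the long-term key x follows from a single modular inversion, which is why k needs the same protection as x. The group parameters, key, nonce and message are constructed toy values, and the function names are hypothetical.

```python
import hashlib

# Constructed toy group (far too small for real use): Q divides P-1, G has order Q.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash the given values to an integer mod Q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_sign(x, k, msg):
    """DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return (r, s) if r and s else None   # invalid signature: signer must pick a new k

def dsa_recover(r, s, k, msg):
    """With the nonce k known: x = (s k - H(m)) r^-1 mod q."""
    return (s * k - h(msg)) * pow(r, -1, Q) % Q

def schnorr_sign(x, k, msg):
    """Schnorr: R = g^k, e = H(R, m), s = k + e x mod q."""
    e = h(pow(G, k, P), msg)
    return (e, (k + e * x) % Q) if e else None

def schnorr_recover(e, s, k):
    """With the nonce k known: x = (s - k) e^-1 mod q."""
    return (s - k) * pow(e, -1, Q) % Q

def demo(x=777, k=123, msg="constructed handshake transcript"):
    """Sign with both schemes, then recover x from (signature, k) alone."""
    out = {}
    sig = dsa_sign(x, k, msg)
    if sig:
        out["dsa"] = dsa_recover(*sig, k, msg)
    sig = schnorr_sign(x, k, msg)
    if sig:
        out["schnorr"] = schnorr_recover(*sig, k)
    return out

if __name__ == "__main__":
    print(demo())
```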
