[curves] Mutual-auth Ace (was Re: MQV)

Robert Ransom rransom.8774 at gmail.com
Sat May 17 18:37:53 PDT 2014


On 5/17/14, Conrado P. L. Gouvêa <conradoplg at gmail.com> wrote:
> 2014-05-16 3:52 GMT-03:00 Robert Ransom <rransom.8774 at gmail.com>:
>> And if an attacker compromises a party's ephemeral keys in signed DH,
>> the attacker can not only decrypt the session, but also learn that
>> party's long-term signing key.
>
> Sorry if this is a stupid question, but how does this happen?

The Schnorr and DSA signature schemes use an ephemeral key in each
signature, and anyone who knows a signature and the discrete logarithm
of the ephemeral key used for that signature can easily calculate the
long-term signing secret key.

Modern implementations of those signature schemes usually generate
those ephemeral secret keys deterministically by applying a PRF to the
message being signed, but a protocol's security does not depend on
that implementation detail of the signature scheme.


Robert Ransom
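
Added example, not part of the original message: the algebra behind the statement above for both Schnorr (s = k + e*x mod q) and DSA (s = k^-1 * (H(m) + x*r) mod q), solved for the long-term key x once the ephemeral secret k is known. The toy group P, Q, G, the function names and the message strings are assumptions constructed for illustration; the signing functions return k only to model its compromise.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def h(*parts):
    """Hash integers/byte strings to an integer mod Q."""
    data = b"|".join(str(x).encode() if isinstance(x, int) else x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_sign(x, msg):
    """Return ((e, s), k): e = H(g^k, msg), s = k + e*x mod Q."""
    while True:
        k = secrets.randbelow(Q - 1) + 1      # ephemeral secret key
        e = h(pow(G, k, P), msg)
        if e:                                  # retry on e == 0 (only likely in a toy group)
            return (e, (k + e * x) % Q), k

def dsa_sign(x, msg):
    """Return ((r, s), k): r = (g^k mod P) mod Q, s = k^-1 * (H(msg) + x*r) mod Q."""
    while True:
        k = secrets.randbelow(Q - 1) + 1      # ephemeral secret key
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h(msg) + x * r) % Q
        if r and s:                            # standard DSA retry condition
            return (r, s), k

def schnorr_recover(sig, k):
    # s = k + e*x  =>  x = (s - k) / e  (mod Q)
    e, s = sig
    return (s - k) * pow(e, -1, Q) % Q

def dsa_recover(msg, sig, k):
    # s*k = H(msg) + x*r  =>  x = (s*k - H(msg)) / r  (mod Q)
    r, s = sig
    return (s * k - h(msg)) * pow(r, -1, Q) % Q

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1           # long-term signing secret key
    sig, k = schnorr_sign(x, b"handshake transcript")
    print("Schnorr:", schnorr_recover(sig, k) == x)
    sig, k = dsa_sign(x, b"handshake transcript")
    print("DSA:    ", dsa_recover(b"handshake transcript", sig, k) == x)
```

One signature plus its k is enough in both schemes, which is why the ephemeral secret needs the same protection as the long-term key, however it was generated.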

