I'd like to see some technical details about the attack, if they can be
made available. The ElGamal signature formulas are:
r = g^k mod p
s = (H-rx)/k mod q
The latter comes from rx+sk=H mod q.
I gather from what Werner has said that choosing small x and k in this
formula is unsafe. This looks similar to a lattice problem where there
are relatively efficient articles for finding "small" vectors. But I
am not that familiar with the mathematics.
Incidentally, in trying to research this I found that the attack by
Bleichenberger on poorly-chosen random numbers in DSA signatures had never
been published. I'm not sure if that was a lattice based attack or not.
It would be good to see these results made available because they might
turn out to be applicable to other types of keys that we might consider
in the future.
Hal Finney