I see the distinction you are making Carlton Banks. It is my understanding that no one has found any "short cuts" that reduce the entropy of bitcoin's secp256k1 ECDSA regardless of the number of signatures made public, so long as the nonce values are chosen truly at random when calculating the signatures (otherwise we get the Andrion RNG problem). This is despite a diligent and ongoing search by top cryptographers across the globe.
In general DSA is pretty lame— there are attacks on DSA with reduced computation compared to solving the DLP given multiple signatures with nonces that happen to have certain properties relative to each other. The cases where the attacks are made possible are themselves unlikely enough that its not a practical concern, but its not correct to say that ECDSA is as strong as ECDLP as far as we know. Instead we know its not, but not concerningly so.(Schnorr signatures are better in almost any way you can pick— better security proofs, ability to do efficient multisignature, etc. but their creator patented them and so pretty much no one has used them except academics.)
I don't consider increased cryptographic risk from pubkey reuse or disclosure of the pubkey (keep in mind: until you spend using a key the first time the public doesn't even know the EC pubkey you're using, they know its hash!) against real, hypothetical, or quantum attacks to be a major consideration. ... but I suppose you could say that it's just one more reason to not reuse addresses.
Thanks for the info gmaxwell. I see my request for someone above my pay grade to help answer this worked out
Is it possible to put some hard numbers to this? Let's say I've made 2^10 signatures with my private key using truly random nonce values. Can we say anything definitive about the loss of entropy? The entropy is obviously now equal to or less than 256 bits, but is it 246 bits, 255 bits, or 200 bits now?
