[tahoe-dev] (are you?) Down with ECDSA
Zooko Wilcox-O'Hearn
zooko at zooko.com
Wed Aug 19 20:07:50 PDT 2009

Dear Jack Lloyd:

I like good Devil's Advocacy, and yours was good, but surely you
would agree that an algorithm that comes with a proof of its security
predicated on some standard problem such as discrete log is *less
likely* to get cracked than one that hasn't such a reduction? :-)

Anyway, I think the issue is moot (though fun and interesting),
because there isn't any competitor to ECDSA for our performance
requirements (small public keys, fast keypair generation). Well,
actually there is hector, which is way better than ECDSA on those
performance measures:

http://bench.cr.yp.to/graph-sign/amd64-molecule.png

But, hector isn't really even implemented in a usable way, and I have
no idea if it has good proofs of security predicated on some other
standard problem and so on:

http://allmydata.org/trac/tahoe/ticket/217#comment:50

By the way, here is a paper about security proofs for ECDSA:

http://citeseer.ist.psu.edu/old/brown00exact.html

and a paper that includes a criticism of that proof:

http://citeseer.ist.psu.edu/stern02flaws.html

I haven't read either.

Regards,

Zooko