[tahoe-dev] (are you?) Down with ECDSA

Zooko Wilcox-O'Hearn zooko at zooko.com
Wed Aug 19 20:07:50 PDT 2009


Dear Jack Lloyd:

I like good Devil's Advocacy, and yours was good, but surely you  
would agree that an algorithm that comes with a proof of its security  
predicated on some standard problem such as discrete log is *less  
likely* to get cracked than one that hasn't such a reduction?  :-)

Anyway, I think the issue is moot (though fun and interesting),  
because there isn't any competitor to ECDSA for our performance  
requirements (small public keys, fast keypair generation).  Well,  
actually there is hector, which is way better than ECDSA on those  
performance measures:

http://bench.cr.yp.to/graph-sign/amd64-molecule.png

But, hector isn't really even implemented in a usable way, and I have  
no idea if it has good proofs of security predicated on some other  
standard problem and so on:

http://allmydata.org/trac/tahoe/ticket/217#comment:50

By the way, here is a paper about security proofs for ECDSA:

http://citeseer.ist.psu.edu/old/brown00exact.html

and a paper that includes a criticism of that proof:

http://citeseer.ist.psu.edu/stern02flaws.html

I haven't read either.

Regards,

Zooko

