[tahoe-dev] Down with ECDSA
Paul Crowley
paul at lshift.net
Wed Aug 19 10:55:49 PDT 2009
[I'm not on this list so please include me in Cc's - thanks!]
Zooko Wilcox-O'Hearn wrote:
> Could you please post your note to tahoe-dev at allmydata.org?
I recommend against the use of ECDSA in new systems. It is widely used
and has survived many years of cryptanalysis, but for a public key
primitive that's a rather low bar to set. What one wants is a tight
reduction to a problem that is believed hard. We can often place more
trust in a relatively new scheme that has such a reduction than an older
scheme that lacks one; in many cases, we can infer from the proofs that
any attack which breaks the newer scheme necessarily leads to an attack
that breaks the older scheme, but not vice versa.
I have a couple of recommendations, depending on your needs. If what
you need is short signatures, the second scheme in this paper ("A
Signature Scheme Based on the DDH Problem") has many appealing properties:
http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
Given a group of size 2^q and a security parameter k, the scheme
produces signatures of size q + k bits; it is secure if the Decisional
Diffie-Hellman problem is hard in the chosen group. Generating
signatures requires two exponentiations, checking them needs three, and
public keys consist of three group elements, though there may be a way
to reduce that to two if this is important. Like DSA, you can do the
bulk of the work of signing before the message arrives, though this
makes the reduction very slightly less tight. There is also a much
looser reduction to the discrete log problem.
If large signatures are acceptable but verification time must be
minimized, I recommend this scheme:
http://cr.yp.to/sigs.html
This scheme has *extremely* fast probabilistic verification, and -
unlike for example RSA - a tight reduction to the difficulty of
factoring large integers.
If you have other needs that neither of these schemes meet, let me know
and I'll see what else I can find - thanks!
--
[][][] Paul Crowley
[][] LShift Ltd
[] [] www.lshift.net
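The DDH-based scheme the post describes, as an added worked example (this is not code from the post, the paper, or the Tahoe project): a Chaum-Pedersen proof that two group elements share a discrete log, made non-interactive with a hash challenge. The structure below (keys y1 = g^x, y2 = h^x; signature (c, s) with c a k-bit hash and s reduced mod q) is assumed to be the shape of the paper's second scheme; the group constants are a constructed toy (p = 2q + 1 = 2039) and are far too small for real use. It shows the q + k signature size, the two signing exponentiations that can be done before the message is known, and verification.

```python
"""Toy Chaum-Pedersen / Fiat-Shamir signature under the DDH assumption.

Added example, not the paper's reference code. Group parameters are constructed
for illustration only: p = 2q + 1 with p and q prime, so the quadratic residues
mod p form a subgroup of prime order q.
"""
import hashlib
import secrets

P = 2039          # constructed toy prime, p = 2q + 1
Q = 1019          # prime order of the quadratic-residue subgroup
G = 4             # 2^2 mod p is a quadratic residue, hence generates the order-q subgroup
K = 128           # security parameter: bit length of the hash challenge c
ELEM_BYTES = 2    # enough to encode any element mod 2039

def hash_to_group(label):
    """Derive a second generator h with no known log base G (hash-then-square)."""
    counter = 0
    while True:
        v = int.from_bytes(hashlib.sha256(label + bytes([counter])).digest(), "big") % P
        h = pow(v, 2, P)
        if h not in (0, 1):
            return h
        counter += 1

H = hash_to_group(b"second generator")   # the third public group element besides y1, y2

def challenge(pk, msg, a, b):
    """k-bit challenge c = H(y1, y2, A, B, m); fixed-width fields keep the encoding unambiguous."""
    fields = b"".join(v.to_bytes(ELEM_BYTES, "big") for v in (*pk, a, b))
    return int.from_bytes(hashlib.sha256(fields + msg).digest()[: K // 8], "big")

def keygen():
    """Secret x; public key (y1, y2) = (g^x, h^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, (pow(G, x, P), pow(H, x, P))

def precompute():
    """The two signing exponentiations, which do not depend on the message.

    Each precomputed r must be used for exactly one signature: reusing r across
    two messages lets anyone solve for x from the two s values."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P), pow(H, r, P)

def sign(x, pk, msg, pre=None):
    """Signature (c, s): c is K bits, s is an element mod q, so |sig| = q-bits + k."""
    r, a, b = pre if pre is not None else precompute()
    c = challenge(pk, msg, a, b)
    s = (r + c * x) % Q
    return c, s

def verify(pk, msg, sig):
    """Recompute A = g^s * y1^-c and B = h^s * y2^-c, then check the challenge."""
    y1, y2 = pk
    c, s = sig
    a = pow(G, s, P) * pow(y1, (-c) % Q, P) % P
    b = pow(H, s, P) * pow(y2, (-c) % Q, P) % P
    return challenge(pk, msg, a, b) == c

def signature_bits():
    """Size of (c, s) in bits before any byte padding: k + |q|."""
    return K + Q.bit_length()

if __name__ == "__main__":
    x, pk = keygen()
    pre = precompute()                      # done ahead of time
    sig = sign(x, pk, b"constructed sample message", pre)
    print("signature bits:", signature_bits())
    print("verifies:", verify(pk, b"constructed sample message", sig))
```

This straightforward verification spends four modular exponentiations for readability; the post counts three for the paper's scheme, so treat this as the unoptimized didactic form. With k = 128 and a 10-bit q the signature is 138 bits; in a real group with a 256-bit q it would be the 384 bits the post's q + k formula gives.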