[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] NSA supercomputer



On Sun, Apr 7, 2013 at 4:31 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
> However, it would be interesting to have some benchmarks for high-bit
> ECC implementations. It seems to me they should still be faster than
> modular exponentiation at the same bitwidth, no?

For signing, â If you are willing to have large amounts of data:  (and
you can almost always move public key bytes into the signature by
making the "public key" a hash of the real public key).

(1) You can use merkle signatures, which have stronger security
properties than the common asymmetric schemes (simply because they
already all use a hash function in a way that a second pre-image is a
complete break on the signature). They're also stupid fast, and as a
class generally secure against hypothetical quantum computers.

and/or

(2) You could use multiple schemes e.g. RSA && Ed25519 && merkle &&
lattice such that the composition is no less secure, ... and even if
all of the schemes can be attacked the cost of building the distinct
attacks may be powerful.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk