[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] NSA supercomputer

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] NSA supercomputer
From: Gregory Maxwell <gmaxwell@xxxxxxxxx>
Date: Mon, 8 Apr 2013 12:50:19 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 08 Apr 2013 15:50:32 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=oa7hqTXAHa171q8OGjyD/ywTi9rlbjDSbJ9PIxkcwTI=; b=Bdo+jT3eSWYf/LQCcg0wJhpJCAWBn8TKqg+nXR7SKn9742Z0gT2kd7IjzIfxr7VUFT QHt+Cqv9ljj/PzIKgPPV+OxLdUsKAOlvqLT7hvvtuQqW33yZPjdpYyPk300dTnaHeKwi VIpUlW+sETUjDGSxYpRE/h2nNQHy3TYg70QbMJqVdz/jDrsws64CDLkimyjKk6gW1/zR ACwIyIIEyQjt/djzR2cZZeGUEhlKk7UChAGjgeIr25uv+ojxwZcKLgHm1h6riikuSL1V H65qBDa1Sm/IjC9XGjHj+2TL+JF+Zn1GeCvUcMzjhFp3fCF+NqFOUdBT6qwp+M+h5fbF bHcA==
In-reply-to: <20130407233154.GE11182@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <0wpiettdamlg76bjqn8pb4ky.1365069110984@xxxxxxxxxxxxxxxxx> <CAKDKvuw7YpM1ikH4Z1wo3J0YQpA5Wwc9y9DHVJc2sTUUEjz9Ow@xxxxxxxxxxxxxx> <1461818.5496ncUi8M@caracal> <20130407233154.GE11182@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On Sun, Apr 7, 2013 at 4:31 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
> However, it would be interesting to have some benchmarks for high-bit
> ECC implementations. It seems to me they should still be faster than
> modular exponentiation at the same bitwidth, no?

For signing, â If you are willing to have large amounts of data:  (and
you can almost always move public key bytes into the signature by
making the "public key" a hash of the real public key).

(1) You can use merkle signatures, which have stronger security
properties than the common asymmetric schemes (simply because they
already all use a hash function in a way that a second pre-image is a
complete break on the signature). They're also stupid fast, and as a
class generally secure against hypothetical quantum computers.

and/or

(2) You could use multiple schemes e.g. RSA && Ed25519 && merkle &&
lattice such that the composition is no less secure, ... and even if
all of the schemes can be attacked the cost of building the distinct
attacks may be powerful.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] NSA supercomputer
  - From: Bernard Tyers
- Re: [tor-talk] NSA supercomputer
  - From: Nick Mathewson
- Re: [tor-talk] NSA supercomputer
  - From: cmeclax
- Re: [tor-talk] NSA supercomputer
  - From: Mike Perry

Prev by Author: Re: [tor-talk] NSA supercomputer
Next by Author: Re: [tor-talk] Deterministic Builds - was: Bridge Communities?
Previous by thread: Re: [tor-talk] NSA supercomputer
Next by thread: Re: [tor-talk] NSA supercomputer
Index(es):
- Author
- Thread