[tahoe-dev] Down with ECDSA

Zooko Wilcox-O'Hearn zooko at zooko.com
Wed Aug 19 19:39:07 UTC 2009


On Wednesday,2009-08-19, at 11:55 , Paul Crowley wrote:

> If you have other needs that neither of these schemes meet, let me  
> know and I'll see what else I can find - thanks!

Dear Paul Crowley:

Thank you very much for your contribution of experise.

Our two main needs are a bit unusual for users of public key crypto.   
First is short public keys.  Not short signatures!  We don't care  
about the size of the signature.  :-)  Second is fast time to  
generate a new public/private key pair.

We also like few CPU cycles for signing time and few CPU cycles for  
verification (in pretty much equal measure).

I often check these benchmarks for new results:

http://bench.cr.yp.to/results-sign.html

Happily, all of the factors that we care about are measured and  
displayed.

It appears that ECDSA is a good choice for performance, although I  
hadn't thought of the security issues with it that you nicely described.

Got anything that has a better proof of security than ECDSA with  
similar performance along these axes?

Thanks,

Zooko



More information about the tahoe-dev mailing list