[tahoe-dev] (are you?) Down with ECDSA

Zooko Wilcox-O'Hearn zooko at zooko.com
Thu Aug 20 03:07:50 UTC 2009

Dear Jack Lloyd:

I like good Devil's Advocacy, and yours was good, but surely you  
would agree that an algorithm that comes with a proof of its security  
predicated on some standard problem such as discrete log is *less  
likely* to get cracked than one that hasn't such a reduction?  :-)

Anyway, I think the issue is moot (though fun and interesting),  
because there isn't any competitor to ECDSA for our performance  
requirements (small public keys, fast keypair generation).  Well,  
actually there is hector, which is way better than ECDSA on those  
performance measures:


But, hector isn't really even implemented in a usable way, and I have  
no idea if it has good proofs of security predicated on some other  
standard problem and so on:


By the way, here is a paper about security proofs for ECDSA:


and a paper that includes a criticism of that proof:


I haven't read either.



More information about the tahoe-dev mailing list