[tahoe-dev] [pycryptopp] #13: [EC]DSA "semi-private"/intermediate keys

James A. Donald jamesd at echeque.com
Tue Jan 12 22:48:01 UTC 2010

 >  > My concern is that {{{x*y mod q}}} is not uniformly
 >  > distributed, even if x and y are uniformly
 >  > distributed.

 >  This was discussed in
 >  [http://allmydata.org/pipermail/tahoe-dev/2009-May/001798.html on tahoe-dev]
 >  but should be recorded here:
 >  ECDSA can work on elliptic curves over either GF(p)
 >  or GF(2^m^) [or GF(p^m^) but I don't think that's a
 >  standardised option]. When the curve is over GF(p),
 >  ECDSA is specified to use a prime subgroup, say of
 >  order q. Ordinary DSA also uses a prime subgroup of
 >  order q.

Is there any source code available for Gap Diffie-Hellman
groups?  These give a signature that is half the
size of ECDSA (if one uses point compression) and is
considerably easier to comprehend, the signature being
an elliptic curve point that is a public key for a
document-specific secret, the document-specific secret
being the product of the signer's secret key and a value
derived from the document hash.

If I could find some code that does some of the hard
work, I would be motivated to link it to python.

Signatures based on Gap Diffie-Hellman groups make all
sorts of interesting things possible. It is unclear
whether any of those things would be useful for Tahoe,
but they would be useful for me.
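
Added example (not part of the original message or of pycryptopp): an exhaustive check, for toy moduli, of the quoted concern about `x*y mod q` and of why the reply's point that q is prime matters. It assumes x and y are independent and uniform; the moduli 11 and 12 are constructed illustrations, not real group orders.

```python
from collections import Counter
from fractions import Fraction


def product_distribution(modulus, include_zero=False):
    """Exact distribution of x*y mod modulus for independent uniform x, y.

    x and y range over 1..modulus-1, or 0..modulus-1 if include_zero is set.
    """
    values = range(0 if include_zero else 1, modulus)
    counts = Counter((x * y) % modulus for x in values for y in values)
    total = len(values) ** 2
    return {r: Fraction(c, total) for r, c in sorted(counts.items())}


def is_uniform(dist, support):
    """True if dist puts equal probability on exactly the given support."""
    support = list(support)
    expected = Fraction(1, len(support))
    return set(dist) == set(support) and all(
        p == expected for p in dist.values()
    )


if __name__ == "__main__":
    # Constructed toy moduli: 11 is prime, 12 is composite.
    cases = [
        ("prime q=11, x,y in 1..10", product_distribution(11), range(1, 11)),
        ("prime q=11, x,y in 0..10", product_distribution(11, True), range(11)),
        ("composite n=12, x,y in 1..11", product_distribution(12), range(1, 12)),
    ]
    for label, dist, support in cases:
        verdict = "uniform" if is_uniform(dist, support) else "skewed"
        print(f"{label}: {verdict}")
        for residue, prob in dist.items():
            print(f"    {residue:2d}: {prob}")
```

With a prime modulus and both factors nonzero, multiplication by a fixed x is a bijection on 1..q-1, so the product is exactly uniform there; the skew appears only when zero is allowed or the modulus is composite.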
