On Tue, Aug 13, 2013 at 4:19 PM, grarpamp grarpamp@gmail.com wrote:
Thought I'd note seeing some projects xor different encryption types together, usually for stream encryption, so as to not rest all on one. That's not to suggest such ideas might be of use within Tor, just something seen when balancing what to use arises.
Yeah; this isn't about stream encryption, though. It's about signatures.
For signature schemes, the equivalent approach would be to use two different signature algorithms at once, and only accept the signatures when they're valid according to both. I'm kind of doing that in this proposal, I guess, by having documents signed with Ed25519 and RSA1024... but one of the signatures is much better than the other: 255-bit ECC groups will be secure long after RSA1024 has fallen.
I suppose we could come up with a scheme that would introduce *two* new signature schemes at once, choosing them such that it would be very unlikely for them both to fall at the same time ... but I'm not sure that the engineering burden there would have a commensurate payoff.
(I'm also a little surprised that nobody has said we should be using Keccak or Blake2 in place of SHA256/SHA512 here. ;) )
best wishes,