[tor-talk] NSA supercomputer

Gregory Maxwell gmaxwell at gmail.com
Mon Apr 8 19:50:19 UTC 2013


On Sun, Apr 7, 2013 at 4:31 PM, Mike Perry <mikeperry at torproject.org> wrote:
> However, it would be interesting to have some benchmarks for high-bit
> ECC implementations. It seems to me they should still be faster than
> modular exponentiation at the same bitwidth, no?

For signing, if you are willing to have large amounts of data (and
you can almost always move public key bytes into the signature by
making the "public key" a hash of the real public key):

(1) You can use Merkle signatures, which have stronger security
properties than the common asymmetric schemes (simply because they
already all use a hash function in a way that a second pre-image is a
complete break on the signature). They're also stupid fast, and as a
class generally secure against hypothetical quantum computers.

and/or

(2) You could use multiple schemes e.g. RSA && Ed25519 && Merkle &&
lattice such that the composition is no less secure, ... and even if
all of the schemes can be attacked the cost of building the distinct
attacks may be powerful.
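
A sketch of option (1), added here as an illustration and not part of the original post: a small Merkle signature scheme whose published "public key" is a 32-byte tree root, with the real one-time public key carried inside each signature. Lamport one-time keys as the leaves, SHA-256, the tag bytes and all function names are assumptions of this example.

```python
import hashlib, os

def H(tag, *parts):
    # Domain-separated SHA-256: tag keeps leaf, node and key hashes distinct.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def bits(msg):
    d = H(b"m", msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keygen():
    # Lamport one-time key: 256 secret pairs, public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(b"k", a), H(b"k", b)) for a, b in sk]

def leaf(pk):
    return H(b"l", *(x for pair in pk for x in pair))

def keygen(height=2):
    keys = [ots_keygen() for _ in range(2 ** height)]
    tree = [[leaf(pk) for _, pk in keys]]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([H(b"n", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return keys, tree, tree[-1][0]  # 32-byte root is the published "public key"

def sign(keys, tree, idx, msg):
    # Each idx must sign only ONE message; reuse reveals extra secrets.
    sk, pk = keys[idx]
    reveal = [sk[i][b] for i, b in enumerate(bits(msg))]
    path = [tree[h][(idx >> h) ^ 1] for h in range(len(tree) - 1)]
    return idx, reveal, pk, path  # real public key travels in the signature

def verify(root, msg, sig):
    idx, reveal, pk, path = sig
    if len(reveal) != 256 or len(pk) != 256:
        return False
    for i, b in enumerate(bits(msg)):
        if H(b"k", reveal[i]) != pk[i][b]:
            return False
    node = leaf(pk)
    for h, sib in enumerate(path):
        node = H(b"n", node, sib) if (idx >> h) & 1 == 0 else H(b"n", sib, node)
    return node == root

def sig_bytes(sig):
    _, reveal, pk, path = sig
    return 32 * (len(reveal) + 2 * len(pk) + len(path))
```

With a height-2 tree the verifier stores only 32 bytes while each signature is about 24 KB, which is the size trade-off the post refers to.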

