[148155] in cryptography@c2.net mail archive
Re: [Cryptography] [cryptography] Practical Threshold Signatures
daemon@ATHENA.MIT.EDU (realcr)
Wed Nov 13 02:03:13 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52828BC8.6030007@echeque.com>
Date: Wed, 13 Nov 2013 08:14:21 +0200
From: realcr <realcr@gmail.com>
To: jamesd@echeque.com
Cc: cryptography@metzdowd.com, cryptography@randombit.net
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============6709825284516848784==
Content-Type: multipart/alternative; boundary=089e0111c09a4a400a04eb08e0fd
--089e0111c09a4a400a04eb08e0fd
Content-Type: text/plain; charset=ISO-8859-1
Hey. I want to thank everyone for the helpful answers. They were very
interesting to read.
From what I understand, the group I'm looking for is an elliptic cure with
a weil pairing. (Jonathan mentioned bilinear map, I assume that means the
same thing?)
The C code for the Pairing based cryptography seems to be very useful for
this purpose.
I have two questions regarding the answers I received:
1. I feel not very smart in the domain of elliptic curves and Weil pairing.
Before jumping into the code I want to make sure I understand what I'm
doing. Do you have a recommendation of something I should read? I'm not
afraid of heavy math, though at the same time I can spend only so much time
on this.
2. Can I actually trust the elliptic curve with weil pairing to do its
cryptographic job? Maybe better asked: Can I trust it like I trust that it
is hard to factor numbers? (Maybe even more?)
I really appreciate your time reading this. Thank you for your help,
real.
On Tue, Nov 12, 2013 at 10:12 PM, James A. Donald <jamesd@echeque.com>wrote:
> My understanding is that Gap Diffie Helman is the only solution for
> threshold signatures that is actually workable (no trusted party, normal
> signatures, looks the same as an individual signature.) I base this on
> having looked around for workable solutions. Maybe there is one I missed.
> Everything else I looked at was impractical when closely
> examined.
>
> I am not sure what the scaling is, but is not obviously and intolerably
> horrid. Signature evaluation is fast - it looks and acts just like a
> normal signature, and we can tolerate large costs for a large group to
> generate signature.
>
> Next problem, find your Gap Diffie Helman group, which in practice means
> an elliptic curve that supports the Weil Pairing.
>
> For source code in C, see http://crypto.stanford.edu/pbc/
>
> Samuel Neves, on the mailing list cryptography@randombit.net claimed
>
> "For pairing-friendly curves to achieve the 128-bit security
> level, it is a good idea to increase the characteristic to prevent
> FFS-style attacks, and to increase the embedding degree to something higher
> than 6. Barreto-Naehrig curves are defined over (large) prime fields, have
> embedding degree 12, and are generally a good choice for the 128-bit level."
>
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
--089e0111c09a4a400a04eb08e0fd
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>Hey. I want to thank everyone for the helpful answers=
. They were very interesting to read.<br></div><div>From what I understand,=
the group I'm looking for is an elliptic cure with a weil pairing. (Jo=
nathan mentioned bilinear map, I assume that means the same thing?)<br>
</div><div>The C code for the Pairing based cryptography seems to be very u=
seful for this purpose.<br><br></div><div>I have two questions regarding th=
e answers I received:<br></div><div><br></div><div>1. I feel not very smart=
in the domain of elliptic curves and Weil pairing. Before jumping into the=
code I want to make sure I understand what I'm doing. Do you have a re=
commendation of something I should read? I'm not afraid of heavy math, =
though at the same time I can spend only so much time on this.<br>
<br>2. Can I actually trust the elliptic curve with weil pairing to do its =
cryptographic job? Maybe better asked: Can I trust it like I trust that it =
is hard to factor numbers? (Maybe even more?)<br><br></div><div>I really ap=
preciate your time reading this. Thank you for your help,<br>
</div><div>real.<br></div></div><div class=3D"gmail_extra"><br><br><div cla=
ss=3D"gmail_quote">On Tue, Nov 12, 2013 at 10:12 PM, James A. Donald <span =
dir=3D"ltr"><<a href=3D"mailto:jamesd@echeque.com" target=3D"_blank">jam=
esd@echeque.com</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">My understanding is that Gap Diffie Helman i=
s the only solution for threshold signatures that is actually workable (no =
trusted party, normal signatures, looks the same as an individual signature=
.) =A0 I base this on having looked around for workable solutions. =A0Maybe=
there is one I missed. =A0Everything else I looked at was impractical when=
closely<br>
examined.<br>
<br>
I am not sure what the scaling is, but is not obviously and intolerably hor=
rid. =A0Signature evaluation is fast - it looks and acts just like a normal=
signature, and we can tolerate large costs for a large group to generate s=
ignature.<br>
<br>
Next problem, find your Gap Diffie Helman group, which in practice means an=
elliptic curve that supports the Weil Pairing.<br>
<br>
For source code in C, see <a href=3D"http://crypto.stanford.edu/pbc/" targe=
t=3D"_blank">http://crypto.stanford.edu/<u></u>pbc/</a><br>
<br>
Samuel Neves, on the mailing list <a href=3D"mailto:cryptography@randombit.=
net" target=3D"_blank">cryptography@randombit.net</a> claimed<br>
<br>
=A0 =A0 =A0 =A0 "For pairing-friendly curves to achieve the 128-bit se=
curity level, it is a good idea to increase the characteristic to prevent F=
FS-style attacks, and to increase the embedding degree to something higher =
than 6. Barreto-Naehrig curves are defined over (large) prime fields, have =
embedding degree 12, and are generally a good choice for the 128-bit level.=
"<div class=3D"HOEnZb">
<div class=3D"h5"><br>
______________________________<u></u>_________________<br>
cryptography mailing list<br>
<a href=3D"mailto:cryptography@randombit.net" target=3D"_blank">cryptograph=
y@randombit.net</a><br>
<a href=3D"http://lists.randombit.net/mailman/listinfo/cryptography" target=
=3D"_blank">http://lists.randombit.net/<u></u>mailman/listinfo/cryptography=
</a><br>
</div></div></blockquote></div><br></div>
--089e0111c09a4a400a04eb08e0fd--
--===============6709825284516848784==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============6709825284516848784==--
