On Sun, Apr 7, 2013 at 4:31 PM, Mike Perry <mikepe...@torproject.org> wrote: > However, it would be interesting to have some benchmarks for high-bit > ECC implementations. It seems to me they should still be faster than > modular exponentiation at the same bitwidth, no?
For signing, — If you are willing to have large amounts of data: (and you can almost always move public key bytes into the signature by making the "public key" a hash of the real public key). (1) You can use merkle signatures, which have stronger security properties than the common asymmetric schemes (simply because they already all use a hash function in a way that a second pre-image is a complete break on the signature). They're also stupid fast, and as a class generally secure against hypothetical quantum computers. and/or (2) You could use multiple schemes e.g. RSA && Ed25519 && merkle && lattice such that the composition is no less secure, ... and even if all of the schemes can be attacked the cost of building the distinct attacks may be powerful. _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
