[cryptography] Merkle-Winternitz-HORS signature scheme for Tahoe-LAFS [corrections]
david-sarah at jacaranda.org
Mon Jul 5 20:13:23 EDT 2010
David-Sarah Hopwood wrote:
> 5. By using seeded hashes, we can halve the size of hash output required for
> any given security level. This is important because -- all other parameters
> being the same -- it results in a fourfold reduction in signature size, as
> well as halving the number of hash compressions.
> [The literature refers to "keyed" or "dedicated-key" hashes. But the seeds
> are not really keys, since they're made public immediately after a given
> hash operation. Also, there are usually other keys involved in a protocol,
> so I think it is unnecessarily confusing to refer to these seeds as keys.]
> The file seed is used to key all hash applications for a given mutable
> file, *except* when hashing a message to produce a message representative.
> The latter is keyed by the signature seed from the signing key.
> Note that eSec *is* preserved if we use independent seeds for each
> level of the Merkle tree. All the hashes at the same level can use
> the same key -- that gives the "TH" construction in section 5.4 of
> There could also be a concern that point 4 above is similar to
> on-line/off-line signatures as patented by Even, Goldreich and Micali
> (U.S. patent 5016274, filed in 1988; expires on 14 May 2011).
I calculated the expiration date incorrectly. It was filed before the
rules changed in June 1995, so it's the later of 20 years after filing
(8 November 2008) or 17 years after issue (14 May 2008). So it has already
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 292 bytes
Desc: OpenPGP digital signature
More information about the cryptography