[cryptography] Practical Threshold Signatures

James A. Donald jamesd at echeque.com
Tue Nov 12 15:12:56 EST 2013

My understanding is that Gap Diffie Helman is the only solution for 
threshold signatures that is actually workable (no trusted party, normal 
signatures, looks the same as an individual signature.)   I base this on 
having looked around for workable solutions.  Maybe there is one I 
missed.  Everything else I looked at was impractical when closely

I am not sure what the scaling is, but is not obviously and intolerably 
horrid.  Signature evaluation is fast - it looks and acts just like a 
normal signature, and we can tolerate large costs for a large group to 
generate signature.

Next problem, find your Gap Diffie Helman group, which in practice means 
an elliptic curve that supports the Weil Pairing.

For source code in C, see http://crypto.stanford.edu/pbc/

Samuel Neves, on the mailing list cryptography at randombit.net claimed

	"For pairing-friendly curves to achieve the 128-bit security level, it 
is a good idea to increase the characteristic to prevent FFS-style 
attacks, and to increase the embedding degree to something higher than 
6. Barreto-Naehrig curves are defined over (large) prime fields, have 
embedding degree 12, and are generally a good choice for the 128-bit level."

More information about the cryptography mailing list