[cryptography] Practical Threshold Signatures
realcr at gmail.com
Wed Nov 13 01:14:21 EST 2013
Hey. I want to thank everyone for the helpful answers. They were very
interesting to read.
>From what I understand, the group I'm looking for is an elliptic cure with
a weil pairing. (Jonathan mentioned bilinear map, I assume that means the
The C code for the Pairing based cryptography seems to be very useful for
I have two questions regarding the answers I received:
1. I feel not very smart in the domain of elliptic curves and Weil pairing.
Before jumping into the code I want to make sure I understand what I'm
doing. Do you have a recommendation of something I should read? I'm not
afraid of heavy math, though at the same time I can spend only so much time
2. Can I actually trust the elliptic curve with weil pairing to do its
cryptographic job? Maybe better asked: Can I trust it like I trust that it
is hard to factor numbers? (Maybe even more?)
I really appreciate your time reading this. Thank you for your help,
On Tue, Nov 12, 2013 at 10:12 PM, James A. Donald <jamesd at echeque.com>wrote:
> My understanding is that Gap Diffie Helman is the only solution for
> threshold signatures that is actually workable (no trusted party, normal
> signatures, looks the same as an individual signature.) I base this on
> having looked around for workable solutions. Maybe there is one I missed.
> Everything else I looked at was impractical when closely
> I am not sure what the scaling is, but is not obviously and intolerably
> horrid. Signature evaluation is fast - it looks and acts just like a
> normal signature, and we can tolerate large costs for a large group to
> generate signature.
> Next problem, find your Gap Diffie Helman group, which in practice means
> an elliptic curve that supports the Weil Pairing.
> For source code in C, see http://crypto.stanford.edu/pbc/
> Samuel Neves, on the mailing list cryptography at randombit.net claimed
> "For pairing-friendly curves to achieve the 128-bit security
> level, it is a good idea to increase the characteristic to prevent
> FFS-style attacks, and to increase the embedding degree to something higher
> than 6. Barreto-Naehrig curves are defined over (large) prime fields, have
> embedding degree 12, and are generally a good choice for the 128-bit level."
> cryptography mailing list
> cryptography at randombit.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cryptography