[cryptography] Practical Threshold Signatures

realcr realcr at gmail.com
Wed Nov 13 01:14:21 EST 2013

Hey. I want to thank everyone for the helpful answers. They were very
interesting to read.
From what I understand, the group I'm looking for is an elliptic curve with
a Weil pairing. (Jonathan mentioned bilinear map, I assume that means the
same thing?)
The C code for the Pairing based cryptography seems to be very useful for
this purpose.

I have two questions regarding the answers I received:

1. I feel not very smart in the domain of elliptic curves and Weil pairing.
Before jumping into the code I want to make sure I understand what I'm
doing. Do you have a recommendation of something I should read? I'm not
afraid of heavy math, though at the same time I can spend only so much time
on this.

2. Can I actually trust the elliptic curve with Weil pairing to do its
cryptographic job? Maybe better asked: Can I trust it like I trust that it
is hard to factor numbers? (Maybe even more?)

I really appreciate your time reading this. Thank you for your help,

On Tue, Nov 12, 2013 at 10:12 PM, James A. Donald <jamesd at echeque.com> wrote:

> My understanding is that Gap Diffie-Hellman is the only solution for
> threshold signatures that is actually workable (no trusted party, normal
> signatures, looks the same as an individual signature.) I base this on
> having looked around for workable solutions. Maybe there is one I missed.
> Everything else I looked at was impractical when closely
> examined.
> I am not sure what the scaling is, but it is not obviously and intolerably
> horrid. Signature evaluation is fast - it looks and acts just like a
> normal signature, and we can tolerate large costs for a large group to
> generate a signature.
> Next problem, find your Gap Diffie-Hellman group, which in practice means
> an elliptic curve that supports the Weil Pairing.
> For source code in C, see http://crypto.stanford.edu/pbc/
> Samuel Neves, on the mailing list cryptography at randombit.net claimed
>         "For pairing-friendly curves to achieve the 128-bit security
> level, it is a good idea to increase the characteristic to prevent
> FFS-style attacks, and to increase the embedding degree to something higher
> than 6. Barreto-Naehrig curves are defined over (large) prime fields, have
> embedding degree 12, and are generally a good choice for the 128-bit level."