On Sunday,2009-07-19, at 13:24 , Paul Hoffman wrote:

At 7:54 AM -0600 7/18/09, Zooko Wilcox-O'Hearn wrote:This involves deciding whether a 192-bit elliptic curve public keyis strong enough...Why not just go with 256-bit EC (128-bit symmetric strength)? Isthe 8 bytes per signature the issue, or the extra compute time?

`Those are two good guesses, but no. The main concern is the size of`

`the public key. This is why (if I understand correctly),`

`hyperelliptic curves might eventually offer public key signatures`

`which are twice as good for the purposes of TahoeLAFS as elliptic`

`curves. (By which I mean, the keys are half as big.) I discussed`

`this topic a bit in a subsequent message to the cryptography mailing`

`list entitled "Why hyperelliptic curves?".`

`Actually, the computation time matters, too. Our measurements on an`

`ARM 266 MHz embedded system showed a significant penalty for 256-bit`

`ECDSA vs. 192-bit:`

http://allmydata.org/pipermail/tahoe-dev/2009-June/002083.html Regards, Zooko --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com