My understanding is that Gap Diffie Helman is the only solution for
threshold signatures that is actually workable (no trusted party, normal
signatures, looks the same as an individual signature.) I base this on
having looked around for workable solutions. Maybe there is one I
missed. Everything else I looked at was impractical when closely
examined.
I am not sure what the scaling is, but is not obviously and intolerably
horrid. Signature evaluation is fast - it looks and acts just like a
normal signature, and we can tolerate large costs for a large group to
generate signature.
Next problem, find your Gap Diffie Helman group, which in practice means
an elliptic curve that supports the Weil Pairing.
For source code in C, see http://crypto.stanford.edu/pbc/
Samuel Neves, on the mailing list [email protected] claimed
"For pairing-friendly curves to achieve the 128-bit security level, it
is a good idea to increase the characteristic to prevent FFS-style
attacks, and to increase the embedding degree to something higher than
6. Barreto-Naehrig curves are defined over (large) prime fields, have
embedding degree 12, and are generally a good choice for the 128-bit level."
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
