Dear Jack Lloyd: I like good Devil's Advocacy, and yours was good, but surely you would agree that an algorithm that comes with a proof of its security predicated on some standard problem such as discrete log is *less likely* to get cracked than one that hasn't such a reduction? :-)
Anyway, I think the issue is moot (though fun and interesting), because there isn't any competitor to ECDSA for our performance requirements (small public keys, fast keypair generation). Well, actually there is hector, which is way better than ECDSA on those performance measures:

http://bench.cr.yp.to/graph-sign/amd64-molecule.png

But, hector isn't really even implemented in a usable way, and I have no idea if it has good proofs of security predicated on some other standard problem and so on:

http://allmydata.org/trac/tahoe/ticket/217#comment:50

By the way, here is a paper about security proofs for ECDSA:

http://citeseer.ist.psu.edu/old/brown00exact.html

and a paper that includes a criticism of that proof:

http://citeseer.ist.psu.edu/stern02flaws.html

I haven't read either.

Regards,

Zooko
