Zooko wrote: > Are there any other types of digital signature scheme which can have > public keys shorter than 2*security level bits?
Well I suggested the small DSA variant. David Hopwood showed a shortcoming but it sounded like it didn't apply to your usage. More generally, what would happen if you replaced an arbitrary public key with its hash, and used that for the URL; and then included the full public key (or at least information sufficient to regenerate it) in the signature? The sigs would get much bigger but the key could be much smaller. Does that tradeoff work for you? Are its security implications worth exploring? Hal Finney _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
