public inbox for bitcoindev@googlegroups.com
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Peter Vessenes <peter@coinlab.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Preparing for the Cryptopocalypse
Date: Sun, 4 Aug 2013 23:41:57 -0700
Message-ID: <CAAS2fgTPFHGQVs8qUj+8NyRQ3Ym=ws=_+FuWWvyYra5r-PZsdQ@mail.gmail.com>
In-Reply-To: <CAMGNxUuhpOF+fOpHxQ7ZrV2=tGTEhfF3LiA=g87HZW=0QkNzYA@mail.gmail.com>

On Sun, Aug 4, 2013 at 8:30 PM, Peter Vessenes <peter@coinlab.com> wrote:
> I studied with Jeffrey Hoffstein at Brown, one of the creators of NTRU. He
> told me recently NTRU, which is lattice based, is one of the few (only?)
> NIST-recommended QC-resistant algorithms.

Lamport signatures (and Merkle tree variants that allow reuse) are
simpler, faster, trivially implemented, and intuitively secure under
both classical and quantum computation (plus, unlike some proposed QC
strong techniques, they're patent clear).  They happen to be the only
digital signature scheme that you really can successfully explain to
grandma (even for values of grandma which are not cryptographers).

They have poor space/bandwidth usage properties, which is one reason
why Bitcoin doesn't use them today, but as far as I know the same is
so for all post-QC schemes.

> Though I question the validity of the claim that ECC is so much more secure than RSA (with appropriate keysizes).

The problems are intimately related, but under the best understanding
ECC (with suitable parameters) ends up being the maximally hard case
of that problem class.   I do sometimes worry about breakthroughs that
give index-calculus level performance for general elliptic curves;
this still wouldn't leave it any weaker than RSA, but ECC is typically
used with smaller keys.

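The Lamport scheme and the Merkle-tree reuse variant mentioned above, as an added illustration that is not code from the post or from Bitcoin itself. It is a plain textbook construction over SHA-256: a one-time key is 256 pairs of random 32-byte secrets, the public key is their hashes, and signing reveals one secret per digest bit. The `exposed_pairs` helper shows why the key is one-time (two signatures under the same key reveal both secrets wherever the digests differ), and the small Merkle tree shows how a single 32-byte root can cover 2^h one-time keys at the cost of a longer signature. Sizes returned by `sig_size_bytes` make the bandwidth point concrete. All function names and the 4-byte index encoding are my own choices for this example; a real deployment would use `os.urandom` (the default here) and never sign twice with one leaf.

```python
"""Lamport one-time signatures and a small Merkle-tree variant (SHA-256).
Added example for the mailing-list discussion; not production code."""
import hashlib
import os

N = 256  # SHA-256 digest bits -> 256 secret pairs per one-time key


def H(*parts):
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen(rng=os.urandom):
    """One-time key: 256 pairs of 32-byte secrets; public key is their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg):
    """Digest bits of msg, most significant bit first."""
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def lamport_sign(sk, msg):
    """Reveal secret 0 or 1 of pair i according to digest bit i."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    """Each revealed secret must hash to the public value selected by the bit."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def exposed_pairs(sigs):
    """Count positions where both secrets of a pair appear across the given
    signatures. Any such position lets a third party set that digest bit at
    will, which is why a Lamport key must be used exactly once."""
    seen = [set() for _ in range(N)]
    for sig in sigs:
        for i, s in enumerate(sig):
            seen[i].add(s)
    return sum(1 for i in range(N) if len(seen[i]) == 2)


def _leaf(pk):
    return H(*[x for pair in pk for x in pair])


def merkle_keygen(height, rng=os.urandom):
    """2**height one-time keys committed under one 32-byte root.
    Returns (signer_state, root); the state tracks the next unused leaf."""
    keys = [lamport_keygen(rng) for _ in range(1 << height)]
    layers = [[_leaf(pk) for _, pk in keys]]
    while len(layers[-1]) > 1:
        lvl = layers[-1]
        layers.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return {"keys": keys, "layers": layers, "next": 0}, layers[-1][0]


def merkle_sign(state, msg):
    """Sign with the next unused leaf. The signature carries the leaf index,
    the leaf's Lamport public key, the one-time signature and the sibling
    hashes needed to recompute the root (the authentication path)."""
    idx = state["next"]
    if idx >= len(state["keys"]):
        raise RuntimeError("all one-time keys in this tree have been used")
    state["next"] = idx + 1
    sk, pk = state["keys"][idx]
    path, i = [], idx
    for lvl in state["layers"][:-1]:
        path.append(lvl[i ^ 1])  # sibling at this level
        i >>= 1
    return idx, pk, lamport_sign(sk, msg), path


def merkle_verify(root, msg, sig):
    """Check the one-time signature, then walk the path back up to the root."""
    idx, pk, ots, path = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node = _leaf(pk)
    for sib in path:
        node = H(sib, node) if idx & 1 else H(node, sib)
        idx >>= 1
    return node == root


def sig_size_bytes(sig):
    """Bytes on the wire: 4-byte index + leaf pk + 256 secrets + auth path."""
    _, pk, ots, path = sig
    return 4 + sum(len(a) + len(b) for a, b in pk) + sum(map(len, ots)) + sum(map(len, path))


if __name__ == "__main__":
    state, root = merkle_keygen(3)  # 8 one-time keys, 32-byte root
    sig = merkle_sign(state, b"constructed sample message")
    print("valid:", merkle_verify(root, b"constructed sample message", sig))
    print("signature bytes:", sig_size_bytes(sig), "vs. a 32-byte root")
```

With `height=3` each signature is 4 + 16384 + 8192 + 96 bytes, against roughly 70 bytes for an ECDSA signature; the tree lets one root sign eight times, but every signature still has to carry the leaf public key and the one-time signature, which is the space cost the post refers to.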


Thread overview: 8+ messages
2013-08-04 17:13 [Bitcoin-development] Preparing for the Cryptopocalypse Melvin Carvalho
2013-08-04 18:06 ` Alan Reiner
2013-08-05  3:30   ` Peter Vessenes
2013-08-05  5:29     ` John Dillon
2013-08-05  5:37       ` Alan Reiner
2013-08-05  6:41     ` Gregory Maxwell [this message]
2013-08-05 15:37       ` Peter Vessenes
2013-08-06 11:09       ` Mike Hearn