<div dir="ltr"><div>Hey. I want to thank everyone for the helpful answers. They were very interesting to read.<br></div><div>From what I understand, the group I'm looking for is an elliptic cure with a weil pairing. (Jonathan mentioned bilinear map, I assume that means the same thing?)<br>
</div><div>The C code for the Pairing based cryptography seems to be very useful for this purpose.<br><br></div><div>I have two questions regarding the answers I received:<br></div><div><br></div><div>1. I feel not very smart in the domain of elliptic curves and Weil pairing. Before jumping into the code I want to make sure I understand what I'm doing. Do you have a recommendation of something I should read? I'm not afraid of heavy math, though at the same time I can spend only so much time on this.<br>
<br>2. Can I actually trust the elliptic curve with weil pairing to do its cryptographic job? Maybe better asked: Can I trust it like I trust that it is hard to factor numbers? (Maybe even more?)<br><br></div><div>I really appreciate your time reading this. Thank you for your help,<br>
</div><div>real.<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 12, 2013 at 10:12 PM, James A. Donald <span dir="ltr"><<a href="mailto:jamesd@echeque.com" target="_blank">jamesd@echeque.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My understanding is that Gap Diffie Helman is the only solution for threshold signatures that is actually workable (no trusted party, normal signatures, looks the same as an individual signature.) I base this on having looked around for workable solutions. Maybe there is one I missed. Everything else I looked at was impractical when closely<br>
examined.<br>
<br>
I am not sure what the scaling is, but is not obviously and intolerably horrid. Signature evaluation is fast - it looks and acts just like a normal signature, and we can tolerate large costs for a large group to generate signature.<br>
<br>
Next problem, find your Gap Diffie Helman group, which in practice means an elliptic curve that supports the Weil Pairing.<br>
<br>
For source code in C, see <a href="http://crypto.stanford.edu/pbc/" target="_blank">http://crypto.stanford.edu/<u></u>pbc/</a><br>
<br>
Samuel Neves, on the mailing list <a href="mailto:cryptography@randombit.net" target="_blank">cryptography@randombit.net</a> claimed<br>
<br>
"For pairing-friendly curves to achieve the 128-bit security level, it is a good idea to increase the characteristic to prevent FFS-style attacks, and to increase the embedding degree to something higher than 6. Barreto-Naehrig curves are defined over (large) prime fields, have embedding degree 12, and are generally a good choice for the 128-bit level."<div class="HOEnZb">
<div class="h5"><br>
______________________________<u></u>_________________<br>
cryptography mailing list<br>
<a href="mailto:cryptography@randombit.net" target="_blank">cryptography@randombit.net</a><br>
<a href="http://lists.randombit.net/mailman/listinfo/cryptography" target="_blank">http://lists.randombit.net/<u></u>mailman/listinfo/cryptography</a><br>
</div></div></blockquote></div><br></div>