Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2013-08-05 📝 Original message:On Sun, Aug 4, 2013 at ...
📅 Original date posted: 2013-08-05
📝 Original message: On Sun, Aug 4, 2013 at 8:30 PM, Peter Vessenes <peter at coinlab.com> wrote:
> I studied with Jeffrey Hoffstein at Brown, one of the creators of NTRU. He
> told me recently NTRU, which is lattice based, is one of the few (only?)
> NIST-recommended QC-resistant algorithms.

Lamport signatures (and Merkle tree variants that allow reuse) are
simpler, faster, trivially implemented, and intuitively secure under
both classical and quantum computation (plus, unlike some proposed
QC-strong techniques, they're patent clear). They happen to be the only
digital signature scheme that you really can successfully explain to
grandma (even for values of grandma which are not cryptographers).

They have poor space/bandwidth usage properties, which is one reason
why Bitcoin doesn't use them today, but as far as I know the same is
so for all post-QC schemes.

> Though I question the validity of the claim that ECC is so much more secure than RSA (with appropriate keysizes).

The problems are intimately related, but under the best understanding
ECC (with suitable parameters) ends up being the maximally hard case
of that problem class. I do sometimes worry about breakthroughs that
give index-calculus level performance for general elliptic curves;
this still wouldn't leave it any weaker than RSA, but ECC is typically
used with smaller keys.
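The Lamport scheme Maxwell refers to above, as an added worked example (this is editor-supplied code, not code from the original post and not Bitcoin's): one-time keys over SHA-256, signing by revealing one preimage per digest bit, verification by re-hashing, the byte counts behind the "poor space/bandwidth" remark, and a demonstration of why the key must not be reused. The 32-byte preimage length, the 64-byte ECDSA comparison figure, the `n` parameter that shortens the digest to 16 bits so the reuse forgery search finishes quickly, and all message strings are assumptions made for this example.

```python
"""Lamport one-time signatures over SHA-256 (added example, not the post's code)."""
import hashlib
import secrets

SEC_BYTES = 32      # assumed length of each secret preimage
DIGEST_BITS = 256   # full SHA-256; n below lets the reuse demo shrink it


def _bits(msg, n=DIGEST_BITS):
    """First n bits of SHA-256(msg), most significant bit first."""
    d = hashlib.sha256(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(n)]


def keygen(n=DIGEST_BITS):
    """Private key: n pairs of random secrets. Public key: the hash of each secret."""
    sk = [(secrets.token_bytes(SEC_BYTES), secrets.token_bytes(SEC_BYTES))
          for _ in range(n)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    """For each digest bit, reveal the secret matching that bit's value (0 or 1)."""
    return [sk[i][b] for i, b in enumerate(_bits(msg, len(sk)))]


def verify(pk, msg, sig):
    """Each revealed secret must hash to the public-key element the bit selects."""
    if len(sig) != len(pk):
        return False
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg, len(pk)))))


def sizes(n=DIGEST_BITS):
    """Bytes per signature and public key, beside an assumed 64-byte ECDSA signature."""
    return {"signature": n * SEC_BYTES,
            "public_key": n * 2 * hashlib.sha256().digest_size,
            "ecdsa_signature": 64}


def search_forgery(pk, m1, s1, m2, s2, limit=1 << 20):
    """Key reuse attack: two signatures under one key reveal, at every digest
    position where m1 and m2 differ, both preimages.  The attacker then looks
    for any message whose digest bits are all covered by revealed preimages and
    assembles a valid signature for it without the private key.  Returns
    (message, signature) or None if the candidate budget runs out."""
    n = len(pk)
    known = {}  # (position, bit value) -> revealed preimage
    for m, s in ((m1, s1), (m2, s2)):
        for i, (sec, b) in enumerate(zip(s, _bits(m, n))):
            known[(i, b)] = sec
    for k in range(limit):
        target = b"attacker-chosen message #%d" % k   # constructed candidates
        if target in (m1, m2):
            continue
        bits = _bits(target, n)
        if all((i, b) in known for i, b in enumerate(bits)):
            return target, [known[(i, b)] for i, b in enumerate(bits)]
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"
    sig = sign(sk, msg)
    print("verifies:", verify(pk, msg, sig), "tampered:", verify(pk, msg + b"!", sig))
    print("bytes:", sizes())
    # Reuse demo on a 16-bit digest so the search is fast; with 256 bits the
    # attacker would need 2^256 candidates in the worst case, but the leak is the same.
    sk16, pk16 = keygen(16)
    a, b = b"first signed message", b"second signed message"
    forged = search_forgery(pk16, a, sign(sk16, a), b, sign(sk16, b))
    print("forgery found:", forged is not None and verify(pk16, forged[0], forged[1]))
```

A single 256-bit signature here is 8 KiB and the public key 16 KiB, against 64 bytes for an ECDSA signature; the Merkle tree variants Maxwell mentions amortise the public-key cost over many one-time keys but do not shrink the per-signature preimages. The forgery search shows the one-time rule is structural: every extra signature under the same key roughly halves the number of positions an attacker still has to match.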
Published at 2023-06-07 15:05:31