Jeremy Spilman [ARCHIVE] on Nostr:
Original date posted: 2014-01-18
Original message:
> On Fri, Jan 17, 2014 at 8:55 PM, Alan Reiner <etotheipi at gmail.com> wrote:
>> Isn't there a much faster asymmetric scheme that we can use? I've heard people talk about ed25519, though I'm not sure it can be used for encryption.
>
> Doing ECDH with our curve is within a factor of ~2 of the fastest
> encryption available at this security level, AFAIK. And separate
> encryption would ~double the amount of data vs using the ephemeral key
> for derivation.
>
> Using another cryptosystem would mandate carrying around additional code
> for a fast implementation of that cryptosystem, which wouldn't be
> fantastic.
>
> So I'm not sure much can be improved there.

In the case where payment is being sent only to Q1, and Q2 is for discovery only, perhaps we could use a 160-bit curve for d2/Q2 and e/P resulting in 20 bytes vs 32 bytes in the OP_RETURN, and of course faster multiplication.

80 bits of security I assume still greatly exceeds the actual level of privacy you get with the overall solution, and since Q2 is never protecting actual funds...

But if it's a "real weakening" of the privacy then definitely not worth it, and even the added complexity of another curve seems possibly not worth it...

Published at 2023-06-07 15:11:50
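
The size trade-off discussed above, as an added example that is not part of the original message: ECDH between a sender's ephemeral pair e/P and the receiver's discovery pair d2/Q2, run on secp256k1 and on a 160-bit curve. The key roles, the choice of secp160k1 (the post names no specific 160-bit curve) and carrying only the x-coordinate of P are assumptions.

```python
import secrets

CURVES = {  # SEC 2 parameters; both curves are y^2 = x^3 + 7 over F_p
    "secp256k1": dict(
        p=2**256 - 2**32 - 977,
        n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
        G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
           0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)),
    "secp160k1": dict(  # assumed stand-in for "a 160-bit curve"
        p=2**160 - 2**32 - 21389,
        n=0x0100000000000000000001B8FA16DFAB9ACA16B6B3,
        G=(0x3B4C382CE37AA192A4019E763036F4F5DD4D7EBB,
           0x938CF935318FDCED6BC28286531733C3F03C4FEE)),
}

def on_curve(pt, p):
    return (pt[1] ** 2 - pt[0] ** 3 - 7) % p == 0

def add(a, b, p):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt, p):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, p)
        pt, k = add(pt, pt, p), k >> 1
    return acc

def discovery_demo(name):
    """Return (x-coordinate size, P.x bytes, sender secret, receiver secret)."""
    p, n, G = (CURVES[name][f] for f in ("p", "n", "G"))
    size = (p.bit_length() + 7) // 8
    # Assumed roles: d2 = receiver's discovery key, e = sender's ephemeral key.
    d2, e = (secrets.randbelow(n - 1) + 1 for _ in range(2))
    Q2, P = mul(d2, G, p), mul(e, G, p)
    sender, receiver = mul(e, Q2, p)[0], mul(d2, P, p)[0]  # e*Q2 vs d2*P
    return (size, *(v.to_bytes(size, "big") for v in (P[0], sender, receiver)))
```

Calling `discovery_demo` for each curve returns the x-coordinate size and the two derived secrets, so the byte saving and the agreement between sender and receiver can be checked side by side.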