Re: [Taler] G the generator


From: Jeff Burdges
Subject: Re: [Taler] G the generator
Date: Sat, 03 Oct 2015 17:16:21 +0200

You're proposing false generalities that'll make stuff harder to read,
understand, implement, etc.  It might even damage adoption by making
taler sound like bullshit.

All asymmetric crypto-systems employ a distinguished generator, sometimes it's 
simply 1 in Z mod p, but whatever. 

It's always good to avoid depending on RSA of course, but RSA is the only 
system that supports blind signatures in a reasonable way. 

We'd drop some/all Elliptic curves if some radical mathematical advance broke 
some/all, but that's extremely unlikely.  Avoiding EC sounds useless short of that.


In the abstract, there are dangers when abstracting protocols over
cryptographic algorithms, enough that cryptographers like DJB advocate
against it.  

Amusingly, I'm helping a friend here write up a weakness he found in
EKE2, and maybe other PAKEs, using EC-DH as opposed to old style DH.  





On Sat, 2015-10-03 at 16:23 +0200, Fabian Kirsch wrote:
> I hope we can lift the protocol description to an abstraction-level
> where we do not need to restrict ourselves to
> 
> * the existence of a group generator,
> * the use of RSA,
> * the use of Elliptic curves
> 
> Of course the implementation has to use these. But the
> crypto-*design* should just require
> "any asymmetric encryption scheme with a public and a private key that
> allows blind signatures and
> either DH-Keygen or ElGamal-Encryption".
> 
> In that way taler's crypto would not need reevaluation with each news
> in the crypto field.
> 
> greetings
>    Fabian
> 
