
[Gzz-commits] manuscripts/Sigs article.rst


From: Benja Fallenstein
Subject: [Gzz-commits] manuscripts/Sigs article.rst
Date: Mon, 19 May 2003 14:59:40 -0400

CVSROOT:        /cvsroot/gzz
Module name:    manuscripts
Changes by:     Benja Fallenstein <address@hidden>      03/05/19 14:59:40

Modified files:
        Sigs           : article.rst 

Log message:
        concl

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/manuscripts/Sigs/article.rst.diff?tr1=1.124&tr2=1.125&r1=text&r2=text

Patches:
Index: manuscripts/Sigs/article.rst
diff -u manuscripts/Sigs/article.rst:1.124 manuscripts/Sigs/article.rst:1.125
--- manuscripts/Sigs/article.rst:1.124  Mon May 19 14:58:39 2003
+++ manuscripts/Sigs/article.rst        Mon May 19 14:59:39 2003
@@ -268,6 +268,18 @@
            tv=5.57e+03 [~27.84ms])
 
 
+- Maybe also mention:
+
+  Note that rejection of a wrong key the most time-critical
+  operation, in order to avoid DOSing through giving loads
+  of wrong signatures. If the adversary can only forge the
+  first `$b_0$` bits of the message, rejection of the sig
+  will only take `$\\frac{b_0}{b}$` of the above estimate.
+
+  If the signed bits are the cryptographic hash of the
+  actual message, forging many bits may be hard.
+
+
 Practical Variants
 ==================
 
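Review bot: The first added sentence, "Note that rejection of a wrong key the most time-critical", is missing its verb and says "wrong key" while the reason given is about "wrong signatures"; suggest "Note that rejection of a wrong signature is the most time-critical operation". In the same paragraph, `b` is used in `$\\frac{b_0}{b}$` without being introduced here, so state what it counts (presumably the total number of signed bits) and say which estimate "the above estimate" refers to. The doubled backslash in `\\frac` is also worth checking against how the other formulas in the file are escaped.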
@@ -312,6 +324,7 @@
 ==========
 
 - presented a new signature scheme with several benefits
+  as far as we know not found together so far
 
   - no trapdoor funcs
 
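Review bot: The added continuation line "as far as we know not found together so far" hedges twice ("as far as we know" and "so far") and reads as a fragment after "several benefits". Suggest folding it into the bullet as "with several benefits that, as far as we know, have not been combined before", and marking it with REF the way the "hashes *do* get broken, REF" bullet does, so the related-work comparison backing the claim is not forgotten.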
@@ -337,6 +350,10 @@
 
   - naturally not foolproof: e.g. hashes *do* get broken, REF
 
+  - signatures in practice do depend on a hash function for
+    long messages. however, it only needs to be collision-resistant,
+    not a random oracle
+
 - key idea: using the deterministic random oracle
   to create a huge virtual tree of private keys,
 
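Review bot: The new sub-bullet says the hash for long messages "only needs to be collision-resistant, not a random oracle", and the very next bullet opens with "key idea: using the deterministic random oracle". A reader can take these as contradictory. Suggest stating explicitly that the message hash and the oracle used to build the private-key tree are separate components with different requirements. Minor: the sentence starting "however" should be capitalized, or joined to the previous one with a semicolon.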
@@ -347,9 +364,8 @@
   to work if only a predetermined number of documents is ever signed
   with a key. 
 
+  - not worse than RSA, where giving more signatures increases
+    the possibility of factoring
+
 Acknowledgments
 ===============
-
-
-
-
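Review bot: The added bullet "not worse than RSA, where giving more signatures increases the possibility of factoring" states a property of RSA as fact with no support in the surrounding text. Either add a REF marker, as done for the "hashes *do* get broken" bullet, or soften the wording, since the conclusion's comparison rests on it. It would also help to say what "not worse" measures here, given that the preceding bullet is about the scheme working only for a predetermined number of signed documents.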



