The lack of delinearization makes this rather fragile: if someone fails to check a key signature their key can be canceled. Having to carry around those signatures also makes this approach unsuitable for some applications e.g. where keys are used once and the group is formed by the verifier instead of the signers, in that case the additional signatures plus the collective signature require more bandwidth and computation than normal single party signatures.
On Tue, Jul 4, 2017 at 9:04 AM, Nicolas Gailly <nicolas.gai...@epfl.ch> wrote: > Hi all, > > We recently published an Internet-Draft about “Collective Edwards-Curve > Digital Signature Algorithms” based on Ed25519 and Ed448: > https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/ > > We already submitted it to the CFRG mailing list (follow-up discussions in > [0]), and and since we thought that this community might also be interested, > we wanted to reach out to this mailing list, too. > > FWIW, we plan to give a short presentation on that topic at the next CFRG > meeting in Prague (18th of July). > > Any feedback is more than welcome. Thanks! > > All the best, > > Nicolas > > [0] https://www.ietf.org/mail-archive/web/cfrg/current/msg09205.html > > > > _______________________________________________ > Curves mailing list > Curves@moderncrypto.org > https://moderncrypto.org/mailman/listinfo/curves > _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves