Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Werner Koch <wk@gnupg.org> Fri, 14 March 2014 16:56 UTC

From: Werner Koch <wk@gnupg.org>
To: Vincent Yu <v@v-yu.com>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Fri, 14 Mar 2014 17:46:32 +0100
In-Reply-To: <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> (Vincent Yu's message of "Fri, 14 Mar 2014 09:55:02 -0400")
Message-ID: <87y50cybh3.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/bY-lGcwPCJrw7Lw_srrEibW_-gg
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

On Fri, 14 Mar 2014 14:55, v@v-yu.com said:

> A major consideration in the proposed scheme is to make sure that it
> is separable; i.e., that different types of existing keys can be used
> together without a dedicated setup. In the current scheme, signers are

Old implementations won't be able to handle ring signatures at all.  To
use existing keys, users can simply use dedicated subkeys.

> able to produce a ring signature without any cooperation or setup from
> the other possible signers (as long as they each have an RSA, DSA, or

You better need some setup from the other possible signers: They should
be able to create ring signatures.  If you look at a ring signature and
you can figure out that only one key has been created with a software
version capable of handling ring signatures, it would be easy to single
out who actually did the signature.  Unfortunately we can't completely
hide all hints on the software version used.  For example, analyzing
signed mails from mailing list archives should allow one to guess which
software version is used.

> Thus, I think it is important to have a new algorithm ID for ring
> signatures so that signers are free to mix together different types of

Agreed,

> What ECC signing algorithms does the current development version of
> GnuPG support?

ECDSA.

EdDSA (Bernstein et al's Schnorr variant) will likely be added soon.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.