[agl]

There are various groupish signature systems (including DAA and BBS[1]) that would probably be a better answer here, _if you controlled the signers_. But, in this context, the devices have shipped and they do P-256 ECDSA. So the question then becomes, what _can_ we do without being able to change the signers? Can we plausibly retrofit something onto them?

[1] http://crypto.stanford.edu/~dabo/papers/groupsigs.pdf

[ecesena]

I see, thank you for the clarification. I was just surprised to read it takes several seconds on a 4GHz cpu. For example the chip we’re using in Solo is a STM32 at 80MHz so it’s prob impractical (But in fairness I don’t have numbers on DAA either.)