Folks: I don't fully understand this thread, but it sounds to me like it might be omitting consideration of multi-target attacks. For example, Tier Nolan's attack (http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012230.html), which seems to be the best attack on this thread, seems to start with one specific public key of an intended victim, but if the attacker is happy to find a collision with *any* one out of a large number of potential victims, he gets an advantage proportional to the number of potential victims.
So it would be wise, in addition to the kind of analysis already done on this thread (which appears to have already settled at "Yes, we need > 80-bit security."), to make a nice optimistic estimate of how many public keys we could eventually have in use. 2⁴⁰? 2⁵⁰? Or maybe be *very* optimistic, with some added IoT [*] goodness, and budget for 2⁶⁰? Then we need to budget that many more bits of security to keep the future attacker's chances of success low enough that the attacker will never succeed. (Assuming that's our requirement.)

You might enjoy this recent blog post by DJB, legendary cryptographer who works in this niche of cryptography as well as several other niches: http://blog.cr.yp.to/20151120-batchattacks.html It has some interesting philosophical musings about the "Attacker Economist" approach.

(N.B. My respect for DJB's accomplishments is tremendous, but that doesn't mean I automatically agree with everything he says. I haven't made up my mind what I think about this particular philosophical argument.)

Sincerely,

Zooko

[*] The Internet of Targets
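The multi-target advantage the post describes, and the "budget log2(N) more bits" rule that follows from it, as an added worked example (this is example code written for this page, not code from the post, the thread, or Bitcoin). It assumes a toy hash, SHA-256 truncated to a small number of bits so that brute-force preimage search finishes in seconds, and constructed random 32-byte "public keys" as victims; the function names are mine. Against one target the expected number of guesses is about 2^bits; against N targets, checked with a single set lookup per guess, it drops to about 2^bits / N, which is exactly the factor the extra log2(N) bits of budget are meant to absorb.

```python
"""Toy demonstration of the multi-target (batch) preimage advantage.

Added example, not from the original mailing-list post. Assumptions (mine):
  * toy_hash = SHA-256 truncated to `hash_bits` bits, so searches finish fast;
  * victims are constructed random 32-byte "public keys";
  * the attacker wins on a preimage for ANY victim's hash.
"""
import hashlib
import math
import random


def toy_hash(data: bytes, hash_bits: int) -> int:
    """SHA-256 truncated to its top `hash_bits` bits (constructed stand-in)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - hash_bits)


def security_budget_bits(single_target_bits: int, num_targets: int) -> float:
    """Bits needed so that an attacker facing `num_targets` potential victims
    does no better than against one victim at `single_target_bits`.
    A multi-target search gains a factor of N, i.e. log2(N) bits."""
    return single_target_bits + math.log2(num_targets)


def guesses_until_any_match(targets: set, hash_bits: int, rng: random.Random) -> int:
    """Random guesses until the toy hash of a guess lands in `targets`.
    The set lookup costs the same whether `targets` holds 1 or 2^40 hashes,
    which is why the attacker's advantage scales with the number of victims."""
    guesses = 0
    while True:
        guesses += 1
        candidate = rng.getrandbits(256).to_bytes(32, "big")
        if toy_hash(candidate, hash_bits) in targets:
            return guesses


def mean_guesses(num_targets: int, hash_bits: int, trials: int, seed: int) -> float:
    """Average guesses to hit any of `num_targets` constructed victims."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        # A fresh batch of constructed victim keys for each trial.
        targets = {
            toy_hash(rng.getrandbits(256).to_bytes(32, "big"), hash_bits)
            for _ in range(num_targets)
        }
        total += guesses_until_any_match(targets, hash_bits, rng)
    return total / trials


if __name__ == "__main__":
    bits = 12
    single = mean_guesses(1, bits, 100, 1)      # expect about 2^12 = 4096
    multi = mean_guesses(64, bits, 400, 2)      # expect about 4096 / 64 = 64
    print(f"1 target : ~{single:.0f} guesses")
    print(f"64 targets: ~{multi:.0f} guesses (x{single / multi:.0f} cheaper)")
    for victims in (2**40, 2**50, 2**60):
        print(f"80-bit single-target security with 2^{int(math.log2(victims))} "
              f"victims needs ~{security_budget_bits(80, victims):.0f} bits")
```

The simulation uses 12-bit toy hashes so both searches run quickly; the ratio between the two means is what matters, and it tracks the number of victims rather than the hash size. The last loop reproduces the post's budgeting step: an 80-bit single-target floor plus log2 of the victim count (2⁴⁰, 2⁵⁰, 2⁶⁰) gives 120, 130 and 140 bits.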