> On Jul 27, 2017, at 11:39 AM, Taylor R Campbell
> <campbell+moderncrypto-cur...@mumble.net> wrote:
>
>> Date: Thu, 27 Jul 2017 18:27:31 +0200
>> From: Björn Haase <bjoern.m.ha...@web.de>
>>
>> Folks interested in a legacy-level high-efficiency curve targeting the
>> ~94 bit security level might like to have a look at Curve19119 and its
>> associated DH protocol X19119.
>
> Neat. The danger of a 94-bit security level for a discrete log system
> like this, of course, is that it takes only a single offline 2^94-cost
> precomputation for an attacker to quickly compute any discrete logs in
> the system.

Wait, really? I thought the strongest precomputation attack was something like q^(2/3) work to reduce the dlogs to q^(1/3). If you could do a single offline sqrt(q)-cost attack that made single discrete logs cheap, then you could do a batch attack of size n in less than the (state of the art?) O(sqrt(qn)) time.

— Mike
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
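The trade-off named in the reply above (about q^(2/3) offline work so that each later discrete log costs on the order of q^(1/3)), shown as an added example that is not part of the original thread: a distinguished-point table in a small group. The group parameters, the walk function and all names (`walk`, `precompute`, `dlog`, `T`, `W`, `R`) are assumptions constructed for illustration, and the group is far too small to say anything about Curve19119 itself.

```python
import itertools

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed toy group: the order-q subgroup of Z_p^*, with p = 2q + 1.
q = next(n for n in itertools.count(1 << 28) if is_prime(n) and is_prime(2 * n + 1))
p = 2 * q + 1
g = 4                                   # a square mod p, hence of order q
T = W = round(q ** (1 / 3))             # table size and mean walk length
R = 32                                  # number of walk multipliers
EXPS = [pow(7, j + 1, q) for j in range(R)]   # fixed, arbitrary exponents
MULS = [pow(g, e, p) for e in EXPS]

def walk(y, b):
    """Step y -> y * g^e until y is distinguished; b tracks the added exponent."""
    for steps in range(20 * W):
        if y % W == 0:                  # about one element in W is distinguished
            return y, b, steps
        j = y % R
        y, b = y * MULS[j] % p, (b + EXPS[j]) % q
    return None, b, 20 * W              # cycle without a distinguished point

def precompute():
    """Offline, target-independent: about T * W = q^(2/3) multiplications."""
    table, cost = {}, 0
    for i in range(T):
        a = pow(5, i, q)
        d, a, steps = walk(pow(g, a, p), a)
        cost += steps
        if d is not None:
            table[d] = a                # d == g^a
    return table, cost

def dlog(h, table):
    """Online: walk from h * g^r until a stored point is hit."""
    cost = 0
    for r in itertools.count():
        d, b, steps = walk(h * pow(g, r, p) % p, r)   # d == h * g^b
        cost += steps
        if d in table:
            return (table[d] - b) % q, cost

if __name__ == "__main__":
    table, offline = precompute()
    x, online = dlog(pow(g, 123456789, p), table)
    print(f"q={q} offline={offline} online={online} sqrt(q)={int(q ** 0.5)} x={x}")
```

The table is built once without reference to any target and reused for every `dlog` call, which is why a group shared by many users needs margin against a one-time offline cost.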