> Date: Thu, 27 Jul 2017 11:44:47 -0700
> From: Mike Hamburg <m...@shiftleft.org>
>
> > On Jul 27, 2017, at 11:39 AM, Taylor R Campbell
> > <campbell+moderncrypto-cur...@mumble.net> wrote:
> >
> > Neat. The danger of a 94-bit security level for a discrete log system
> > like this, of course, is that it takes only a single offline 2^94-cost
> > precomputation for an attacker to quickly compute any discrete logs in
> > the system.
>
> Wait, really? I thought the strongest precomputation attack was
> something like q^(2/3) work to reduce the dlogs to q^(1/3).
>
> If you could do a single offline sqrt(q)-cost attack that made single
> discrete logs cheap, then you could do a batch attack of size n in
> less than the (state of the art?) O(sqrt(qn)) time.
Sorry, I confounded batch-sqrt algorithms for ECDLP with NFS for FFDLP in my fuzzy recollection of the attack costs. I will defer to the citations at <https://safecurves.cr.yp.to/rho.html> of real experts who have actually carried out such attacks. (Evidently one should not take a bumpkin like me at my word about detailed cost estimates!)

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
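As an added worked example, not part of either message above: the precomputation trade-off Mike is describing, written out. Here q is the prime group order, T the size of a precomputed table of distinguished points, and n the number of logs attacked as a batch; the T-parametrized costs are the Bernstein–Lange generalisation of the q^(2/3) / q^(1/3) figures he quotes, asymptotic with constants dropped, and reading "94-bit security" as sqrt(q) = 2^94 is an assumption.

Generic precomputation with a table of T entries costs about

$$\mathrm{Pre}(T) \approx \sqrt{qT}, \qquad \mathrm{Log}(T) \approx \sqrt{q/T}$$

for the offline phase and for each subsequent log. Mike's recollection is the point $T = q^{1/3}$:

$$\mathrm{Pre}(q^{1/3}) \approx \sqrt{q \cdot q^{1/3}} = q^{2/3}, \qquad \mathrm{Log}(q^{1/3}) \approx \sqrt{q / q^{1/3}} = q^{1/3}.$$

Attacking a batch of n logs with the table sized to the batch, $T = n$, costs in total

$$\sqrt{qn} + n\sqrt{q/n} = 2\sqrt{qn} = O(\sqrt{qn}),$$

which is exactly the batch bound he cites: the precomputation view and the batch view agree. The hypothetical he rules out, a $\sqrt{q}$ offline phase after which each log costs some negligible $c \ll \sqrt{q/n}$, would give a batch cost of

$$\sqrt{q} + nc \ll \sqrt{qn} \quad \text{for } n \gg 1,$$

beating the best known batch algorithm, which is the contradiction his second paragraph points at. Under the assumption $\sqrt{q} = 2^{94}$, so $q \approx 2^{188}$, the $T = q^{1/3}$ attack needs roughly $2^{125}$ of precomputation before each further log costs roughly $2^{63}$; a $2^{94}$ budget does not buy the table, which is why the single-log security level is not reduced below 94 bits by this route.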