AFAIK, 2^119 is the worst-time complexity of the attack. Breaking a 256-bit key through a brute-force attack takes 2^256 operations in the worst case. The 'X/2' you are talking about is the average case, right? We are not looking for collisions here, so the birthday paradox doesn't apply...
Best Regards, Peter Djalaliev
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
