On 1/30/14, Robert Ransom <[email protected]> wrote:
> On 1/30/14, Robert Ransom <[email protected]> wrote:
>
>> If your reason for wanting ‘112-bit security’ is that your attacker
>> can perform 2^80 operations and you want a maximum probability that
>> They will break *something* with their attack of 2^(-32), then a
>> 32+2*80 = 192-bit EC group is enough. With Edwards curves, the field
>> order for that must be at least 194-bit; 2^194 - 33 is not too bad,
>> and 2^198 - 17 may be better for implementations. (I wouldn't even
>> consider 2^196 - 15.)
>
> Well that's funny.
>
> ? setup_field_pnl(198)
> q = 2^198 + (-17)
> minimal_nonsquare = Mod(-1, q)
>
> twisted Edwards curve, a=-1, d=19: trace of Frobenius =
> 601912744319849345102550754396
> twisted Edwards curve, a=-1, d=19: j = -3456/11875
> twisted Edwards curve, a=1, d=-19: not of the form 2^k*p
>
> It's not twist-secure, but *wow* 19 is a small parameter.

For twist security:

twisted Edwards curve, a=-1, d=4871: trace of Frobenius =
-812987829911451385204552182824
twisted Edwards curve, a=-1, d=4871: j =
195118184034564423353284705161608727620400662763077148794639
WINNER: twisted Edwards curve, a=-1, d=4871

Robert Ransom
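The figures in the message above can be re-checked from the quoted traces alone. The following is an added example, not part of the original message or the PARI/GP script behind it. It assumes the standard relations (curve order q+1-t, quadratic twist order q+1+t) and uses Miller-Rabin as a stand-in primality test; all function names are this example's own.

```python
import random

Q = 2**198 - 17  # field order quoted in the message
# Traces of Frobenius copied from the message, keyed by d (a = -1 in both cases).
TRACES = {
    19: 601912744319849345102550754396,
    4871: -812987829911451385204552182824,
}

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def split_cofactor(order):
    """Return (k, m) with order = 2^k * m and m odd."""
    k = 0
    while order % 2 == 0:
        order, k = order // 2, k + 1
    return k, order

def analyse(trace, q=Q):
    """Cofactor and odd-part size for the curve (q+1-t) and its twist (q+1+t)."""
    if trace * trace > 4 * q:
        raise ValueError("trace violates the Hasse bound")
    report = {}
    for name, order in (("curve", q + 1 - trace), ("twist", q + 1 + trace)):
        k, m = split_cofactor(order)
        report[name] = {"cofactor": 2**k, "subgroup_bits": m.bit_length(),
                        "prime_subgroup": is_probable_prime(m)}
    return report

if __name__ == "__main__":
    for d, t in TRACES.items():
        print(d, analyse(t))
```

A curve is twist-secure in the sense used in the thread when `prime_subgroup` is true for both the `curve` and `twist` entries; `subgroup_bits` shows how much of the 198-bit field survives the cofactor against the 192-bit target.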
