[curves] Curve19119: A legacy-level little brother of Curve25519

Mike Hamburg mike at shiftleft.org
Thu Jul 27 11:44:47 PDT 2017

> On Jul 27, 2017, at 11:39 AM, Taylor R Campbell <campbell+moderncrypto-curves at mumble.net> wrote:
>> Date: Thu, 27 Jul 2017 18:27:31 +0200
>> From: Bj�rn Haase <bjoern.m.haase at web.de>
>> Folks interested in a legacy-level high-efficiency curve targeting the 
>> ~94 bit security level might like to have a look at Curve19119 and it's 
>> associated DH protocol X19119.
> Neat.  The danger of a 94-bit security level for a discrete log system
> like this, of course, is that it takes only a single offline 2^94-cost
> precomputation for an attacker to quickly compute any discrete logs in
> the system.

Wait, really?  I thought the strongest precomputation attack was
something like q^(2/3) work to reduce the dlogs to q^(1/3).

If you could do a single offline sqrt(q)-cost attack that made single
discrete logs cheap, then you could do a batch attack of size n in
less than the (state of the art?) O(sqrt(qn)) time.

— Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3571 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20170727/3ce6e373/attachment.bin>

More information about the Curves mailing list