[curves] Curve19119: A legacy-level little brother of Curve25519
mike at shiftleft.org
Thu Jul 27 11:44:47 PDT 2017
> On Jul 27, 2017, at 11:39 AM, Taylor R Campbell <campbell+moderncrypto-curves at mumble.net> wrote:
>> Date: Thu, 27 Jul 2017 18:27:31 +0200
>> From: Björn Haase <bjoern.m.haase at web.de>
>> Folks interested in a legacy-level high-efficiency curve targeting the
>> ~94 bit security level might like to have a look at Curve19119 and its
>> associated DH protocol X19119.
> Neat. The danger of a 94-bit security level for a discrete log system
> like this, of course, is that it takes only a single offline 2^94-cost
> precomputation for an attacker to quickly compute any discrete logs in
> the system.
Wait, really? I thought the strongest precomputation attack was
something like q^(2/3) work to reduce the dlogs to q^(1/3).
If you could do a single offline sqrt(q)-cost attack that made single
discrete logs cheap, then you could do a batch attack of size n in
less than the (state of the art?) O(sqrt(qn)) time.
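
As an added illustration, not part of the original message or of any code from this thread: a toy Python version of the table-based trade-off mentioned above, where roughly q^(2/3) offline work brings a single discrete log down to roughly q^(1/3) online work. It is a simplified distinguished-point table; the small group (q = 1000003), the parameters T and W (both about q^(1/3)) and all names are assumptions chosen for the demo.

```python
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_group(q):
    """Return (p, g): smallest prime p = k*q + 1 and an element g of order q."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = next(x for x in (pow(b, k, p) for b in range(2, p)) if x != 1)
    return p, g

class DlogTable:
    """Offline: 4*T walks of about W steps. Online: a few walks of about W steps."""
    def __init__(self, p, q, g, T, W, seed=1):
        self.p, self.q, self.g, self.W = p, q, g, W
        self.rng = random.Random(seed)          # fixed seed: repeatable demo
        exps = [self.rng.randrange(1, q) for _ in range(16)]
        self.steps = [(e, pow(g, e, p)) for e in exps]
        self.table, self.offline_mults = {}, 0
        for _ in range(4 * T):
            a = self.rng.randrange(q)
            dp, e, n = self._walk(pow(g, a, p), a)
            self.offline_mults += n
            if dp is not None:
                self.table[dp] = e              # invariant: dp == g^e

    def _walk(self, x, e):
        # Pseudo-random walk; stop at a "distinguished" point (x % W == 0).
        for n in range(20 * self.W):
            if x % self.W == 0:
                return x, e, n
            de, s = self.steps[x % 16]
            x, e = x * s % self.p, (e + de) % self.q
        return None, None, 20 * self.W          # no distinguished point: give up

    def solve(self, h):
        """Return (log_g h, online multiplications) using the stored table."""
        mults = 0
        while True:
            b = self.rng.randrange(self.q)
            dp, e, n = self._walk(h * pow(self.g, b, self.p) % self.p, b)
            mults += n
            if dp in self.table:                # h * g^e == g^table[dp]
                return (self.table[dp] - e) % self.q, mults
```

Comparing `offline_mults` with the count returned by `solve` against sqrt(q) ≈ 1000 shows the shape of the trade-off: the table is paid for once, and each later logarithm reuses it.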