[curves] Curve19119: A legacy-level little brother of Curve25519
Taylor R Campbell
campbell+moderncrypto-curves at mumble.net
Thu Jul 27 12:07:56 PDT 2017
> Date: Thu, 27 Jul 2017 11:44:47 -0700
> From: Mike Hamburg <mike at shiftleft.org>
>
> > On Jul 27, 2017, at 11:39 AM, Taylor R Campbell <campbell+moderncrypto-curves at mumble.net> wrote:
> >
> > Neat. The danger of a 94-bit security level for a discrete log system
> > like this, of course, is that it takes only a single offline 2^94-cost
> > precomputation for an attacker to quickly compute any discrete logs in
> > the system.
>
> Wait, really? I thought the strongest precomputation attack was
> something like q^(2/3) work to reduce the dlogs to q^(1/3).
>
> If you could do a single offline sqrt(q)-cost attack that made single
> discrete logs cheap, then you could do a batch attack of size n in
> less than the (state of the art?) O(sqrt(qn)) time.
Sorry, I confounded batch-sqrt algorithms for ECDLP with NFS for FFDLP
in my fuzzy recollection of the attack costs. I will defer to the
citations at <https://safecurves.cr.yp.to/rho.html> of real experts
who have actually carried out such attacks. (Evidently one should not
take a bumpkin like me at my word about detailed cost estimates!)
More information about the Curves
mailing list