[curves] Curve19119: A legacy-level little brother of Curve25519

Taylor R Campbell campbell+moderncrypto-curves at mumble.net
Thu Jul 27 12:07:56 PDT 2017

> Date: Thu, 27 Jul 2017 11:44:47 -0700
> From: Mike Hamburg <mike at shiftleft.org>
> > On Jul 27, 2017, at 11:39 AM, Taylor R Campbell <campbell+moderncrypto-curves at mumble.net> wrote:
> > 
> > Neat.  The danger of a 94-bit security level for a discrete log system
> > like this, of course, is that it takes only a single offline 2^94-cost
> > precomputation for an attacker to quickly compute any discrete logs in
> > the system.
> Wait, really?  I thought the strongest precomputation attack was
> something like q^(2/3) work to reduce the dlogs to q^(1/3).
> If you could do a single offline sqrt(q)-cost attack that made single
> discrete logs cheap, then you could do a batch attack of size n in
> less than the (state of the art?) O(sqrt(qn)) time.

Sorry, I confounded batch-sqrt algorithms for ECDLP with NFS for FFDLP
in my fuzzy recollection of the attack costs.  I will defer to the
citations at <https://safecurves.cr.yp.to/rho.html> of real experts
who have actually carried out such attacks.  (Evidently one should not
take a bumpkin like me at my word about detailed cost estimates!)
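
The cost comparison in Mike's reply, worked through as an added note (not part of the thread), writing $q$ for the group order and $n$ for the number of discrete logs wanted:

Batch rho without precomputation (the $O(\sqrt{qn})$ figure quoted above):
$$T_{\mathrm{batch}}(n) = O(\sqrt{qn}).$$

Any precomputation attack with one-time offline cost $P$ and per-log cost $L$:
$$T_{\mathrm{pre}}(n) = P + nL.$$

The hypothesis Mike objects to, $P = \sqrt{q}$ with $L$ negligible, gives
$$T_{\mathrm{pre}}(n) = \sqrt{q} + n < \sqrt{qn} \quad \text{for } 1 < n \ll q,$$
i.e. it would beat the batch bound for essentially every batch size, which is the contradiction he points out.

The tradeoff he cites instead, $P = q^{2/3}$ and $L = q^{1/3}$, gives
$$T_{\mathrm{pre}}(n) = q^{2/3} + n\,q^{1/3} \;\ge\; 2\sqrt{q^{2/3}\cdot n\,q^{1/3}} = 2\sqrt{qn}$$
by AM-GM, with equality at $n = q^{1/3}$. So the precomputation tradeoff never undercuts the batch bound by more than a constant factor, and the two figures are consistent.

Plugging in the 94-bit level from the thread, $\sqrt{q} \approx 2^{94}$ so $q \approx 2^{188}$: the one-time precomputation is about $2^{125}$ work, after which each individual log costs about $2^{63}$, rather than the $2^{94}$ of an unaided rho run.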
