[messaging] Useability of public-key fingerprints

Robert Ransom rransom.8774 at gmail.com
Thu Jan 30 00:39:29 PST 2014


On 1/30/14, Robert Ransom <rransom.8774 at gmail.com> wrote:

> If your reason for wanting ‘112-bit security’ is that your attacker
> can perform 2^80 operations and you want a maximum probability that
> They will break *something* with their attack of 2^(-32), then a
> 32+2*80 = 192-bit EC group is enough.  With Edwards curves, the field
> order for that must be at least 194-bit; 2^194 - 33 is not too bad,
> and 2^198 - 17 may be better for implementations.  (I wouldn't even
> consider 2^196 - 15.)

Well that's funny.

? setup_field_pnl(198)
q = 2^198 + (-17)
minimal_nonsquare = Mod(-1, q)

twisted Edwards curve, a=-1, d=19: trace of Frobenius =
601912744319849345102550754396
twisted Edwards curve, a=-1, d=19: j = -3456/11875
twisted Edwards curve, a=1, d=-19: not of the form 2^k*p

It's not twist-secure, but *wow* 19 is a small parameter.


Robert Ransom


More information about the Messaging mailing list