[messaging] Useability of public-key fingerprints
Robert Ransom
rransom.8774 at gmail.com
Thu Jan 30 00:39:29 PST 2014
On 1/30/14, Robert Ransom <rransom.8774 at gmail.com> wrote:
> If your reason for wanting ‘112-bit security’ is that your attacker
> can perform 2^80 operations and you want a maximum probability that
> They will break *something* with their attack of 2^(-32), then a
> 32+2*80 = 192-bit EC group is enough. With Edwards curves, the field
> order for that must be at least 194-bit; 2^194 - 33 is not too bad,
> and 2^198 - 17 may be better for implementations. (I wouldn't even
> consider 2^196 - 15.)
Well that's funny.
? setup_field_pnl(198)
q = 2^198 + (-17)
minimal_nonsquare = Mod(-1, q)
twisted Edwards curve, a=-1, d=19: trace of Frobenius =
601912744319849345102550754396
twisted Edwards curve, a=-1, d=19: j = -3456/11875
twisted Edwards curve, a=1, d=-19: not of the form 2^k*p
It's not twist-secure, but *wow* 19 is a small parameter.
Robert Ransom
More information about the Messaging
mailing list