[messaging] Useability of public-key fingerprints

Robert Ransom rransom.8774 at gmail.com
Thu Jan 30 02:10:58 PST 2014


On 1/30/14, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 1/30/14, Robert Ransom <rransom.8774 at gmail.com> wrote:
>
>> If your reason for wanting ‘112-bit security’ is that your attacker
>> can perform 2^80 operations and you want a maximum probability that
>> They will break *something* with their attack of 2^(-32), then a
>> 32+2*80 = 192-bit EC group is enough.  With Edwards curves, the field
>> order for that must be at least 194-bit; 2^194 - 33 is not too bad,
>> and 2^198 - 17 may be better for implementations.  (I wouldn't even
>> consider 2^196 - 15.)
>
> Well that's funny.
>
> ? setup_field_pnl(198)
> q = 2^198 + (-17)
> minimal_nonsquare = Mod(-1, q)
>
> twisted Edwards curve, a=-1, d=19: trace of Frobenius =
> 601912744319849345102550754396
> twisted Edwards curve, a=-1, d=19: j = -3456/11875
> twisted Edwards curve, a=1, d=-19: not of the form 2^k*p
>
> It's not twist-secure, but *wow* 19 is a small parameter.

For twist security:

twisted Edwards curve, a=-1, d=4871: trace of Frobenius =
-812987829911451385204552182824
twisted Edwards curve, a=-1, d=4871: j =
195118184034564423353284705161608727620400662763077148794639
WINNER: twisted Edwards curve, a=-1, d=4871


Robert Ransom


More information about the Messaging mailing list