On 30 September 2013 23:35, John Kelsey <crypto....@gmail.com> wrote:

> If there is a weak curve class of greater than about 2^{80} that NSA knew
> about 15 years ago and were sure nobody was ever going to find that weak
> curve class and exploit it to break classified communications protected by
> it, then they could have generated 2^{80} or so seeds to hit that weak
> curve class.

If the NSA's attack involves generating some sort of collision between a
curve and something else over a 160-bit space, they wouldn't have to be
worried that someone else would find and attack that "weak curve class"
with less than 2^160 work.
