On 1/30/14, Robert Ransom <[email protected]> wrote:
> If your reason for wanting ‘112-bit security’ is that your attacker
> can perform 2^80 operations and you want a maximum probability that
> They will break *something* with their attack of 2^(-32), then a
> 32+2*80 = 192-bit EC group is enough. With Edwards curves, the field
> order for that must be at least 194-bit; 2^194 - 33 is not too bad,
> and 2^198 - 17 may be better for implementations. (I wouldn't even
> consider 2^196 - 15.)

Well that's funny.

? setup_field_pnl(198)
q = 2^198 + (-17)
minimal_nonsquare = Mod(-1, q)
twisted Edwards curve, a=-1, d=19: trace of Frobenius = 601912744319849345102550754396
twisted Edwards curve, a=-1, d=19: j = -3456/11875
twisted Edwards curve, a=1, d=-19: not of the form 2^k*p

It's not twist-secure, but *wow* 19 is a small parameter.

Robert Ransom
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
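
Added example (not part of the original message or of the GP script it quotes): from the quoted q and trace of Frobenius t, the curve order is q + 1 - t and the quadratic twist's order is q + 1 + t; the sketch below splits each into 2^k times an odd part and tests that odd part for primality, which is the "2^k*p" check the session output refers to. The function names and the fixed-base Miller-Rabin test are assumptions of this example.

```python
# Added example: cofactor / twist check from a field prime q and Frobenius trace t.
Q = 2**198 - 17
T = 601912744319849345102550754396  # trace quoted above for a=-1, d=19

# Fixed Miller-Rabin bases: a probabilistic test chosen for this example,
# not the method used by the GP script in the message.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53)

def is_probable_prime(n):
    if n < 2:
        return False
    for p in BASES:              # trial division also settles every n < 53^2
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:                    # never reached n - 1: a witnesses compositeness
            return False
    return True

def split_order(n):
    """Write n = 2^k * m with m odd; return (k, m, m is probably prime)."""
    k = 0
    while n % 2 == 0:
        n, k = n // 2, k + 1
    return k, n, is_probable_prime(n)

def curve_and_twist(q, t):
    """Return split_order() of the curve order q+1-t and the twist order q+1+t."""
    if t * t > 4 * q:
        raise ValueError("trace violates the Hasse bound |t| <= 2*sqrt(q)")
    return split_order(q + 1 - t), split_order(q + 1 + t)

if __name__ == "__main__":
    for name, (k, m, ok) in zip(("curve", "twist"), curve_and_twist(Q, T)):
        print(f"{name}: 2^{k} * {m.bit_length()}-bit odd part, odd part prime: {ok}")
```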
