2020.12.01 10:48:14 (1333709483751575552) from Daniel J. Bernstein, replying to "Stefano Tessaro (@StefanoMTessaro)" (1333272009564774406):
If I try to use HILL defn 3.1.1 to evaluate the NIST P-256 security level, I get "syntax error". If I charitably extend the syntax, I can get anything between 0 and 2^85, depending on interpretation of various undefined terms. Giving definitions that match reality isn't so easy.
2020.11.30 05:38:16 (1333269089574219777) from "Stefano Tessaro (@StefanoMTessaro)", replying to "Steven Galbraith (@EllipticKiwi)" (1332584404464484354):
The whole confusion stems from the attempt to define one *number* as the security level. While it is indeed simpler, what we care about is a *function* describing the advantage in terms of the adversary's resources.
2020.11.30 05:42:01 (1333270033770848256) from "Steven Galbraith (@EllipticKiwi)", replying to "Stefano Tessaro (@StefanoMTessaro)" (1333269089574219777):
Thanks for your comment. Fully agree
2020.11.30 05:49:52 (1333272009564774406) from "Stefano Tessaro (@StefanoMTessaro)", replying to "Steven Galbraith (@EllipticKiwi)" (1333270033770848256):
Nice talk! - btw, the definition of security level you suggest dates back (at least) to the HILL paper (see Definition 3.1.1 in http://www.csc.kth.se/~johanh/prgfromowf.pdf)