The cr.yp.to microblog: 2020.12.01 10:48:14

2020.12.01 10:48:14 (1333709483751575552) from Daniel J. Bernstein, replying to "Stefano Tessaro (@StefanoMTessaro)" (1333272009564774406):

If I try to use HILL defn 3.1.1 to evaluate the NIST P-256 security level, I get "syntax error". If I charitably extend the syntax, I can get anything between 0 and 2^85, depending on interpretation of various undefined terms. Giving definitions that match reality isn't so easy.

Context

2020.11.30 05:38:16 (1333269089574219777) from "Stefano Tessaro (@StefanoMTessaro)", replying to "Steven Galbraith (@EllipticKiwi)" (1332584404464484354):

The whole confusion stems from the attempt to define one *number* as the security level. While it is indeed simpler, what we care about is a *function* describing the advantage in terms of the adversary's resources.

2020.11.30 05:42:01 (1333270033770848256) from "Steven Galbraith (@EllipticKiwi)", replying to "Stefano Tessaro (@StefanoMTessaro)" (1333269089574219777):

Thanks for your comment. Fully agree

2020.11.30 05:49:52 (1333272009564774406) from "Stefano Tessaro (@StefanoMTessaro)", replying to "Steven Galbraith (@EllipticKiwi)" (1333270033770848256):

Nice talk! - btw, the definition of security level you suggest dates back (at least) to the HILL paper (see Definition 3.1.1 in http://www.csc.kth.se/~johanh/prgfromowf.pdf)