Bit security level < 128

[veorq]

Sorry if this was already discussed: section 1.1 says

The following comparison assumes BLS signatures with curve BLS12-381, targeting 128 bits security.

Strictly speaking, from our current understanding the security level is lower than this, as discussed in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-01#section-3.2

The revised complexity is then less than 120.

As stated in the discussion of this issue in https://www.nccgroup.trust/globalassets/our-research/us/public-reports/2019/ncc_group_zcash2018_public_report_2019-01-30_v1.3.pdf (p8), the actual value of eaching "128-bit" is mostly psychological, but probably better show that we're aware of this issue in the document?

[zhenfeizhang]

sounds good. working on a fix...

[zhenfeizhang]

There is a newer evaluation from pairing friendly curve, version 09, here. I am using this evaluation for consistency.