Closed kwantam closed 4 years ago
Rather than replace k
entirely, perhaps we can note that k
could be computed as you suggest? I think having a target security level will be important for folks looking to adopt one of these in their applications or protocols.
Great point! We can add this in the "defining new suites" section, maybe.
I'm helping to implement hash-to-curve in RELIC, and as I'm doing this I'm realizing that the way we've specified
k
inherently requires a judgement call, which is annoying. This is related to @armfazh's issue with callingk
the security parameter---that's subjective and will change over time, and even now people will disagree on how to define it.So how could we do this in an objective way? One way would be to say
in other words, we replace
k
withceil(log2(p)) / 2
. But this is too conservative for curves with large cofactors (like pairing-friendly curves).How about this:
This is essentially how we have been picking
k
already---in particular, I think this will not change any of the hash-to-field parameters in the Suites at all---but it's a totally objective measure, which is nice...I can put together a PR if this seems reasonable.