Closed RobinJadoul closed 2 years ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.
:white_check_mark: RobinJadoul
:x: fcasal
Hi Robin, Thanks for the pull request, that certainly improves the text! Do you have a reference for the 3072 value that we could add here?
Table 2 (pages 54-55) of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf lists 3072 bits keys for 128-bit security.
I also added a proposed citation/reference to the table/document mentioned earlier
Thanks so much for the contribution!
This addresses some confusions in the description of what a group needs for the discrete log to be hard.
Safe primes only matter to ensure that a prime-order subgroup of large order exists, as the security of a group of composite order is reduced to the order of its largest prime-order subgroup thanks to the algorithm by Pohlig and Hellman.
A prime order p >= 2^256 offers 128 bits of security against attacks in the generic group model, but note that Z_p* is not a generic group and subexponential attacks based on e.g. the general number field sieve (and implemented for instance by cado-nfs) exist. Hence when the group is a subgroup of (or the entire group, with comparable security for the discrete logarithm), p >= 2^3072 is required for the same 128 bits of security. See also logjam for an attack based on the same principles.
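The Pohlig-Hellman reduction referred to in this description, as an added worked example (it is not code from this pull request or from the project): a discrete logarithm in Z_p* is solved separately in each prime-power subgroup of the group order and recombined with the CRT, so the cost is governed by the largest prime factor of the order rather than by p itself. The moduli 257 (order 256 = 2^8, entirely smooth) and 1009 (order 1008 = 2^4 * 3^2 * 7) are constructed test values; `generic_security_bits` is an assumed helper name that applies the text's rule of thumb (about half the bit length of the largest prime-order subgroup, in the generic group model).

```python
"""Discrete log in Z_p* via Pohlig-Hellman (added example, not project code).

Shows why only the largest prime factor of the group order counts: a group
whose order is smooth falls to small baby-step giant-step searches, which is
the reason safe primes (p = 2q + 1 with q prime) are used for DH groups.
"""
from math import isqrt, log2


def factor(n):
    """Trial-division factorisation of a small integer: {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def bsgs(g, h, p, order):
    """Baby-step giant-step: x in [0, order) with g^x = h (mod p), or None."""
    m = isqrt(order) + 1
    table, e = {}, 1
    for j in range(m):                 # baby steps: g^j -> j
        table.setdefault(e, j)
        e = e * g % p
    g_minus_m = pow(g, -m, p)          # giant step multiplier g^-m
    gamma = h
    for i in range(m):                 # gamma = h * g^(-i*m)
        if gamma in table:
            return (i * m + table[gamma]) % order
        gamma = gamma * g_minus_m % p
    return None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise-coprime moduli."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M


def pohlig_hellman(g, h, p, order=None):
    """Solve g^x = h (mod p) for a generator g of order `order` (default p-1)."""
    n = p - 1 if order is None else order
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        g_i = pow(g, n // qe, p)       # project into the subgroup of order q^e
        h_i = pow(h, n // qe, p)
        g_q = pow(g_i, qe // q, p)     # element of prime order q
        x_i = 0
        for k in range(e):             # recover x_i one base-q digit at a time
            h_k = pow(h_i * pow(g_i, -x_i, p) % p, qe // q ** (k + 1), p)
            x_i += bsgs(g_q, h_k, p, q) * q ** k
        residues.append(x_i)
        moduli.append(qe)
    return crt(residues, moduli)


def find_generator(p):
    """Smallest primitive root modulo the prime p."""
    primes = factor(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in primes):
            return g


def largest_prime_factor(n):
    return max(factor(n))


def generic_security_bits(order):
    """Generic-group security estimate: half the size of the largest prime subgroup."""
    return log2(largest_prime_factor(order)) / 2


if __name__ == "__main__":
    for p in (257, 1009):
        g = find_generator(p)
        x = p // 3
        h = pow(g, x, p)
        print(f"p={p}: log_{g}({h}) = {pohlig_hellman(g, h, p)} (expected {x}), "
              f"~{generic_security_bits(p - 1):.1f} bits of generic security")
```

Run as a script to see both moduli solved instantly; for a safe prime the same code would have to run `bsgs` over the order-q subgroup, which is exactly the sqrt(q) cost the description has in mind when it quotes p >= 2^256 for 128 generic bits.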