I’m looking at Table 4, and it talks about the number of bits p needs for a certain security level with or without ignoring constants.

For example it says for BN curves with n=12, when not ignoring constants, 256 bits in p is enough for 128 bit security.

Isn’t *that* the relevant number?

Why also write the number that ignores the constants?

Your precision about the practical security implications for breaking Barreto-Naehrig curves is very valuable for people who are more users than creators/cryptanalysts of these curves.

We thought in the past that the crossover point of the best attacks for BN curves (with embedded degree 12) was for curves around 256 bits, thus providing a security level of 128 bits.

You now consider that the best attack has a complexity around 96 bits instead of 128 bits.

I understand that it’s difficult to provide precise numbers, but if we want to reconsider the actual estimated crossover of the best attacks on BN curves, what would be the actual size of the curves which cannot be broken with an attack better than the canonical ones?

Would it be around 192-bit curves (96-bit security level)? 160? 128? 112?

Even if 256-bit BN curves become obsolete, smaller curves may still provide interesting benefits for lesser security use cases…

It may be worth clarifying that this is “contrary to” the original Sarkar–Singh method. If I understand correctly, the Sarkar–Singh method combined with Kim–Barbulescu does give an asymptotic improvement, and is currently the best algorithm. (I’m assuming it can be applied to the “special extended” case as well.)

Zcash (https://z.cash) had been planning to use a BN128 curve, and we’re currently trying to reassess what curve we will need in light of this attack: https://github.com/zcash/zcash/issues/714

The table was edited. Thanks.