2019.06.19 11:02:37 (1141270047991750656) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (1141129470407053314):
Given the lack of definitions and explanation, I'm having trouble figuring out what you think you're disputing here. Are you saying "closer to" means under 2^60, rather than specifically 2^56? Or is "quantum security" secretly referring to something other than "qubit operations"?
2019.06.18 23:55:54 (1141102259712999429) from Daniel J. Bernstein, replying to "hannoππππ (@hanno)" (1141096846045171712):
No, CSIDH is fine. All known attacks are exponential in n^(1/2+o(1)), and the question is simply how big the o(1) is. For CSIDH-512 in particular, the new paper is claiming a total of 2^56 qubit operations, but this is under very optimistic assumptions for the attacker.
2019.06.19 00:20:37 (1141108481451278337) from "Chris Peikert (@ChrisPeikert)":
The paper does not claim a total of 2^56 qubit operations.
2019.06.19 00:40:14 (1141113419443179520) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (1141108481451278337):
Claim made in the paper, under very optimistic assumptions, some of which are stated explicitly: "CSIDH-512 does not achieve the claimed 64 bits of quantum security." Next sentence of the paper: "A more prudent estimate would be closer to 40 + 16 = 56 bits of quantum security."
2019.06.19 01:44:01 (1141129470407053314) from "Chris Peikert (@ChrisPeikert)":
Glad you cleared up that it does not claim 2^56 total qubit operations.