The microblog: 2019.06.25 11:46:22

2019.06.25 11:46:22 (1143455385023438848) from Daniel J. Bernstein:

Brier, Ferradi, Joye, Naccache in claim 2^256 security for factoring p^29 q where p and q each have 512 bits. ECM easily breaks this. The claim seems to start from saying 512-bit primes, but that's for group sizes in Schnorr etc.

2019.06.25 19:28:19 (1143571639008931840) from Daniel J. Bernstein:

After the same talk, Dan Boneh commented that the factoring algorithm from should be even faster than ECM here. I wonder which of these attacks is a bigger constraint if one is trying to increase the size of p^29 q to reach 2^256 security.
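An added back-of-envelope check of the ECM point in the two posts above (not code from the posts): it evaluates the standard heuristic ECM cost exp(sqrt(2 ln p ln ln p)) with the o(1) term dropped, counting curve operations and ignoring the cost of arithmetic modulo p^29 q. Function names are illustrative assumptions, and the other factoring algorithm mentioned in the second post is not modelled.

```python
import math


def ecm_log2_cost(prime_bits):
    """log2 of the heuristic ECM cost exp(sqrt(2 ln p ln ln p)).

    The cost depends on the size of the prime factor being found (p),
    not on the size of the modulus. The o(1) term is dropped (assumption).
    """
    ln_p = prime_bits * math.log(2)
    return math.sqrt(2 * ln_p * math.log(ln_p)) / math.log(2)


def min_prime_bits(target_log2, lo=16, hi=1 << 20):
    """Smallest prime size in bits whose heuristic ECM cost reaches 2^target_log2.

    ecm_log2_cost is increasing on [lo, hi], so a binary search suffices.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if ecm_log2_cost(mid) >= target_log2:
            hi = mid
        else:
            lo = mid + 1
    return lo


def modulus_bits(prime_bits, exponent=29):
    """Approximate size of p^exponent * q when p and q both have prime_bits bits."""
    return (exponent + 1) * prime_bits


if __name__ == "__main__":
    # Parameters from the post: p and q of 512 bits each, modulus p^29 q.
    print("modulus size (bits):", modulus_bits(512))
    print("ECM cost for 512-bit p: 2^%.1f" % ecm_log2_cost(512))

    # Sizing question from the second post, for the ECM constraint only.
    need = min_prime_bits(256)
    print("prime bits for 2^256 ECM cost:", need)
    print("resulting p^29 q size (bits):", modulus_bits(need))
```

Under this estimate a 512-bit p costs roughly 2^93 curve operations, and reaching 2^256 against ECM alone needs p of about 2,980 bits, which puts p^29 q near 89,000 bits.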