The cr.yp.to microblog: 2020.07.30 06:37:15

2020.07.30 06:37:15 (1288695126752022529) from Daniel J. Bernstein, replying to "Nadim Kobeissi (@nadim@symbolic.software) (@kaepora)" = "Nadim Kobeissi (@kaepora)" (1288689833632829440):

No, it isn't normal. Measured by asymptotic pre-quantum security levels, McEliece/ECDLP/AES are exactly as strong today against known attacks as they were at the time of their introduction in the 1970s/1980s/1990s. (Of course quantum computers break ECDLP and speed up searches.)

2020.07.30 06:43:40 (1288696738782445570) from Daniel J. Bernstein:

FFDH is a different case, I agree, and also instructive: its structure led to more and more complicated attacks reducing the security more and more. L(1/2) security conjecture was broken in the 1990s. L(1/3) security conjecture was broken in the 2010s for small characteristic.