2017.09.07 08:38:44 (905681723974975488) from Daniel J. Bernstein, replying to "Петър Дончев (@petar_donchev)" (905680533639897088):
Parallel rho is from the 1990s and is already taken into account in standard symmetric-crypto sizes. The new attack has _worse_ performance.
2017.09.07 08:20:25 (905677114384424960) from Daniel J. Bernstein:
Collisions: https://eprint.iacr.org/2017/847 says time N^0.4 using hardware N^0.2. But parallel rho is better: time N^0.35 using hardware N^0.15.
2017.09.07 08:34:00 (905680533639897088) from "Петър Дончев (@petar_donchev)":
Can you translate for laics - how bad would that be for popular symmetric crypto?