2015年5月7日 · The real question isn't "Why doesn't Suite B use P-521?" It is, "Why doesn't Suite B use AES-192?" NSA were only interested in 192-bit security for Suite B, but they chose to use AES-256 because AES-192 wasn't widely supported.

2023年3月27日 · For most elliptic curves in general use, the security level in bits is approximately half the number of bits in the curve. Thus, X25519 and P256 provide about 128-bit security, P384 provides 192-bit security, X448 provides 224-bit security, and …

$\begingroup$ In contrast to, say, edwards448, E-521 is overkill, which is why the CFRG adopted edwards448 and not E-521 for RFC 7748: edwards448 obtains a much higher security level than edwards25519—so much higher than an already high 128-bit security level for edwards25519 that it would take a cryptanalytic breakthrough for the difference to have any meaning whatsoever—and much higher ...

2020年9月30日 · Stack Exchange Network. Stack Exchange network consists of 183 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

2022年12月31日 · $\begingroup$ It means the overall run time is for one day. The physical qubits used will be initialised and measured at different stages (and will only need to be coherent between initialisation and measurement), but I think (surface code afficiandos will know for sure) that some will need to be coherent for the duration. $\endgroup$

2018年4月30日 · The problem is that the signature algorithm for the key exchange seems to be ECDSA-P521-SHA512. (Firefox reports "Signature Scheme: ECDSA-P521-SHA512" in the developer tools, and Wireshark confirms that the Server Key Exchange record is signed using "Signature Algorithm" 0x0603 ecdsa_secp521r1_sha512).

2013年7月22日 · Signatures make sense only if there is a verifier somewhere, and the verifier uses the public key, which is public.

2020年4月14日 · 521-bit ECC keys are the same strength as RSA 15,360-bit keys. Yes, this is the common wisdom. If you look through the tables at keylength.com you will find that a rough 256-bit security level is usually equated to 512-bit or longer ECC keys and 15360-bit RSA keys.

2018年12月3日 · At www.keylength.com, I found the following table of ECC field size and the corresponding RSA modulus recommended by NIST. ECC Modulus RSA Prime Size 160 1024 224 2048 ...

2017年7月14日 · My understanding of ECDSA signature length is that it depends on the key size. So for instance, if a "prime256v1" is used, the signature length will be 64 because (n/8)*2 and for "secp384r1" it wil...