It is generally thought that bitcoin has 2^256 bit security and with the best algorithms (Pollard rho, Kangaroo) the search space can be lowered to about 2^128 bit.
But I disagree with that.
We have 2^256 bit security WITH a mod operator, and if we want to get rid of the mess and complexity of mod, then we are looking at 2^512 bit security level.
Getting rid of mod operator enables us to develop algorithms that are not based on brute force or statistics (like Pollard rho).
The best algorithm I can come up with starts with 2^512 bit security (without mod) which can be lowered all the way to about 2^128 bit with a clever algorithm. It is quite a big reduction but unfortunately still at the same level than with just using regular Pollard rho.
What I think makes bitcoin secure is not the curve itself, but the (damn) mod operator. Does anyone know how to get rid of the mod while still remaining at the 2^256 bit level?
But I disagree with that.
We have 2^256 bit security WITH a mod operator, and if we want to get rid of the mess and complexity of mod, then we are looking at 2^512 bit security level.
Getting rid of mod operator enables us to develop algorithms that are not based on brute force or statistics (like Pollard rho).
The best algorithm I can come up with starts with 2^512 bit security (without mod) which can be lowered all the way to about 2^128 bit with a clever algorithm. It is quite a big reduction but unfortunately still at the same level than with just using regular Pollard rho.
What I think makes bitcoin secure is not the curve itself, but the (damn) mod operator. Does anyone know how to get rid of the mod while still remaining at the 2^256 bit level?