Related-key attack
The key idea is to split the secret in two equal parts.
https://en.wikipedia.org/wiki/Related-key_attack
What is a related key?
https://crypto.stackexchange.com/questions/66868/what-is-a-related-key
Square-Root Attacks
https://www.di.ens.fr/~pnguyen/MPRI/MPRI2010_Squareroot.pdf
https://github.com/zcash/zcash/issues/4065#issuecomment-508740579
Menezes, Sarkar and Singh (http://eprint.iacr.org/2016/1102.pdf) show 2^110 is a conservative estimate for the size of the space of polynomials that needs to be scanned for smooth polynomials. However, for the case q=p^12 relevant for BN curves there is no currently published efficient method for scanning this space. (Checking each polynomial separately for smoothness would result in total running time larger than 2^128.) Thus, to the best of our knowledge the most efficient currently known fully described algorithm for breaking the curve Zcash is presently using is Pollard’s rho, which would run in time sqrt(q)~2^127. (Our thanks to Palash Sarkar and Shashank Singh for helping understand their result.)
Public-Key Cryptanalysis
https://pdfs.semanticscholar.org/494d/c674cf7a88c6ca1d34db4093ef8a3d752028.pdf
#Cryptography