
The "Supersingular Isogeny Key Encapsulation" proposal submitted to PQC-NIST (PDF) defines the value $n$ to be from the set $\{192,256,320\}$ (see point 1.4). Does anybody have an idea what it corresponds to exactly? Can I use, let's say, P751 with all 3 values of $n$?

I know that the reference implementation uses 32 bytes for P751, but I would like to understand what motivates the choice of those values.

1 Answer


I am the principal submitter for the SIKE proposal.

The reference implementation uses 24, 32, and 40 bytes for SIKEp503, SIKEp751, and SIKEp964 respectively. The motivation for these values comes from Theorem 1 in Section 4.3.3. In each case we start with $n$ equal to the desired security level of the corresponding parameter set (128, 192, and 256 bits respectively) and add an extra 64 bits to allow for up to $2^{64}$ random oracle queries.

Sorry if any of the above was not clearly stated in the specification.

djao