> > As a side result, this shows that it now costs less than 100k USD to
> > break cryptography with a security level of 64 bits (i.e. to compute
> > 264 operations of symmetric cryptography).

Just to clarify:

    As a stopgap measure, the collision-detection library of Stevens and Shumow [SS17]
    can be used to detect attack attempts (it successfully detects our attack).

At the end of section 7.0,

Cheers
-Santiago