My understanding is that an elliptic curve $E$ over a finite field $\mathbf{F}_q$ has a bit security of $\sqrt{q}$ assuming Pollard rho or Baby-step giant-step. In this thread, it is explained that the field $\mathbf{F}_{2^{256}}$ has a bit security of $128$, but the field $\mathbf{F}_{2^{256^{2}}}$ supposedly only has a bit security of $\approx60$. I struggle to understand why this is.
Thank you for your time!
It is explained that the field $\mathbf{F}_{2^{256}}$ has a bit security of $128$
Actually, the reference was to an elliptic curve based on the field $\mathbf{F}_q$ (where $q \approx 2^{256}$)
but the field $\mathbf{F}_{2^{256^{2}}}$ supposedly only has a bit security of $\approx60$
That reference was to the multiplicative group in the finite field $\mathbf{F}_{q^2}$ (again, with $q \approx 2^{256}$)
These are two different thing; the first is an elliptic curve group, the second is the multiplicative group within a finite field, which has a lot more structure. In particular, there are various attacks that use this structure (such as sieving methods) that apply to the second case that don't apply to the first case (assuming, of course, that the embedding degree in the first case is large)
