Key Size Selection in Cryptography: A Cost-Based Analysis - Prof. Krzysztof Gaj, Study Guides, Projects, Research of Cryptography and System Security

This document discusses the importance of key size selection in cryptography and provides a cost-based analysis for symmetric, elliptic curve (EC), and RSA keys. It compares the computational requirements and time to break different key sizes for each cryptosystem. The document also introduces the concept of infeasible number of MIPS years (IMY) to determine key sizes that offer an acceptable level of security until a given year.


Uploaded on 02/10/2009

Key Sizes Selection in Cryptography and Security
Comparison between ECC and RSA
Project: ECE 543/646
Presented By: Vasant Patel
Submitted To: Dr. Kris Gaj
Fall 2000


Overview

1. Introduction
  • Why key size is important?
  • What affects the security requirement?
  • Equivalence of attack efforts
2. Classification of cryptography
  • Symmetric
  • Asymmetric
    o Traditional discrete log system
    o EC system
3. Security comparison between RSA and ECC
    o Mathematical problem of hardness
    o Efficiency comparison of ECC and RSA
    o ECC in constrained environment
4. Conclusion
5. References

1.2 What affects the security requirements?

It should be clear that key sizes must be tied to the real value of the data being protected from unauthorized access, and also to the expected lifetime of that data. It does not make sense for an opponent to spend ten million dollars breaking a key if recovering the key will net only ten thousand dollars. The same principle also applies to protecting other keys such as the master signature key of a CA, because obviously such a key is worth ten thousand dollars.

Moreover, if a key is used to protect data for only a day or a week, then there is no need to use a key that will take years to break.

Federal standards specify a minimum of 1024 bits for RSA, but there are many applications for which 768 bits is more than enough. We also know that signatures on contracts must remain secure for at least 30 years (unless they are time stamped and renewed occasionally). An application such as SSL requires about 1 day of security for a signature with a short-term session key, while some applications require several years. Military and intelligence data such as the identity of spies can have a lifetime of at least 100 years, but such data is not accessible to everyone on-line, nor is it protected by a public key cryptosystem.

1.3 Equivalence of attack efforts

For different cryptosystems there are different key size recommendations. These recommendations may be expected to be equivalent for a certain specified level of security, in the sense that the computational effort, or number of Mips Years, for a successful attack is more or less the same for all cryptosystems. So, different cryptosystems offer more or less equivalent security from a computational point of view when the recommended key sizes are used as per the guideline.

The term “computationally equivalent security” should not be confused with, and is not necessarily the same as, “equipment cost equivalent” security, or in other words “cost equivalent” security. We say that two systems offer cost equivalent security if obtaining the hardware that allows a successful attack in a certain fixed amount of time costs the same amount of dollars for both systems. Note that although the price is almost the same, the hardware required may be quite different for the two different kinds of attacks. For example, some attacks may use only PCs, while for other attacks it may be possible to get the required Mips Years by using special-purpose hardware. This paper will discuss both kinds of security: “computationally equivalent security” and “cost equivalent security”.

2. Classification of cryptography

In this paper, I will talk about symmetric-key (or secret-key) and asymmetric-key (or public-key) cryptosystems. Such systems can be used to accomplish four important things: confidentiality, integrity, authenticity, and non-repudiation of electronic information during communication. Assume that two parties are involved in communication, a sender S and a receiver R, and that both of them want to maintain the secrecy of the communication from S to R.

2.1. Symmetric key cryptosystems

Explanation: - In symmetric key cryptosystems a key is shared by S and R. To maintain privacy the key should be kept secret. The size of the key, i.e., its number of bits, depends on the symmetric key cryptosystem. Both the message and its encryption consist of a whole number of blocks; a block consists of a fixed number of bits that depends on the symmetric key cryptosystem. Right now the best-known symmetric key cryptosystem is the Data Encryption Standard (DES), introduced in 1977, with key size 56 bits and block size 64 bits. There are other examples of symmetric key cryptosystems:

  • Triple DES with two keys (key size 112, block size 64);
  • IDEA (key size 128, block size 64);
  • RC5 (variable key and block sizes);
  • Advanced Encryption Standard (AES), with key sizes of 128, 192, or 256 bits and block size 128.

Attacks: - No method has been published that breaks DES-encrypted messages significantly faster than exhaustive key search, i.e., by trying all of the 2^56 different keys. For exhaustive key search the expected number of trials is 2^55. In 1997, after an Internet search of approximately 4 months, a DES key was successfully retrieved by RSA (www.rsa.com/des). The expected computing power required for such a software exhaustive key search is estimated as 0.5 MMY (MMY = one million MIPS Years). This estimate is based on Pentium figures: a single DES block encryption requires 360 Pentium clock cycles with a fixed size key, or 500 Pentium clock cycles with a variable sized key. Half a million MIPS Years are roughly equal to 13, months on a PC, which is equivalent to 4 months on 3,500 PCs, because an exhaustive key search can be uniformly divided over any number of processors. Therefore, for a proper security analysis one has to estimate and keep track of the total computational power of the Internet.

A hardware attack is substantially faster than a software attack, at the cost of a one-time investment. A $20 million parallel DES key searching machine was proposed in 1977 with 12 hours of expected search time; in 1980 this was corrected to $50 million and 2 days; and with the 1993 design by M. Wiener, cost and expected search time were down to one million dollars and 3.5 hours. Finally, in 1998 a $130,000 machine was actually built with an expected search time of 112 hours.

By simply guessing there is always a possibility that someone may find a key. For any reasonable key size the probability that this happens is normally very small, for ex. for a 50-bit key there is a total probability of one in a million that key is found if one

Strong prime:

Let $p$ be a prime number, and let $|p|$ denote the length of $p$ in binary.

A prime $p$ is considered to be “strong” if it fulfills the conditions given below:

  • $p$ is a large prime.
  • The largest prime factor of $p - 1$, say $p^-$, is also large, i.e. $p = a^- p^- + 1$ for some integer $a^-$ and large prime $p^-$.
  • The largest prime factor of $p^- - 1$, say $p^{--}$, is also large, i.e. $p^- = a^{--} p^{--} + 1$ for some integer $a^{--}$ and large prime $p^{--}$.
  • The largest prime factor of $p + 1$, say $p^+$, is also large, i.e. $p = a^+ p^+ - 1$ for some integer $a^+$ and large prime $p^+$.

In the same way we can define the corresponding values $q^-$, $q^{--}$, $q^+$, $b^-$, $b^{--}$, and $b^+$ for the prime $q$.

Sometimes a prime is called strong if it satisfies only a subset of these conditions, as given below.

  • $p^-$ is strong if $p^-$ is large.
  • $p^{--}$ is strong if $p^{--}$ is large.
  • $p^+$ is strong if $p^+$ is large.
  • $(p^-, p^+)$ is strong if both $p^-$ and $p^+$ are large.
  • $(p^-, p^{--}, p^+)$ is strong if all of $p^-$, $p^{--}$, $p^+$ are large.

There are a few algorithms by which one can find strong primes (for ex. the Williams/Schmid algorithm and Gordon’s algorithm). We now discuss strong primes as a protection against factoring. The very first attack an opponent can mount against RSA is a factoring attack. To factor a natural number n is to produce a complete list of its prime factors. To split a given natural number n is to produce two other natural numbers whose product is n, neither of which is 1 or n. If n is a product of exactly two primes, then the notions of factoring n and splitting n are equivalent. In fact, most factoring algorithms are actually “splitting” algorithms. There are many algorithms available for factoring, and their efficiency depends on different things:

  • Algorithms whose running time depends on the size of n. (QFS and GNFS)
  • Algorithms whose running time depends on the size of p and the size of q. (Lenstra’s EC Method)
  • Algorithms whose running time depends on the size of $p^-$, $p^{--}$, $p^+$ or $q^-$, $q^{--}$, $q^+$. (Pollard rho’s p – 1 method, Cyclotomic polynomial p + 1 method)
  • Algorithms whose running time depends on the closeness of p and q. (Fermat’s method and Lehman’s method)

Rivest and Silverman concluded that “strong primes” offer only little protection beyond that offered by “random primes”. But there is no technical reason not to use strong primes if someone wants to use them (except the additional effort required to generate them) [4].

TDL description: - In a traditional discrete logarithm (TDL) system the public key consists of a finite field $F_p$ of size $p$, a generator $g$ of the multiplicative group $(F_p)^*$ of $F_p$, and an element $y$ of $(F_p)^*$ that is not equal to 1. We assume that the field size $p$ is such that $p - 1$ has a prime factor of roughly the same order of magnitude as $p$. The private key is the smallest positive integer $m$ such that $g^m = y$. This $m$ is referred to as the discrete logarithm of $y$ with respect to $g$. The private key $m$ is at least 1 and at most $p - 2$. If $m$ can somehow be found, the system can be broken. Thus, the security of TDL systems is based on the difficulty of computing discrete logarithms in the multiplicative group of a finite field. The size of a TDL key refers to the bit-length of the field size $p$. The actual number of bits required to store a TDL public key is larger, since the public key contains $g$ and $y$ as well.

Attacks: - Today the General Number Field Sieve (GNFS or just NFS) is the general purpose algorithm for either factoring large integers or solving an ordinary discrete logarithm problem. Its run time depends only on the size of the number being factored.

GNFS has two phases. In the first phase a sieving operation is performed to create a set of equations, which requires a considerable amount of memory. This phase also depends on how fast the machine can retrieve values from memory, add them together and put them back. That is why the size of memory and the internal speed of memory have a strong impact on the speed at which the sieve can operate. For a 512-bit key, 64 Mbytes per sieve machine is enough. However, if the key size increases, memory has to increase too. As shown below, the required memory scales with the square root of the run time.

In the past, as machines became faster, sieving speed did not keep pace with machine speed. The probable reason is that while CPUs were getting faster, internal memory speed and data caches were not keeping up with the CPU speed enhancement. But recent increases in cache size with each new generation of processor, and increases in the internal speed of memory, have solved this problem. Lenstra’s suggestion is based on processor improvement. But I think that we also have to consider the internal speed of memory.

Today’s 32-bit machines can address only up to 2 GB of user space. The time-space table shows that once the key size exceeds 710 bits, the memory required for the sieving operation cannot be addressed by a 32-bit computer. Even though 64-bit processors are available, it seems that 64-bit computers may not be widely usable as attack machines. There is one more question: whether the market will routinely demand machines that have multiple gigabytes of memory or not. Today there are many applications in the market which require multiple gigabytes of memory, for ex. servers, but usually they are not available as distributed machines, because they have very little idle time and are assigned to some dedicated task. They can contribute some CPU time, but that is not enough compared to the regular processing for which they are installed. So the question is, is it possible to have desktop

Thus,

  • 576 bits will take 10.9 times as long as RSA-512 and requires 3.3 times the memory.
  • 768 bits will take 6100 times as long as RSA-512 and requires 77 times the memory.
  • 1024 bits will take 7 million times as long as RSA-512 and requires 2650 times the memory.

Historical Factoring Records

| Year | Size | Number | Who | Method | Hardware |
|------|------|--------|-----|--------|----------|
| 1970 | 39 | 2^128 + 1 | Brillhart/Morrison | CFRAC | IBM mainframe |
| 1978 | 45 | 2^223 - 1 | Wunderlich | CFRAC | IBM mainframe |
| 1981 | 47 | 3^225 - 1 | Gerver | QS | HP-3000 |
| 1982 | 51 | 5^91 - 1 | Wagstaff | CFRAC | IBM mainframe |
| 1983 | 63 | 11^93 + 1 | Davis/Holdridge | QS | Cray |
| 1984 | 71 | 10^71 - 1 | Davis/Holdridge | QS | Cray |
| 1986 | 87 | 5^128 + 1 | Silverman | MPQS | LAN Sun-3’s |
| 1987 | 90 | 5^160 + 1 | Silverman | MPQS | LAN Sun-3’s |
| 1988 | 100 | 11^104 + 1 | Internet | MPQS | Distributed |
| 1990 | 111 | 2^484 + 1 | Lenstra/Manasse | MPQS | Distributed |
| 1991 | 116 | 10^142 + 1 | Lenstra/Manasse | MPQS | Distributed |
| 1992 | 129 | RSA-129 | Atkins | MPQS | Distributed |
| 1996 | 130 | RSA-130 | Montgomery | GNFS | Distributed |
| 1998 | 140 | RSA-140 | Montgomery | GNFS | Distributed |
| 1999 | 155 | RSA-155 | Montgomery | GNFS | Distributed |

[Figure: historical factoring records. Key Size (Decimal Digits), 0 to 200, versus Year, 1969 to 2004.]

The storage requirements of the NFS are proportional to √L[ n ]. The expected run time of the SNFS follows by replacing the 1.9229 in L[ n ] by 1.5262; thus, the SNFS is much faster than the NFS, but it cannot be used to attack RSA moduli.

These run time estimates cannot be used to estimate the number of operations required to factor n or to compute discrete logarithms in a certain Fp. For instance, for n and p of about the same size and in our current range of interest, L[n] and L[p] are approximately equal if the o(1)’s are omitted, but the discrete logarithm problem in Fp is considerably more difficult than factoring n. If factoring an RSA modulus n using NFS takes time t, then factoring some other RSA modulus m > n will take time close to t x L[m]/L[n], provided the difference between n and m is not too big. If m is much bigger than n, then the o(1) term can no longer be ignored, and t x L[m]/L[n] will be an overestimate of the time to factor m. The same method applies to the DLNFS.

The largest published factorization using the NFS is that of the 512-bit number RSA155, an RSA modulus of 155 decimal digits, in August of 1999. This factoring effort was estimated to cost at most 20 years on a PC with at least 64 Mbytes of memory (or a single day on 7500 PCs). This time was spent almost entirely on the sieving step. It is less than 10^4 Mips Years and corresponds to fewer than 3 x 10^17 operations, whereas L[10^155] = 2 x 10^19. This shows that L[n] overestimates the number of operations to be carried out for the factorization of n. The run time given here is the actual run time of the RSA155 factoring effort. The largest number factored using the SNFS is the 211-digit (and 698-bit) number, in April of 1999, in slightly more than 2000 Mips Years. These run times are only a fraction of the cost of a software DES key search, but the amount of memory needed by the NFS is larger than normal. Practical experience with the DLNFS is still limited.

For the most time consuming step of factoring algorithms, the sieving step, Adi Shamir recently proposed the TWINKLE opto-electronic sieving device to speed up this step. For any special-purpose hardware factoring device it is difficult to achieve parallelization at a reasonable cost, but it may not be impossible. Given the current state of the art it is to be considered that special-purpose hardware will have an obvious impact on the security of RSA moduli. But we should not totally depend on the belief that special-purpose hardware attacks on RSA are impossible. To illustrate this, the quadratic sieve factoring method was implemented successfully on a Single-Instruction-Multiple-Data architecture. A SIMD machine is one kind of special-purpose hardware. It could be relatively cheap compared to ordinary PCs. Clearly, to obtain any security at all, key sizes for classical asymmetric systems have to be larger than 512 (where 512 is the size of the ‘broken’ RSA modulus RSA155). So, classical asymmetric systems appear to be more secure than symmetric key cryptosystems from this point of view.

The Elliptic Curve Method (ECM) can also attack RSA. This method produces a factor with significantly higher probability after a relatively small amount of work than simple guesswork does. For example, if one billion people were to attack a 512-bit RSA modulus, each by running the ECM for just one hour on their PC during idle time, then the probability that one of them would factor the modulus is more than 10%. For a 768-bit RSA modulus the probability of success of the same computational effort is about one in a million. Now, this is a very low success probability after putting a remarkable effort but

group operation can be reduced. As mentioned before, we assume that p and q are close to each other in size. Then the cost of the group operation is proportional to $(\log_2 q)^2$. Related information can be found on the Internet [11]. From the estimates given on the Internet it can be derived that for a 109-bit EC system with p = 2^109 an attack should take at least 18,000 years on a single PC (or, put another way, one year on 18,000 PCs), which is about 8 MMY. This computation is feasible on a large network of computers such as the Internet. Certicom states that an attack on a 109-bit EC system with a prime p of about 109 bits should take about 2.2 MMY. This estimate is based on primes of a special form.

In 1996 Wiener proposed an attack based on a special-purpose hardware design that achieves 25 million parallel operations against a 120-bit EC system with p = 2^155; about 330,000 special-purpose processor chips were used, each of them running 75 Pollard rho processes independently of each other. At that time the expected cost was $ million and the process required more than a month (about 32 days) to complete. The time to break a k-bit elliptic curve is 32 x SQRT(2^(k-120)) days with one such machine. The designers of this machine also stated that it could do a better job if it were designed with current silicon technology to optimize performance, so that the machine could become 50 times faster and could therefore break the given key in about 12 hours instead of 32 days. Certicom mentions that 131-bit EC systems are expected to be infeasible to break with realistic software and hardware attacks. If anyone selects an EC key size larger than 112 bits, then simply guessing the private key requires guessing among all possible combinations of at least 112 bits, which is infeasible for anyone. The probability of finding the right key is x^2 after doing some fraction x of the expected 0.88√q group operations in Pollard’s rho attack against SDL systems. The estimated number of iterations required is √2 times smaller than the estimated number of iterations required for SDL systems. We cannot assume that there will be no cryptanalytic progress in the coming years, because researchers and cryptanalysts are producing cryptanalytic results on EC systems continuously. To this point, most of these results have affected only some special cases.

Some convention used during runtime environment

For the cost based analysis we assume that a Pentium III processor at 500 MHz can be obtained for $100 and that memory costs $0.50 per megabyte. These assumptions are slightly optimistic given current costs, but making this choice produces key size estimates. In the next section we present key sizes that are equivalent for RSA, elliptic curve and symmetric key systems using cost based analysis.

  • Key Size Equivalencies based on Cost

We take Wiener’s elliptic curve breaking machine for a 120-bit sub field as the data point to construct the table. If someone wants to use 112 bits, then this problem is $\sqrt{2^8}$, or 16, times easier. It seems that such a machine can break 112-bit EC keys in about 45 minutes.

Based on the latest technology, we can expect that today’s machine can be built 100 times faster than Wiener’s DES machine. Hence we can safely assume that one can build a machine for 10 million dollars which can break DES in just 0.03 hours, or around 100 seconds. In a purely computational model, the number of arithmetic operations required to break a 56-bit DES key is almost the same as the number required to break an EC key of twice the size of DES (i.e. 112 bits). However, Wiener’s 56-bit DES cracking machine appears to be faster than his equivalent 112-bit EC cracking machine. We assume that 56-bit DES can be broken in just about 5 minutes with appropriate hardware, and that this is equivalent to 112-bit EC.

For the sieving operation, Shamir’s TWINKLE device seems very effective for RSA keys in the range from 512 bits to 700 bits, and even for 1024-bit keys too. We also assume a software-only attack using PCs for sieving and tightly coupled PCs for linear algebra. We assume 500 MIPS machines, and the total number of such machines available for ten million dollars is

$$10^{7} / (100 + 0.05 \times \text{Memory required in bytes})$$

Here, the term $(100 + 0.05 \times \text{Memory required in bytes})$ represents a per machine cost of $100 for the processor plus the cost of memory. The required amount of memory is assumed to be

$$64 \text{ Mbytes} \times \sqrt{L(2^{\text{keysize}}) / L(2^{512})}$$

(because 64 Mbytes are required for RSA-512).

We assume that the total amount of memory across the sieve machines is enough to hold the matrix. Hence if we have F dollars to spend on hardware, and time T (in months) for an attack, then we have this formula:

$$\frac{L(n)}{L(2^{512})} = \frac{(T/2) \times F}{300 \times \left(100 + 0.5 \times \sqrt{L(n)/L(2^{512})} \times 64\right)}$$

This formula reflects that RSA-512 took 2 months on 300 PCs, each with 64 Mbytes of memory. That is why we divide T by 2 in the numerator and multiply by 300 and 64 in the denominator. In the real world, there would be an extra cost for the fast interconnection network that tightly coupled machines need to do the matrix operation.
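The scaling figures quoted earlier (576, 768 and 1024 bits relative to RSA-512, and the 710-bit limit for 2 GB of sieve memory) and the cost formula above can be reproduced numerically. The following Python sketch is an added example, not code from the original paper; it assumes the standard NFS heuristic L[n] = exp(1.9229 (ln n)^(1/3) (ln ln n)^(2/3)) with o(1) omitted, memory growing as the square root of run time, and the $0.50 per Mbyte price from the conventions above. All function names are illustrative.

```python
import math

# Data point and prices taken from the text; function names are illustrative.
NFS_C = 1.9229             # constant in L[n] quoted in the text
BASE_BITS = 512            # RSA-512 (RSA155) is the reference factorization
BASE_PCS = 300             # PCs used for RSA-512
BASE_MONTHS = 2.0          # elapsed time for RSA-512
BASE_MEM_MB = 64.0         # sieve memory per PC for RSA-512
CPU_DOLLARS = 100.0        # assumed price of one processor
MEM_DOLLARS_PER_MB = 0.50  # assumed price of memory


def log_L(bits):
    """ln L[2^bits] = 1.9229 (ln n)^(1/3) (ln ln n)^(2/3), o(1) omitted."""
    ln_n = bits * math.log(2)
    return NFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def time_ratio(bits):
    """NFS run time relative to RSA-512: L(2^bits) / L(2^512)."""
    return math.exp(log_L(bits) - log_L(BASE_BITS))


def memory_ratio(bits):
    """Sieve memory relative to RSA-512: square root of the time ratio."""
    return math.sqrt(time_ratio(bits))


def _bisect(f, target, lo, hi, steps=200):
    """Solve f(x) = target for an increasing function f on [lo, hi]."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if f(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def bits_for_ratio(ratio):
    """Key size whose NFS run time is `ratio` times that of RSA-512."""
    if ratio <= 0:
        raise ValueError("ratio must be positive")
    return _bisect(log_L, log_L(BASE_BITS) + math.log(ratio), 64, 16384)


def bits_at_sieve_memory(mem_mb):
    """Key size at which one sieve machine needs `mem_mb` Mbytes."""
    return bits_for_ratio((mem_mb / BASE_MEM_MB) ** 2)


def breakable_bits(budget_dollars, months):
    """Solve the cost formula for the key size reachable with F and T."""
    if budget_dollars <= 0 or months <= 0:
        raise ValueError("budget and time must be positive")
    work = (months / BASE_MONTHS) * budget_dollars      # (T/2) x F

    def cost(r):
        # r x 300 x (100 + 0.5 x sqrt(r) x 64), with r = L(n)/L(2^512)
        per_pc = CPU_DOLLARS + MEM_DOLLARS_PER_MB * BASE_MEM_MB * math.sqrt(r)
        return BASE_PCS * per_pc * r

    hi = 1.0
    while cost(hi) < work:
        hi *= 2
    return bits_for_ratio(_bisect(cost, work, 0.0, hi))


if __name__ == "__main__":
    for bits in (576, 768, 1024):
        print(f"{bits} bits: {time_ratio(bits):.3g} x time, "
              f"{memory_ratio(bits):.3g} x memory of RSA-512")
    print(f"2 GB sieve memory reached at {bits_at_sieve_memory(2048):.0f} bits")
    for months in (1, 12, 120):
        print(f"$10M, {months} months: "
              f"{breakable_bits(1e7, months):.0f}-bit modulus")
```

Because the o(1) term is dropped, the output is only meaningful for key sizes not too far from 512 bits, as the text notes for the t x L[m]/L[n] extrapolation.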

The key sizes given in the table below assume that we have 10 million dollars for computer hardware, and that the EC key size should be twice the symmetric key size.

For classical cryptosystems we use L[n] of the NFS (omitting the o(1) part) and other factors. It follows that if the classical cryptosystem key size k is chosen such that

$$\frac{L(2^{k})}{\mathrm{IMY}(y) \times 2^{12(y - 1999)/r}} \ge \frac{L(2^{512})}{10^{4}}$$

then the security offered by the classical cryptosystem until year y is at least computationally equivalent to the security offered by DES in year s. If the classical cryptosystem key size k’ is chosen such that

$$\frac{L(2^{k'})}{\mathrm{IMY}(y) \times 2^{12(y - 1999)/r}} \ge \frac{L(2^{512})}{10^{4} \times 24 \times P}$$

then the security offered by the classical cryptosystem until year y is at least cost equivalent to the security offered by DES in year s.

Lenstra created a table based on this approach and some other considerations [1].

Computationally equivalent security (Lenstra and Verheul)

| Year | Symmetric Key Size | Classical Asymmetric Key Size | Subgroup DL Key Size | Elliptic Curve Key Size (C = 0) | Elliptic Curve Key Size (C = ) | Number of MIPS Years |
|------|----|------|-----|-----|------|--------|
| 1982 | 56 | 417 | 102 | 105 | 417 | 1.11 x |
| 1983 | 57 | 440 | 103 | 107 | 440 | 1.89 x |
| 1984 | 58 | 463 | 105 | 108 | 463 | 3.22 x |
| 1985 | 59 | 488 | 106 | 110 | 488 | 5.47 x |
| 1986 | 60 | 513 | 107 | 111 | 513 | 9.31 x |
| 1987 | 60 | 539 | 108 | 113 | 539 | 1.58 x |
| 1988 | 61 | 566 | 109 | 114 | 566 | 2.69 x |
| 1989 | 62 | 594 | 111 | 116 | 594 | 4.58 x |
| 1990 | 63 | 622 | 112 | 117 | 622 | 7.80 x |
| 1991 | 63 | 652 | 113 | 119 | 652 | 1.33 x |
| 1992 | 64 | 682 | 114 | 120 | 682 | 2.26 x |
| 1993 | 65 | 713 | 116 | 121 | 713 | 3.84 x |
| 1994 | 66 | 744 | 117 | 123 | 744 | 6.53 x |
| 1995 | 66 | 777 | 118 | 124 | 777 | 1.11 x |
| 1996 | 67 | 810 | 120 | 126 | 810 | 1.89 x |
| 1997 | 68 | 844 | 121 | 127 | 844 | 3.22 x |
| 1998 | 69 | 879 | 122 | 129 | 879 | 5.48 x |
| 1999 | 70 | 915 | 123 | 130 | 915 | 9.31 x |
| 2000 | 70 | 952 | 125 | 132 | 952 | 1.58 x |
| 2001 | 71 | 990 | 126 | 133 | 990 | 2.70 x |
| 2002 | 72 | 1028 | 127 | 135 | 1028 | 4.59 x |
| 2003 | 73 | 1068 | 129 | 136 | 1068 | 7.80 x |
| 2004 | 73 | 1108 | 130 | 138 | 1108 | 1.33 x |
| 2005 | 74 | 1149 | 131 | 139 | 1149 | 2.26 x |
| 2006 | 75 | 1191 | 133 | 141 | 1191 | 3.84 x |
| 2007 | 76 | 1235 | 134 | 142 | 1235 | 6.54 x |
| 2008 | 76 | 1279 | 135 | 144 | 1279 | 1.11 x |
| 2009 | 77 | 1323 | 137 | 145 | 1323 | 1.89 x |
| 2010 | 78 | 1369 | 138 | 146 | 1369 | 3.22 x |
| 2011 | 79 | 1416 | 139 | 148 | 1416 | 5.48 x |
| 2012 | 80 | 1464 | 141 | 149 | 1464 | 9.32 x |
| 2013 | 80 | 1513 | 142 | 151 | 1513 | 1.59 x |
| 2014 | 81 | 1562 | 143 | 152 | 1562 | 2.70 x |
| 2015 | 82 | 1613 | 145 | 154 | 1613 | 4.59 x |
| 2016 | 83 | 1664 | 146 | 155 | 1664 | 7.81 x |
| 2017 | 83 | 1717 | 147 | 157 | 1717 | 1.33 x |
| 2018 | 84 | 1771 | 149 | 158 | 1771 | 2.26 x |
| 2019 | 85 | 1825 | 150 | 160 | 1825 | 3.85 x |
| 2020 | 86 | 1881 | 151 | 161 | 1881 | 6.54 x |
| 2021 | 86 | 1937 | 153 | 163 | 1937 | 1.11 x |

RAM Required for NFS

| Key Size in Bits | Sieve Memory | Matrix Memory |
|------|-------------|-------------|
| 332 | 24 Mbytes | 128 Mbytes |
| 428 | 64 Mbytes | 2 Gbytes |
| 512 | 160 Mbytes | 20 Gbytes |
| 1024 | ~256 Gbytes | ~100 Gbytes |

[Figure: Progress. Key Sizes in Bits, 90 to 170, versus Years, 1982 to 2021.]

Figure 1. For SDL and EC systems, suggested lower bounds for key sizes

As we can see from Figure 1, the gap between the recommended SDL and EC key sizes broadens slowly. This is because of the fast growing size of the underlying finite fields in SDL, which slows down the finite field operations necessary to mount an attack using Pollard’s rho method.

3. COMPARING THE SECURITY OF ECC AND RSA

The following are some thoughts on the security and efficiencies of ECC as compared with RSA.

3.1. Hardness of Mathematical Problems

Today the security of the three primary public-key systems depends on the intractability of the integer factorization problem (IFP) for RSA systems, the discrete logarithm problem (DLP) for discrete log (DL) systems, and the elliptic curve discrete logarithm problem (ECDLP) for ECC. RSA and DL systems were invented in the late 1970's, and ECC was invented in 1985.

We do not have proof of whether any of these three mathematical problems is really hard or not. We can expect that we may have such a proof in the next few years. So what we can do is depend on the hard work and experience of mathematicians and computer scientists who expend incredible amounts of work trying to develop efficient algorithms for these three problems. To date, the best algorithms known for the integer factorization problem (IFP) and discrete log problem (DLP) are far superior to the best algorithm known for the elliptic curve discrete logarithm problem (ECDLP). For this reason, one can use considerably smaller parameters for ECC than for RSA, while accomplishing the same level of security against known attacks.

So what can we say about the future? Will someone be able to find more efficient algorithms to solve any of these three problems, hence rendering the respective public-key systems insecure? The answer is "we don't know yet". We have to learn from whatever happened in the past, and use that to stay alert and be more successful in the future.

We can also consider the study period: how well a problem has been studied and for how long. This measure can be misleading. Supporters of RSA often claim that the integer factorization problem (IFP) has been studied for centuries, whereas the ECDLP has only been studied for the last 15 years. On the one hand, serious work on factoring really originated in the late 1970’s and was primarily motivated by the invention of RSA. On the other hand, since the late 1970's all of the work that has been done on the DLP is directly applicable to the ECDLP (such as the Pollard-rho algorithms, etc.). Putting these two observations together, one can conclude that both the IFP and the ECDLP have been seriously studied for around the same length of time.

Certicom stated, "Elliptic curves have been studied extensively for the past 150 years as algebraic/geometric entities". This statement is to assure non-technical people that elliptic curves themselves are not some recent invention by Certicom.

So, do we have any strong reason to believe that the ECDLP is fundamentally more difficult than the IFP?