This document discusses the importance of key size selection in cryptography and provides a cost-based analysis for symmetric, elliptic curve (EC), and RSA keys. It compares the computational requirements and the time to break different key sizes for each cryptosystem, and introduces the concept of an infeasible number of MIPS years (IMY) to determine key sizes that offer an acceptable level of security until a given year.
Project: ECE 543 / Presented by: Vasant Patel / Submitted to: Dr. Kris Gaj / Fall 2000
1. Introduction
   - Why key size is important?
   - What affects the security requirement?
   - Equivalence of attack efforts
   o Mathematical problem of hardness
   o Efficiency comparison of ECC and RSA
   o ECC in constrained environment
4. Conclusion
1.2 What affects the security requirements?
It should be clear that key sizes must be tied to the real value of the data being protected from unauthorized access, and also to the expected lifetime of that data. It makes no sense for an opponent to spend ten million dollars breaking a key if recovering the key will only yield a net ten thousand dollars. The same principle applies to protecting other keys, such as the master signature key of a CA, because such a key is obviously worth well over ten thousand dollars.
Similarly, if the key is used to protect data for only a day or a week, there is no need to use a key that would take years to break.
The federal standard specifies a minimum of 1024 bits for RSA, but there are many applications for which 768 bits is more than enough. We also know that signatures on contracts must remain secure for at least 30 years or more (unless they are time-stamped and renewed occasionally). An application such as SSL requires about one day of security for a signature with a short-term session key, while some applications require several years. Military and intelligence data, such as the identities of spies, can have a lifetime of at least 100 years, but such data is neither accessible to everyone on-line nor protected by a public-key cryptosystem.
1.3 Equivalence of attack efforts
Different cryptosystems come with different key size recommendations. These recommendations may be expected to be equivalent for a certain specified level of security, in the sense that the computational effort, or number of MIPS years, for a successful attack is more or less the same for all cryptosystems. So, when the recommended key sizes are used as per the guidelines, different cryptosystems offer more or less equivalent security from a computational point of view.
The term "computationally equivalent security" should not be confused with, and is not necessarily the same as, "equipment cost equivalent" security, or in other words "cost equivalent" security. What we mean here is that two systems offer cost equivalent security if obtaining the hardware that allows a successful attack in a certain fixed amount of time costs the same number of dollars for both systems. Note that while the price is almost the same, the hardware required may be quite different for the two kinds of attack. For example, some attacks may use only PCs, while for other attacks it may be possible to get the required MIPS years by using special-purpose hardware. This paper will discuss both kinds of security: "computationally equivalent security" and "cost equivalent security".
In this paper, I will discuss symmetric-key (or secret-key) and asymmetric-key (or public-key) cryptosystems. Such systems can be used to accomplish four important things: confidentiality, integrity, authenticity, and non-repudiation of electronic information during communication. Here we assume that the two parties involved in the communication, a sender S and a receiver R, both want to maintain the secrecy of the communication from S to R.
2.1. Symmetric key cryptosystems
Explanation: - In symmetric key cryptosystems a key is shared by S and R. To maintain privacy the key must be kept secret. The size of the key, i.e., its number of bits, depends on the symmetric key cryptosystem. Both the message and its encryption consist of a whole number of blocks; a block consists of a fixed number of bits that depends on the symmetric key cryptosystem. Right now the best-known symmetric key cryptosystem is the Data Encryption Standard (DES), introduced in 1977, with a key size of 56 bits and a block size of 64 bits. There are other examples of symmetric key cryptosystems:
Attacks: - No method has been published that breaks DES-encrypted messages significantly faster than exhaustive key search, i.e., by trying all of the 2^56 different keys. For exhaustive key search the expected number of trials is 2^55. In 1997, after an Internet search of approximately 4 months, a DES key was successfully retrieved by RSA (www.rsa.com/des). The computing power required for such a software exhaustive key search is estimated at 0.5 MMY (MMY = one million MIPS years); this estimate is based on Pentium figures, according to which a single DES block encryption requires 360 Pentium clock cycles with a fixed-size key or 500 Pentium clock cycles with a variable-size key. Half a million MIPS years are roughly equal to 13,000 months on a PC, which is equivalent to 4 months on 3,500 PCs, because an exhaustive key search can be divided uniformly over any number of processors. Therefore, for a proper security analysis one has to estimate and keep track of the total computational power of the Internet.
A hardware attack is substantially faster than a software attack, for the cost of a one-time investment. A $20 million parallel DES key searching machine was proposed in 1977 with an expected search time of 12 hours; in 1980 this was corrected to $50 million and 2 days; and in 1993 M. Wiener's design brought the cost and expected time down to one million dollars and 3.5 hours of key search time. Finally, in 1998 a $130,000 machine was actually built with an expected search time of 112 hours.
There is always a possibility that someone finds a key simply by guessing. For any reasonable key size the probability of this happening is normally very small; for example, for a 50-bit key there is a total probability of one in a million that the key is found if one
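The following worked calculation is an added example, not code from the original paper. It turns the exhaustive-search figures above (2^55 expected trials, 360 or 500 Pentium cycles per DES encryption, the 0.5 MMY estimate, the 3,500-PC split, and the hardware designs listed) into a small estimator a defender can use to judge the security margin of a symmetric key size. The definition of a MIPS year as 10^6 instructions per second sustained for one year, the choice to count one clock cycle as one instruction, and the 500 MIPS PC speed are assumptions of this example, not figures from the page.

```python
import math

# Figures taken from the page: DES uses 56-bit keys, exhaustive search needs
# 2^55 trials on average, and one DES block encryption costs about 360 Pentium
# clock cycles with a fixed-size key or 500 cycles with a variable-size key.
DES_KEY_BITS = 56
CYCLES_PER_DES = {"fixed_key": 360, "variable_key": 500}

# Assumption (not stated on the page): one MIPS year is one million
# instructions per second sustained for one year, and one clock cycle is
# counted as one instruction so the result comes out in the page's units.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
OPS_PER_MIPS_YEAR = 1e6 * SECONDS_PER_YEAR

# Hardware DES key-search designs listed on the page
# (label, cost in dollars, expected search time in hours).
HARDWARE_DESIGNS = [
    ("1977 proposal", 20e6, 12),
    ("1980 correction", 50e6, 48),
    ("1993 Wiener design", 1e6, 3.5),
    ("1998 machine actually built", 130e3, 112),
]


def expected_trials(key_bits):
    """Expected number of keys tried before hitting the right one: half the key space."""
    return 2 ** (key_bits - 1)


def software_search_mips_years(key_bits=DES_KEY_BITS, cycles_per_trial=360):
    """Expected cost of a software exhaustive key search, in MIPS years."""
    return expected_trials(key_bits) * cycles_per_trial / OPS_PER_MIPS_YEAR


def months_on_pcs(mips_years, pc_mips=500, n_pcs=1):
    """Wall-clock months when the search is spread evenly over n_pcs machines of
    pc_mips MIPS each; the search parallelises perfectly, so time divides by
    the machine count."""
    pc_years = mips_years / pc_mips
    return pc_years * 12 / n_pcs


def guess_probability(key_bits, trials):
    """Probability that `trials` random guesses hit a uniformly random key."""
    return min(1.0, trials / 2 ** key_bits)


def dollar_hours(cost_dollars, expected_hours):
    """Crude price-times-time figure of merit for a hardware key-search machine:
    a smaller product means cheaper and/or faster key recovery."""
    return cost_dollars * expected_hours


def security_margin_report(key_bits, pc_mips=500, n_pcs=3500):
    """Summarise how long a software search of a key_bits-bit key takes on one PC
    and on a pool of n_pcs PCs, for both of the page's per-encryption cycle counts."""
    report = {}
    for label, cycles in CYCLES_PER_DES.items():
        my = software_search_mips_years(key_bits, cycles)
        report[label] = {
            "mips_years": my,
            "months_one_pc": months_on_pcs(my, pc_mips, 1),
            "months_pool": months_on_pcs(my, pc_mips, n_pcs),
        }
    return report


if __name__ == "__main__":
    for label, entry in security_margin_report(DES_KEY_BITS).items():
        print(f"{label}: {entry['mips_years'] / 1e6:.2f} MMY, "
              f"{entry['months_one_pc']:.0f} PC-months, "
              f"{entry['months_pool']:.1f} months on 3,500 PCs")
    print(f"0.5 MMY spread over 3,500 PCs: {months_on_pcs(0.5e6, 500, 3500):.1f} months")
    print(f"P(guess a 50-bit key in 1e9 tries) = {guess_probability(50, 1e9):.2e}")
    for name, cost, hours in HARDWARE_DESIGNS:
        print(f"{name}: ${cost:,.0f} x {hours} h = {dollar_hours(cost, hours):.2e} dollar-hours")
```

With 360 cycles per encryption the estimate lands at about 0.4 MMY and with 500 cycles at about 0.6 MMY, bracketing the page's 0.5 MMY; that 0.5 MMY split over 3,500 PCs of 500 MIPS gives about 3.4 months, and one billion guesses against a 50-bit key succeed with probability just under one in a million.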
Strong prime:
For this we take p to be a prime number, and let |p| denote the length of p in binary.
A prime p is considered "strong" if it fulfils the conditions given below:
In the same way we can define the corresponding values for the prime q: $q^-$, $q^{--}$, $q^+$, $b^-$, $b^{--}$, and $b^+$.
Sometimes a prime is called strong if it satisfies only a subset of these conditions.
There are a few algorithms by which one can find strong primes (for example the Williams/Schmid algorithm and Gordon's algorithm). Now we discuss strong primes as a protection against factoring. The very first attack an opponent can mount against RSA is a factoring attack. To factor a natural number n is to produce the complete list of its prime factors. To split a natural number n is to produce two other natural numbers whose product is n, neither of which is 1 or n. If n is a product of exactly two primes, then the notions of factoring n and splitting n are equivalent; in fact most factoring algorithms are actually "splitting" algorithms. There are many available algorithms for factoring, but the efficiency of these algorithms depends on many things; here are a few of them:
Rivest and Silverman concluded that "strong primes" offer only little protection beyond that offered by "random primes". But there is no technical reason not to use strong primes if someone wants to (except for the additional effort required to generate them) [4].
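The page's list of strong-prime conditions did not survive extraction, but one condition is standard and worth seeing in action: p - 1 must have a large prime factor, because otherwise Pollard's p - 1 method splits the modulus cheaply. The block below is an added example, not code from the paper or from the Williams/Schmid or Gordon algorithms it names. It implements Pollard's p - 1 and a check for the large-factor condition, then runs both on two constructed moduli: N_WEAK, where one prime has a smooth p - 1, and N_STRONG, where both primes are safe primes. All primes and moduli here are constructed for the example.

```python
from math import gcd, isqrt


def is_prime(n):
    """Deterministic trial division; adequate for the small constructed numbers here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def primes_up_to(bound):
    return [p for p in range(2, bound + 1) if is_prime(p)]


def largest_prime_factor(n):
    """Largest prime dividing n, by trial division."""
    largest, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            largest, n = d, n // d
        d += 1
    return max(largest, n) if n > 1 else largest


def pollard_p_minus_1(n, bound, base=2):
    """Pollard's p-1 method with smoothness bound `bound`.

    Raises `base` to M = product of all prime powers <= bound (mod n) and takes
    gcd(base^M - 1, n).  If a prime factor p of n has p-1 composed only of
    primes <= bound, then p-1 divides M, base^M = 1 (mod p) by Fermat, and the
    gcd reveals p.  Returns a nontrivial factor, or None when the bound does not
    cover the largest prime in p-1 for any factor p."""
    a = base % n
    for q in primes_up_to(bound):
        e = q
        while e * q <= bound:  # largest power of q not exceeding bound
            e *= q
        a = pow(a, e, n)
    g = gcd(a - 1, n)
    return g if 1 < g < n else None


def has_large_p_minus_1_factor(p, min_bits):
    """The strong-prime condition this method defends against: p-1 must contain a
    prime factor of at least min_bits bits (here measured in bits of the factor)."""
    return largest_prime_factor(p - 1).bit_length() >= min_bits


# Constructed sample primes (not from the page):
P_SMOOTH = 4621  # p - 1 = 4620 = 2^2 * 3 * 5 * 7 * 11: every prime factor is tiny
Q_SAFE = 2027    # q - 1 = 2 * 1013 with 1013 prime (a safe prime)
Q_SAFE2 = 2039   # q - 1 = 2 * 1019 with 1019 prime (a safe prime)
N_WEAK = P_SMOOTH * Q_SAFE    # one factor has a smooth p-1
N_STRONG = Q_SAFE * Q_SAFE2   # both factors have a large prime in p-1

if __name__ == "__main__":
    for name, n in (("N_WEAK", N_WEAK), ("N_STRONG", N_STRONG)):
        print(f"{name} = {n}: p-1 method with bound 100 finds {pollard_p_minus_1(n, bound=100)}")
    for p in (P_SMOOTH, Q_SAFE, Q_SAFE2):
        print(f"{p}: large prime in p-1? {has_large_p_minus_1_factor(p, min_bits=10)}")
```

On N_WEAK the method returns 4621 already with bound 11, because 4620 divides the product of prime powers up to 11; on N_STRONG it returns None for any bound below 1013, which is exactly the protection the large-factor condition buys. Rivest and Silverman's point stands alongside this: a random prime of realistic size has a large factor in p - 1 with overwhelming probability, so the condition mostly matters for keys generated carelessly or at toy sizes.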
TDL description: - In a traditional discrete logarithm (TDL) system the public key consists of a finite field $F_p$ of size p, a generator g of the multiplicative group $(F_p)^*$ of $F_p$, and an element y of $(F_p)^*$ that is not equal to 1. We assume that the field size p is such that p - 1 has a prime factor of roughly the same order of magnitude as p. The private key is the smallest positive integer m such that $g^m = y$. This m is referred to as the discrete logarithm of y with respect to g. The private key m is at least 1 and at most p - 2. If m can somehow be found, the system is broken. Thus, the security of TDL systems is based on the difficulty of computing discrete logarithms in the multiplicative group of a finite field. The size of a TDL key refers to the bit-length of the field size p. The actual number of bits required to store a TDL public key is larger, since the public key contains g and y as well.
Attacks: - Today the General Number Field Sieve (GNFS, or just NFS) is the general-purpose algorithm for either factoring large integers or solving an ordinary discrete logarithm problem. Its run time depends only on the size of the number being factored.
GNFS has two phases. In the first phase a sieving operation is performed, which requires a considerable amount of memory on the computer to create a set of equations. The speed of this phase also depends on how fast it can retrieve values from memory, add them together and put them back. That is why the size of memory and the internal speed of memory have a strong impact on the speed at which the sieve can operate. This phase needs a large memory: for a 512-bit key, 64 Mbytes per sieve machine is enough. However, as the key size increases, one has to increase the memory too. As shown below, the required memory scales with the square root of the time. In the past, as machines became faster, sieving speed did not keep pace with machine speed. The probable reason is that while CPUs were getting faster, internal memory speed and data cache were not keeping up with the CPU speed improvement. But the recent increase in cache size with each new generation of processors, together with increasing internal memory speed, has solved this problem. Lenstra's suggestion is based on processor improvement, but I think that we also have to consider the internal speed of memory. Today's 32-bit machines can address only up to 2 GB of user space. As the time-space table shows, once the key size exceeds about 710 bits, the memory required for the sieving operation can no longer be addressed by a 32-bit computer. Even though 64-bit processors are available, it seems that 64-bit computers may not be usable as a widely available attack machine. There is one more question: whether the market will routinely demand machines with multiple gigabytes of memory. Today there are many applications in the market which require multiple gigabytes of memory, for example servers, but usually these are not available as distributed machines, because they have very little idle time and are assigned to some dedicated task. They can contribute some CPU time, but that is not enough compared to the regular processing for which they are installed. So the question is, is it possible to have desktop
Thus:
- 576 bits will take 10.9 times as long as RSA-512 and requires 3.3 times the memory.
- 768 bits will take 6100 times as long as RSA-512 and requires 77 times the memory.
- 1024 bits will take 7 million times as long as RSA-512 and requires 2650 times the memory.
Historical Factoring Records
Year  Size (decimal digits)  Number      Who                 Method  Hardware
1970  39                     2^128 + 1   Brillhart/Morrison  CFRAC   IBM mainframe
1978  45                     2^223 - 1   Wunderlich          CFRAC   IBM mainframe
1981  47                     3^225 - 1   Gerver              QS      HP-3000
1982  51                     5^91 - 1    Wagstaff            CFRAC   IBM mainframe
1983  63                     11^93 + 1   Davis/Holdridge     QS      Cray
1984  71                     10^71 - 1   Davis/Holdridge     QS      Cray
1986  87                     5^128 + 1   Silverman           MPQS    LAN of Sun-3's
1987  90                     5^160 + 1   Silverman           MPQS    LAN of Sun-3's
1988  100                    11^104 + 1  Internet            MPQS    Distributed
1990  111                    2^484 + 1   Lenstra/Manasse     MPQS    Distributed
1991  116                    10^142 + 1  Lenstra/Manasse     MPQS    Distributed
1992  129                    RSA-129     Atkins              MPQS    Distributed
1996  130                    RSA-130     Montgomery          GNFS    Distributed
1998  140                    RSA-140     Montgomery          GNFS    Distributed
1999  155                    RSA-155     Montgomery          GNFS    Distributed
[Figure: the factoring records above plotted as Key Size (Decimal Digits), 0 to 200, against Year, 1969 to 2004.]
The storage requirements of the NFS are proportional to $\sqrt{L[n]}$. The expected run time of the SNFS follows by replacing the 1.9229 in L[n] by 1.5262; thus the SNFS is much faster than the NFS, but it cannot be used to attack RSA moduli.
These run time estimates cannot be used to estimate the number of operations required to factor n or to compute discrete logarithms in a certain $F_p$. For instance, for n and p of about the same size and in our current range of interest, L[n] and L[p] are approximately equal if the o(1)'s are omitted, but the discrete logarithm problem in $F_p$ is considerably more difficult than factoring n. If factoring an RSA modulus n using the NFS takes time t, then factoring some other RSA modulus m > n will take time close to t × L[m]/L[n], as long as the difference between n and m is not too big. If m is much bigger than n, then the o(1) term can no longer be ignored, and t × L[m]/L[n] will be an overestimate of the time to factor m. The same method applies to the DLNFS. The largest published factorization using the NFS is the 512-bit number RSA155, an RSA modulus of 155 decimal digits, in August of 1999. This factoring effort was estimated to cost at most 20 years on a PC with at least 64 Mbytes of memory (or a single day on 7500 PCs). Almost all of this time was spent on the sieving step. It is less than 10^4 MIPS years and corresponds to fewer than 3 × 10^17 operations, whereas L[10^155] = 2 × 10^19. This shows that L[n] overestimates the number of operations to be carried out for the factorization of n. The run time given here is the actual run time of the RSA155 factoring effort. The largest number factored using the SNFS is a 211-digit (698-bit) number, in April of 1999, in slightly more than 2000 MIPS years. These run times are only a fraction of the cost of a software DES key search, but the amount of memory needed by the NFS is larger than normal. Practical experience with the DLNFS is still limited.
For the most time-consuming step of factoring algorithms, the sieving step, Adi Shamir recently proposed the TWINKLE opto-electronic sieving device to speed this step up. For any special-purpose hardware factoring device it is difficult to achieve parallelization at a reasonable cost, but it may not be impossible. Given the current state of the art, it is to be considered that special-purpose hardware will have an obvious impact on the security of RSA moduli, and we should not rely on the belief that special-purpose hardware attacks on RSA are impossible. To illustrate this, the quadratic sieve factoring method was implemented successfully on a Single-Instruction-Multiple-Data architecture. A SIMD machine is one kind of special-purpose hardware, and it could be relatively cheap compared to ordinary PCs. Clearly, to obtain any security at all, key sizes for classical asymmetric systems have to be larger than 512 bits (512 being the size of the 'broken' RSA modulus RSA155). So, from this point of view, classical asymmetric systems look to be more secure than symmetric key cryptosystems. The Elliptic Curve Method (ECM) can also attack RSA. This method produces a factor with significantly higher probability, after a relatively small amount of work, than simple guesswork does. For example, if one billion people were to attack a 512-bit RSA modulus, each by running the ECM for just one hour on their PC during idle time, then the probability that one of them would factor the modulus is more than 10%. For a 768-bit RSA modulus the probability of success of the same computational effort is about one in a million. Now, this is a very low success probability after a remarkable effort, but
group operation can be reduced. As mentioned before, p and q are assumed to be close to each other in size. Then the cost of the group operation is proportional to $(\log_2 q)^2$. Related information can be found on the Internet [11]. From the estimates given on the Internet one can derive that for a 109-bit EC system with $p = 2^{109}$ an attack should take at least about 18,000 years on a single PC (or, put another way, one year on 18,000 PCs), which is about 8 MMY. This computation is feasible on a large network of computers such as the Internet. Certicom states that an attack on a 109-bit EC system with a prime p of about 109 bits should take about 2.2 MMY; this estimate is based on primes of a special form.
In 1996 Wiener proposed an attack based on a special-purpose hardware design that achieves 25 million parallel operations against a 120-bit EC system with $p = 2^{155}$; about 330,000 special-purpose processor chips were used, each of them running 75 Pollard rho processes independently of the others. At that time the expected cost was $ million, and it would take more than a month (about 32 days) to complete the process. The time to break a k-bit elliptic curve with one such machine is $32 \times \sqrt{2^{k-120}}$ days. The designers of this machine also described that a machine designed in current silicon technology for optimized performance could become 50 times faster, and could therefore break a given key k in about 12 hours instead of 32 days. Certicom states that 131-bit EC systems are expected to be infeasible against realistic software and hardware attacks. If someone selects an EC key size larger than 112 bits, then simply guessing the private key requires guessing among all possible combinations of at least 112 bits, which is infeasible for anyone. The probability of finding the right key after doing a fraction x of the expected $0.88\sqrt{q}$ group operations in Pollard's rho attack against SDL systems is $x^2$. For EC systems the required estimated number of iterations is $\sqrt{2}$ times smaller than the estimated number required for SDL systems. We cannot assume that there will be no cryptanalytic progress in the coming years, because cryptanalytic results on EC systems are produced continuously by researchers and cryptanalysts. To this point, most of them have affected only some special cases.
Some conventions used for the runtime environment
Here, for the cost-based analysis, we assume that a Pentium III processor at 500 MHz can be obtained for $100 and that memory costs $0.50 per megabyte. These assumptions are slightly optimistic given current costs, but they are the choice used to produce the key size estimates. In the next section we present key sizes which are equivalent for RSA, elliptic curves and symmetric key systems using cost-based analysis.
We use Wiener's elliptic curve breaking machine for a 120-bit subfield as a data point to construct the table. If someone uses 112 bits, then the problem is $\sqrt{2^8}$, or 16, times easier. It seems that such a machine could break 112-bit EC keys in about 45 minutes.
Based on the latest technology we can expect that today's machine can be built 100 times faster than Wiener's DES machine. Hence we can assume that one can build a machine for 10 million dollars which can break DES in just 0.03 hours, or around 100 seconds. In a purely computational model, the amount of arithmetic required to break a 56-bit DES key is almost the same as the amount required to break an EC key of twice the size (i.e. 112 bits). However, Wiener's 56-bit DES cracking machine looks faster than his equivalent 112-bit EC cracking machine. We assume that 56-bit DES can be broken in about 5 minutes with appropriate hardware, and that this is equivalent to 112-bit EC.
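The square-root scaling used in the last three paragraphs (Wiener's 32-day figure for 120 bits, the 12-hour figure for the redesign, the 16x factor for 112 bits, the 0.88 sqrt(q) Pollard rho cost with its x^2 success curve, and the 100x faster DES machine) is collected below as an added example, not code from the paper or from Wiener's design. All constants come from the page; the functions only apply the page's own formulas so that the "computationally equivalent but not cost equivalent" point can be checked for any key size.

```python
import math

# Data points taken from the page.
WIENER_EC_BITS = 120      # Wiener's 1996 design attacks a 120-bit EC system
WIENER_EC_DAYS = 32       # in about 32 days with one machine
OPTIMIZED_EC_HOURS = 12   # a 50x faster redesign in current silicon: about 12 hours
WIENER_DES_HOURS = 3.5    # Wiener's 1993 DES key-search machine: 3.5 hours
RHO_CONSTANT = 0.88       # Pollard rho expects about 0.88*sqrt(q) group operations


def ec_work_ratio(k_from, k_to):
    """How many times harder a k_to-bit EC key is than a k_from-bit one under a
    square-root (Pollard rho) attack: sqrt(2^(k_to - k_from))."""
    return math.sqrt(2.0 ** (k_to - k_from))


def ec_break_days(k):
    """Expected days for one Wiener machine to break a k-bit EC key:
    32 * sqrt(2^(k - 120)), the page's formula."""
    return WIENER_EC_DAYS * ec_work_ratio(WIENER_EC_BITS, k)


def ec_break_minutes_optimized(k):
    """Same scaling applied to the 12-hour figure of the 50x faster redesign."""
    return OPTIMIZED_EC_HOURS * 60 * ec_work_ratio(WIENER_EC_BITS, k)


def des_machine_seconds(speedup=100):
    """Expected DES key-search time for a machine `speedup` times faster than
    Wiener's 3.5-hour design."""
    return WIENER_DES_HOURS * 3600 / speedup


def rho_expected_ops(q):
    """Expected group operations of Pollard's rho on a group of order q."""
    return RHO_CONSTANT * math.sqrt(q)


def rho_success_probability(fraction_done):
    """Probability of having found the key after a fraction x of the expected
    rho work: x^2 as stated on the page."""
    return fraction_done ** 2


def des_vs_ec_ops_ratio(des_bits=56, ec_bits=112):
    """Ratio of arithmetic steps: rho on a curve of order about 2^ec_bits versus an
    exhaustive search of 2^(des_bits-1) expected trials.  A ratio near 1 is what
    'computationally equivalent' means; it ignores that one EC group operation is
    far costlier in hardware than one DES encryption, which is why the cost
    equivalence in the text comes out differently."""
    return rho_expected_ops(2 ** ec_bits) / 2 ** (des_bits - 1)


if __name__ == "__main__":
    for k in (112, 120, 128, 131, 160):
        print(f"{k}-bit EC: {ec_break_days(k):.3g} days on Wiener's machine, "
              f"{ec_break_minutes_optimized(k):.3g} minutes on the 50x redesign")
    print(f"DES on a 100x faster machine: {des_machine_seconds():.0f} seconds")
    print(f"rho(112-bit EC) / DES-56 trials = {des_vs_ec_ops_ratio():.2f}")
    for x in (0.1, 0.5, 1.0):
        print(f"after {x:.0%} of expected rho work, P(success) = {rho_success_probability(x):.2f}")
```

For 112 bits the two formulas give 2 days and 45 minutes, matching the page; 131 bits already costs about 1450 days on Wiener's machine, which is the basis for Certicom's "infeasible" statement, and the operation-count ratio of 1.76 shows how close 56-bit DES and 112-bit EC are in pure arithmetic terms.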
For the sieving operation Shamir's TWINKLE device seems very effective for RSA keys in the range from 512 to 700 bits, and even for 1024-bit keys. We also assume a software-only attack using PCs for sieving and tightly coupled PCs for the linear algebra. We assume 500 MIPS machines, and the total number of such machines available for ten million dollars is

$$\frac{10^7}{100 + 0.5 \times M}$$

where M is the required memory in Mbytes. Here the term $(100 + 0.5 \times M)$ represents the per-machine cost: $100 for the processor plus the cost of the memory. The required amount of memory is assumed to be

$$M = 64 \text{ Mbytes} \times \sqrt{L(2^k)/L(2^{512})}$$

(because 64 Mbytes is required for RSA-512). We assume that the total memory of the entire sieve machine is enough to hold the matrix. Hence, if we have F dollars to spend on hardware and time T (in months) for an attack, we get the formula

$$\frac{L(n)}{L(2^{512})} = \frac{(T/2) \times F}{300 \times \left(100 + 0.5 \times 64 \times \sqrt{L(n)/L(2^{512})}\right)}$$

This formula states that RSA-512 took 2 months on 300 PCs, each with 64 Mbytes of memory; that is why we divide T by 2 in the numerator and multiply by 300 and 64 in the denominator. In the real world there would be an extra cost for the fast interconnection network of the tightly coupled machines doing the matrix operation.
The key sizes given in the table below assume that we have 10 million dollars for computer hardware, and also that the EC key size should be twice the symmetric key size.
For classical systems we use the L[n] of the NFS (omitting the o(1) part) and other factors. It follows that if the classical cryptosystem key size k is chosen such that

$$\frac{L(2^k)}{IMY(y) \times 2^{12(y-1999)/r}} \ge \frac{L(2^{512})}{10^4}$$

then the security offered by the classical cryptosystem until year y is at least computationally equivalent to the security offered by DES in year s. If the classical cryptosystem key size k' is chosen such that

$$\frac{L(2^{k'})}{IMY(y) \times 2^{12(y-1999)/r}} \ge \frac{L(2^{512})}{10^4 \times 24 \times P}$$

then the security offered by the classical cryptosystem until year y is at least cost equivalent to the security offered by DES in year s.
Lenstra created a table based on this approach and some other considerations [1].
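The NFS scaling quoted earlier (the 10.9x, 6100x and 7-million-x figures for 576, 768 and 1024 bits and the square-root memory rule), the cost-based machine-count and attack-time formulas, and the computational-equivalence condition just stated all rest on the same L[n] function, so one added example serves all three. It is not code from the paper or from Lenstra's table. The L-notation L[n] = exp(c (ln n)^(1/3) (ln ln n)^(2/3)) with c = 1.9229 is the standard GNFS run-time estimate; the page gives the constant but not the formula. IMY(y) is not defined on the page, so `imy_assumed` is a clearly labelled placeholder model (0.5 MMY taken as infeasible in 1982, doubling every 18 months) that any caller can replace; the cost-equivalent condition needs the factor P, which the page does not define, so it is not implemented.

```python
import math

NFS_CONSTANT = 1.9229   # from the page; the SNFS replaces it by 1.5262
SNFS_CONSTANT = 1.5262
RSA512 = 2 ** 512
RSA512_MONTHS, RSA512_PCS, RSA512_MB = 2, 300, 64   # RSA-512: 2 months on 300 PCs with 64 Mbytes
CPU_COST, MB_COST = 100.0, 0.5                      # $100 per processor, $0.50 per megabyte


def ln_L(n, c=NFS_CONSTANT):
    """Natural log of L[n] = exp(c (ln n)^(1/3) (ln ln n)^(2/3)) with o(1) omitted
    (standard L-notation, assumed here).  Log space avoids overflow for 1024-bit n."""
    ln_n = math.log(n)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def effort_ratio(key_bits, ref_bits=512, c=NFS_CONSTANT):
    """L(2^key_bits) / L(2^ref_bits): how much longer than RSA-512 a key takes to factor."""
    return math.exp(ln_L(2 ** key_bits, c) - ln_L(2 ** ref_bits, c))


def sieve_memory_mb(key_bits):
    """Per-machine sieve memory: 64 Mbytes * sqrt(L(2^k)/L(2^512)), memory scaling
    with the square root of time as the page states."""
    return RSA512_MB * math.sqrt(effort_ratio(key_bits))


def machines_for_budget(budget_dollars, key_bits):
    """How many 500 MIPS PCs a budget buys once each carries the memory the key needs."""
    return math.floor(budget_dollars / (CPU_COST + MB_COST * sieve_memory_mb(key_bits)))


def attack_months(key_bits, budget_dollars):
    """The page's formula solved for T:
    L(n)/L(2^512) = (T/2 * F) / (300 * (100 + 0.5 * 64 * sqrt(L(n)/L(2^512))))."""
    r = effort_ratio(key_bits)
    per_machine = CPU_COST + MB_COST * RSA512_MB * math.sqrt(r)
    return RSA512_MONTHS * RSA512_PCS * r * per_machine / budget_dollars


def imy_assumed(year, base_mips_years=0.5e6, base_year=1982, doubling_months=18):
    """PLACEHOLDER model of IMY(y), the infeasible number of MIPS years in year y.
    The page does not define IMY, so this assumes the 0.5 MMY DES search cost was
    infeasible in base_year and that available power doubles every 18 months."""
    return base_mips_years * 2 ** (12 * (year - base_year) / doubling_months)


def min_classical_key_bits(year, imy=imy_assumed, r_months=18, ref_mips_years=1e4):
    """Smallest k satisfying the page's computational-equivalence condition
    L(2^k) / (IMY(y) * 2^(12(y-1999)/r)) >= L(2^512) / 10^4, compared in log space."""
    rhs_ln = ln_L(RSA512) - math.log(ref_mips_years)
    growth_ln = math.log(imy(year)) + (12 * (year - 1999) / r_months) * math.log(2)
    for k in range(64, 16385):
        if ln_L(2 ** k) - growth_ln >= rhs_ln:
            return k
    raise ValueError("no key size up to 16384 bits satisfies the condition")


if __name__ == "__main__":
    budget = 1e7
    print("bits  time-vs-512  sieve MB  machines/$10M  months/$10M")
    for k in (512, 576, 768, 1024):
        print(f"{k:4d}  {effort_ratio(k):11.3g}  {sieve_memory_mb(k):8.3g}  "
              f"{machines_for_budget(budget, k):13d}  {attack_months(k, budget):11.3g}")
    for y in (2000, 2010, 2020):
        print(f"{y}: classical key size >= {min_classical_key_bits(y)} bits (placeholder IMY model)")
```

The effort ratios reproduce the page's 10.9, 6100 and 7 million, the memory ratios its 3.3, 77 and 2650, and RSA-512 with a 300 x $132 budget comes out at exactly 2 months, which confirms the formula was transcribed consistently. Setting IMY to a constant 10^4 makes the condition return exactly 512 bits for 1999, the RSA-155 data point it was calibrated on, and about 755 bits for 2017 under the 18-month doubling alone.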
[Table: only the column headings survive: Year | Elliptic Curve Key Size | Symmetric Key Size | Classical Asymmetric Key Size | Subgroup ... | Number of ...]

RAM Required for NFS

Key Size (bits)  Sieve memory  Matrix memory
332              24 Mbytes     128 Mbytes
428              64 Mbytes     2 Gbytes
512              160 Mbytes    20 Gbytes
1024             ~256 Gbytes   ~100 Gbytes
[Figure 1: Key Sizes in Bits (90 to 170) versus Years (1982 to 2021); data series labelled "Progress".]
Figure 1. For SDL and EC systems, suggested lower bounds for key sizes
As we can see from Figure 1, the gap between the recommended SDL and EC key sizes broadens slowly. This is because of the fast-growing size of the underlying finite fields in SDL, which makes the finite field operations needed to mount an attack using Pollard's rho method slow.
The following are some thoughts on the security and efficiency of ECC as compared with RSA.
3.1. Hardness of Mathematical Problems
Today the security of the three most widely used public-key systems depends on the intractability of the integer factorization problem (IFP) for RSA systems, the discrete logarithm problem (DLP) for discrete log (DL) systems, and the elliptic curve discrete logarithm problem (ECDLP) for ECC. RSA and DL systems were invented in the late 1970s, and ECC was invented in 1985.
We have no proof of whether any of these three mathematical problems is really hard. We may expect to have such a proof in the next few years. So all we can do is rely on the hard work and experience of the mathematicians and computer scientists who have expended incredible amounts of work trying to develop efficient algorithms for these three problems. To date, the best algorithms known for the integer factorization problem (IFP) and the discrete log problem (DLP) are far superior to the best algorithm known for the elliptic curve discrete logarithm problem (ECDLP). For this reason, one can use considerably smaller parameters for ECC than for RSA while achieving the same level of security against known attacks.
So what can we say about the future? Will someone be able to find more efficient algorithms for any of these three problems, and hence render the corresponding public-key systems insecure? The answer is "we don't know yet". We have to learn from what happened in the past and use it to be alert and more successful in the future.
We can also consider how well a problem has been studied and for how long it has been studied. This measure can be misleading: supporters of RSA often claim that the integer factorization problem (IFP) has been studied for centuries, whereas the ECDLP has only been studied for the last 15 years. On the one hand, serious work on factoring really originated in the late 1970s, primarily motivated by the invention of RSA. On the other hand, since the late 1970s all of the work that has been done on the DLP is directly applicable to the ECDLP (such as the Pollard rho algorithm, etc.). Putting these two observations together, one can conclude that both the IFP and the ECDLP have been seriously studied for around the same length of time.
The consulting company Certicom has stated, "Elliptic curves have been studied extensively for the past 150 years as algebraic/geometric entities." This statement is meant to assure non-technical people that elliptic curves themselves are not some recent invention by Certicom.
So, do we have any strong reason to believe that the ECDLP is fundamentally more difficult than the IFP?