Cryptography Reference
In-Depth Information
(MQ) or some lattice-based schemes are examples of this. Another common problem
is that they have poor implementation characteristics, like key lengths in the
range of megabytes, e.g., the McEliece cryptosystems. However, there are also some
other schemes, for instance, hyperelliptic curve cryptosystems, which are both as
efficient and secure as the three established families shown above, but which simply
have not gained widespread adoption. For most applications it is recommended to
use public-key schemes from the three established algorithm families.
6.2.4 Key Lengths and Security Levels
All three of the established public-key algorithm families are based on
number-theoretic functions. One distinguishing feature of them is that they require
arithmetic with very long operands and keys. Not surprisingly, the longer the operands
and keys, the more secure the algorithms become. In order to compare different
algorithms, one often considers the security level. An algorithm is said to have a
“security level of n bit” if the best known attack requires $2^n$ steps. This is a quite
natural definition because symmetric algorithms with a security level of n have a key
of length n bit. The relationship between cryptographic strength and security is not
as straightforward in the asymmetric case, though. Table 6.1 shows recommended
bit lengths for public-key algorithms for the four security levels 80, 128, 192 and 256
bit. We see from the table that RSA-like schemes and discrete-logarithm schemes
require very long operands and keys. The key length of elliptic curve schemes is
significantly smaller, yet still twice as long as symmetric ciphers with the same
cryptographic strength.
Table 6.1 Bit lengths of public-key algorithms for different security levels

| Algorithm Family | Cryptosystems | Security Level 80 bit | Security Level 128 bit | Security Level 192 bit | Security Level 256 bit |
|---|---|---|---|---|---|
| Integer factorization | RSA | 1024 bit | 3072 bit | 7680 bit | 15360 bit |
| Discrete logarithm | DH, DSA, Elgamal | 1024 bit | 3072 bit | 7680 bit | 15360 bit |
| Elliptic curves | ECDH, ECDSA | 160 bit | 256 bit | 384 bit | 512 bit |
| Symmetric-key | AES, 3DES | 80 bit | 128 bit | 192 bit | 256 bit |

You may want to compare this table with the one given in Sect. 1.3.2, which
provides information about the security estimations of symmetric-key algorithms. In
order to provide long-term security, i.e., security for a timespan of several decades,
a security level of 128 bit should be chosen, which requires fairly long keys for all
three algorithm families.
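
The following is an added example, not part of the original text: it recomputes rough security levels for the key lengths in Table 6.1 from attack-cost estimates and checks a key against the 128-bit long-term recommendation. The two cost formulas (the heuristic number field sieve running time for factoring and discrete logarithms, and the generic square-root attack for elliptic curve groups) are assumptions brought in for this example, as are all function names.

```python
import math

# Table 6.1 as given in the text: security level (bit) -> key length (bit).
TABLE_6_1 = {
    "factoring/DL": {80: 1024, 128: 3072, 192: 7680, 256: 15360},
    "elliptic curve": {80: 160, 128: 256, 192: 384, 256: 512},
}

def nfs_bits(modulus_bits):
    """log2 of the heuristic number field sieve running time
    exp((64/9)^(1/3) * (ln N)^(1/3) * (ln ln N)^(2/3)) for N ~ 2^modulus_bits.
    Assumption of this example: the o(1) term is dropped, so the result is
    a rough estimate, not a calibrated standard figure."""
    ln_n = modulus_bits * math.log(2)
    work = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def sqrt_attack_bits(group_bits):
    """Generic square-root attack on a group of about 2^group_bits elements:
    roughly 2^(group_bits / 2) steps."""
    return group_bits / 2

ESTIMATORS = {"factoring/DL": nfs_bits, "elliptic curve": sqrt_attack_bits}

def compare_with_table():
    """Rows of (family, key bits, level from Table 6.1, estimated level)."""
    return [(family, bits, level, round(ESTIMATORS[family](bits), 1))
            for family, levels in TABLE_6_1.items()
            for level, bits in levels.items()]

def meets_long_term(family, key_bits, target=128):
    """True if the key is at least as long as Table 6.1 asks for `target`."""
    return key_bits >= TABLE_6_1[family][target]

if __name__ == "__main__":
    for row in compare_with_table():
        print("%-15s %6d bit  table: %3d  estimate: %5.1f" % row)
    # Constructed inventory, not from the text.
    for family, bits in [("factoring/DL", 2048), ("elliptic curve", 256)]:
        print(family, bits, "long-term OK:", meets_long_term(family, bits))
```

The elliptic-curve estimates equal the table's levels exactly, which is the "twice as long as symmetric ciphers" observation; the factoring and discrete-logarithm estimates are uncalibrated and land somewhat above the table's rounded levels.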
An undesired consequence of the long operands is that public-key schemes are
extremely arithmetically intensive. As mentioned earlier, it is not uncommon that
one public-key operation, say a digital signature, is 2-3 orders of magnitude slower
than the encryption of one block using AES or 3DES. Moreover, the computational