Cryptography Reference
In-Depth Information
though, if the size of p is increased to 2048 or 3072 bit. This only increases the
difficulty of the index-calculus attack, but the small subgroup attack would still have a
complexity of 2^80 if the subgroup stays the same size. For this reason q also must be
increased if larger p values are chosen. Table 10.2 shows the NIST-specified lengths
of the primes p and q together with the resulting security levels. The security level of
the hash function must also match the one of the discrete logarithm problem. Since
the cryptographic strength of a hash function is mainly determined by the bit length
of the hash output, the minimum hash output is also given in the table. More about
security of hash functions will be said in Chap. 11.
Table 10.2 Standardized parameter bit lengths and security levels for DSA
p       q      Hash output (min)   Security levels
1024    160    160                 80
2048    224    224                 112
3072    256    256                 128
It should be stressed that the record for discrete logarithm calculations is 532 bit,
so that the 1024-bit DSA variant is currently secure, and the 2048-bit and 3072-bit
variants seem to provide good long-term security.
In addition to discrete logarithm attacks, DSA becomes vulnerable if the ephemeral
key is reused. This attack is completely analogous to the case of the Elgamal
digital signature. Hence, it must be assured that a fresh randomly generated key
k_E is used in every signing operation.
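The following added example (not from the original text) shows how a defender can audit a signature log for ephemeral-key reuse: since r = (g^k_E mod p) mod q depends only on k_E, two signatures over different digests with the same r under one key indicate a reused k_E. The toy parameters, key, digests and function names are constructed for illustration and are far too small for real use.

```python
import secrets
from collections import defaultdict

# Toy domain parameters (constructed, far too small for real use):
# Q divides P - 1 and G generates the subgroup of order Q.
P, Q, G = 59, 29, 3
D = 7                      # private key (constructed)
BETA = pow(G, D, P)        # public key

def sign(h, k_e=None):
    """Sign digest h (an integer standing in for the hash output).
    k_e can be fixed only to simulate a faulty signer that reuses it."""
    while True:
        k = k_e if k_e is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = (h + D * r) * pow(k, -1, Q) % Q
        if r and s:
            return r, s
        if k_e is not None:
            raise ValueError("fixed k_e gives r = 0 or s = 0")

def verify(h, r, s):
    """Standard DSA verification of (r, s) against digest h."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, w * h % Q, P) * pow(BETA, w * r % Q, P) % P % Q
    return v == r

def find_reused_r(log):
    """Return {r: [ids]} for every r seen with more than one digest.
    A repeated r under one key indicates a reused ephemeral key; with a
    realistic q a chance collision is negligible (not so with toy q)."""
    seen = defaultdict(list)
    for sig_id, h, r, _s in log:
        seen[r].append((sig_id, h))
    return {r: [i for i, _ in v] for r, v in seen.items()
            if len({h for _, h in v}) > 1}

# Constructed log of (id, digest, r, s): "a" and "c" share the same k_E.
LOG = [("a", 26, *sign(26, k_e=10)),
       ("b", 17, *sign(17, k_e=4)),
       ("c", 11, *sign(11, k_e=10))]
```

All three logged signatures verify correctly, so verification alone does not reveal the fault; only the repeated r in the audit does.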
10.5 The Elliptic Curve Digital Signature Algorithm (ECDSA)
As discussed in Chap. 9, elliptic curves have several advantages over RSA and
over DL schemes like Elgamal or DSA. In particular, in the absence of strong attacks
against elliptic curve cryptosystems (ECC), bit lengths in the range of 160-256 bit
can be chosen which provide security equivalent to 1024-3072-bit RSA and DL
schemes. The shorter bit length of ECC often results in shorter processing time and
in shorter signatures. For these reasons, the Elliptic Curve Digital Signature
Algorithm (ECDSA) was standardized in the US by the American National Standards
Institute (ANSI) in 1998.
10.5.1 The ECDSA Algorithm
The steps in the ECDSA standard are conceptually closely related to the DSA
scheme. However, its discrete logarithm problem is constructed in the group of
 