
NIST recommends a 256-bit private key exponent for DLP with a 3072-bit modulus. This question answered how the modulus was chosen/calculated; however, why isn't the private key size closer to the modulus size? It would seem that if one achieves order equal to $2^{256}$, this would be a sufficient number of random private key exponent possibilities to make a brute-force attack computationally infeasible. So why the disparity between a $2^{256}$ private key and a $2^{3072}$ modulus?

JohnGalt
  • For $128$-bit security the smallest exponent size is $256$ bits (due to generic DLP algorithms). The corresponding modulus size is $3072$ bits (due to a subexponential algorithm in this group). But a $256$-bit exponent is definitely cheaper for computation than a $3072$-bit one. –  Jul 12 '19 at 15:01
  • @corpsfini when you say "due to subexponential algorithm in this group" are you referring to the existence of some algorithm that undermines the unique powers generated by the cyclic group if the modulus isn't much greater than the key size? – JohnGalt Jul 12 '19 at 15:23
  • I think the basic intuition here is that we don't know any algorithms that recover a DLP private key $x$ in time much less than $\sqrt x$, while we do know how to recover any private key in fields in subexponential time in the size of the field. (Though I don't have any good references for this right now, so no proper answer from me.) – SEJPM Jul 12 '19 at 17:36
  • In the multiplicative group of a finite field, the Index Calculus method (based on the number field sieve for factoring, or its variant) has a subexponential complexity in the size of the modulus, hence the big modulus. –  Jul 12 '19 at 22:14
  • Does the answer to https://crypto.stackexchange.com/q/8455/142 help you? – j.p. Jul 13 '19 at 08:18
  • @j.p. It talks about the fact that the disparity exists but not why the disparity exists. I think the problem is that Index Calculus is not a simple topic to explain. An abstracted explanation is the "security", that is, the way to make it computationally infeasible to determine the private key from the public parameters is to use a 3072-bit modulus. A smaller modulus, coupled with Index Calculus, leads to the possibility of a successful attack? – JohnGalt Jul 14 '19 at 01:11
  • @JohnGalt So you understood that there is a sophisticated algorithm to find the discrete logarithm mod p for 3072-bit primes p in time $2^{130}$. This algorithm cannot take advantage of the knowledge that the logarithm is taken in a "small" subgroup of the multiplicative group of the field of order $p$. On the other hand there is an algorithm taking advantage of the size $q$ of the multiplicative subgroup one is working in, and it takes time square root of the biggest prime factor of its size $q$. So working in a subgroup of 256-bit prime order $q$ in a 3072-bit prime field has security $2^{128}$. – j.p. Jul 14 '19 at 08:42
  • @j.p. That explanation is much appreciated. Do you have any advice or reference to resources for those that want to do the heavy lifting of understanding the Index Calculus approach in greater detail? – JohnGalt Jul 14 '19 at 18:19
  • This paper (PDF) might be of interest to this question. – SEJPM Jul 14 '19 at 20:50
  • @JohnGalt I don't know a good reference for learning the number field sieve as used for the discrete logarithm, but starting from the recent papers https://ia.cr/2017/067 and https://ia.cr/2016/961 and their references you should be able to get a good idea of it. – j.p. Jul 15 '19 at 06:21

1 Answer


Generic algorithms for solving the DLP, like Shanks' baby-step giant-step or Pollard rho, have complexity of order $\mathcal{O}(|G|^{0.5})$. That is, for $|G|=2^{256}$ you get a complexity of $\mathcal{O}(2^{128})$. However, for the index calculus method, which operates on the modulus, to reach a complexity of $\mathcal{O}(2^{128})$ you would need a modulus of size 3072 bits. You may use a larger exponent, but this will result in more complex calculations, while the security remains $\mathcal{O}(2^{128})$.

puzzlepalace
Evgeni Vaknin
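As an added worked example (not part of the question, the comments or the answer above), the following script makes the two cost curves concrete. It builds a toy Schnorr group (prime $p$ with a prime-order-$q$ subgroup, $q \mid p-1$), picks a random exponent $x$, and recovers it with baby-step giant-step. The operation count is about $2\sqrt{q}$ whether $p$ is 64 or 256 bits, which is the point made in the comments: the generic attack only sees $q$. It then evaluates the asymptotic index-calculus / number-field-sieve cost $L_p[1/3, c]$ with $c=(64/9)^{1/3}$ for a 3072-bit $p$ next to $\sqrt{q}$ for a 256-bit $q$. The 20-bit $q$ and the small $p$ sizes are assumptions chosen so the attack finishes in well under a second; the $L_p$ formula drops its $o(1)$ term, so it lands around $2^{139}$ rather than the calibrated $2^{128}$ NIST quotes for 3072 bits, but the shape (subexponential in $\log p$ versus square root in $q$) is what the numbers are meant to show.

```python
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for generating toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and low bit forced)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def schnorr_group(q_bits, p_bits):
    """Toy parameters (assumed sizes): prime p of p_bits with p = k*q + 1 for a
    prime q of q_bits, and g = r^((p-1)/q) mod p, which has order exactly q."""
    q = random_prime(q_bits)
    top = 1 << (p_bits - q_bits - 1)
    while True:
        k = (secrets.randbits(p_bits - q_bits) | top) & ~1  # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        r = secrets.randbelow(p - 3) + 2
        g = pow(r, (p - 1) // q, p)
        if g != 1:  # g^q = 1 and g != 1, so g generates the order-q subgroup
            return p, q, g


def bsgs(g, h, p, q):
    """Solve g^x = h (mod p) for x in [0, q), g of prime order q.
    Returns (x, ops); ops counts modular multiplications, at most about
    2*sqrt(q). The size of p only changes the cost of each multiplication,
    never how many are needed."""
    m = math.isqrt(q) + 1
    baby, e, ops = {}, 1, 0
    for j in range(m):  # baby steps: store g^0 .. g^(m-1)
        baby.setdefault(e, j)
        e = e * g % p
        ops += 1
    step = pow(g, q - m, p)  # g^(-m) mod p, because g^q = 1
    gamma = h
    for i in range(m):  # giant steps: h * g^(-i*m) until it hits the table
        if gamma in baby:
            return (i * m + baby[gamma]) % q, ops
        gamma = gamma * step % p
        ops += 1
    raise ValueError("h is not in the subgroup generated by g")


def generic_cost_bits(q_bits):
    """log2 of the BSGS / Pollard-rho cost in a prime-order group of ~2^q_bits."""
    return q_bits / 2


def nfs_cost_bits(p_bits, c=(64 / 9) ** (1 / 3)):
    """log2 of L_p[1/3, c] = exp(c * (ln p)^(1/3) * (ln ln p)^(2/3)), the
    asymptotic number-field-sieve cost with the o(1) term dropped (assumption:
    this is a shape estimate, not a calibrated security level)."""
    ln_p = p_bits * math.log(2)
    return c * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3) / math.log(2)


def demo(q_bits, p_bits):
    """Generate a group, pick a random exponent x, recover it with BSGS."""
    p, q, g = schnorr_group(q_bits, p_bits)
    x = secrets.randbelow(q)
    h = pow(g, x, p)
    recovered, ops = bsgs(g, h, p, q)
    return {"p_bits": p.bit_length(), "q": q, "x": x, "recovered": recovered,
            "ops": ops, "sqrt_q": math.isqrt(q)}


if __name__ == "__main__":
    for p_bits in (64, 256):
        r = demo(20, p_bits)
        print(f"p {r['p_bits']} bits, q {r['q'].bit_length()} bits: "
              f"recovered={r['recovered'] == r['x']} in {r['ops']} mults "
              f"(2*sqrt(q) = {2 * r['sqrt_q']})")
    print(f"generic attack on 256-bit q: ~2^{generic_cost_bits(256):.0f}")
    print(f"NFS on 3072-bit p (asymptotic, no o(1)): ~2^{nfs_cost_bits(3072):.0f}")
```

Running it shows the same multiplication count for the 64-bit and 256-bit fields, because only $q$ enters the BSGS loop bounds; the exponent size is therefore what you can trim to save arithmetic, while the modulus has to stay large enough that `nfs_cost_bits` does not drop below the generic bound.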