On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography

Meeting the requirements of NIST’s new cryptographic standard ‘Suite B Cryptography’ means phasing out usage of 1024-bit RSA and 160-bit Elliptic Curve Cryptography (ECC) by the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their continued usage beyond 2010. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC may safely be used for much longer – with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit ECC by the year 2020. Our assessment is based on the latest practical data of large scale integer factorization and elliptic curve discrete logarithm computation efforts.