Security Level 密码算法对比
date
Mar 27, 2022
slug
crypto-security-level
status
Published
tags
Cryptography
Standard
summary
RSA 和 ECC 安全性和参数对比
type
Post
Intro
在做实验对比时, 需要保证 RSA 与 pbc 安全性的一致性, 也就是 RSA 和 ECC.
简单找了 NIST 标准, 查了对比.
Main
Ref.1. Table.2 表示不同密码算法在相同安全参数下的参数要求, 不过该表格里面参数没有具体表示.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Ff3890ece-6fd4-407c-ad86-6cc9a9abdbbe%2Fa12b2345-61b5-4761-bb5e-59697ba97ea9%2FUntitled.png%3Fid%3D1328a017-98be-40d5-8682-76f206890fc8%26table%3Dblock%26spaceId%3Df3890ece-6fd4-407c-ad86-6cc9a9abdbbe%26expirationTimestamp%3D1721923200000%26signature%3DvjxCyFuhPkMNt3lPWvPYRrJBUDsS_7QO1LpSuMdnLc4?table=block&id=1328a017-98be-40d5-8682-76f206890fc8&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Ff3890ece-6fd4-407c-ad86-6cc9a9abdbbe%2Ffb7a1e8a-f9a9-4398-907d-a21491b16bf4%2FUntitled.png%3Fid%3Da040e1d0-4eed-4a9a-835c-c55107b91ba5%26table%3Dblock%26spaceId%3Df3890ece-6fd4-407c-ad86-6cc9a9abdbbe%26expirationTimestamp%3D1721923200000%26signature%3DFgOqpm2L0wGmyWiAIqcXeOANQBFtDoMGmK9acGJXEAU?table=block&id=a040e1d0-4eed-4a9a-835c-c55107b91ba5&cache=v2)
第四列 RSA
k 代表 RSA 群的模N的 bit-length, 其中 N=PQ.
Ref.2. Ch5.1 RSA Key Pair Generation
This Standard specifies three choices for the length of the modulus
(i.e., nlen): 1024, 2048 and 3072 bits.
第五列 ECC
f 代表点 G 的阶 order, 阶的定义参考群元素order定义.
Ref.2. Ch6.1 ECDSA Domain Parameters
q is the field size; n is the order
of the point G
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Ff3890ece-6fd4-407c-ad86-6cc9a9abdbbe%2F1fa4f6b4-ecbf-4e85-95a3-b52a27080aa5%2FUntitled.png%3Fid%3Dc813737a-8d96-4228-90c4-48c9205091ca%26table%3Dblock%26spaceId%3Df3890ece-6fd4-407c-ad86-6cc9a9abdbbe%26expirationTimestamp%3D1721923200000%26signature%3DYHiHE3r5YanZ6R3OWL1ff3ut6oWSComSfKkQ69tBZ5I?table=block&id=c813737a-8d96-4228-90c4-48c9205091ca&cache=v2)
简单结论
RSA 模 N(N=PQ), ECC 点 G 的 order 为 n, 域大小(field size)为 p 的情况下安全性等价关系为:
在 pbc type-A 的曲线上, 对应的则是 RSA 1024bit 安全性, 发现原文也写了
In other words, the fastest known way to break discrete log for a general elliptic curve is to use a algorithm for a generic cyclic group, such as the Pollard rho and lambda methods, implying that the security of a 160-bit elliptic curve group and a 1024-bit finite field are roughly equivalent.