DOI:10.1007J.Cryptology(2001)14:255 - PDF document

DOI:10.1007J.Cryptology(2001)14:255Ð293 2001InternationalAssociationforCryptologicResearch SelectingCryptographicKeySizesArjenK.LenstraCitibank,N.A.,1NorthGateRoad,Mendham,NJ07945-3104,U.S.A.TechnischeUniversiteitEindhovenEricR.VerheulPricewaterhouseCoopers,GRMSCryptoGroup,Goudsbloemstraat14,5644KEEindhoven,TheNetherlandseric.verheul@[nl.pwcglobal.com,pobox.com]CommunicatedbyAndrewOdlyzkoReceivedSeptember1999andrevisedFebruary2001Onlinepublication14August2001Inthisarticleweofferguidelinesforthedeterminationofkeysizesforsymmetriccryptosystems,RSA,anddiscretelogarithm-basedcryptosystemsbothoverÞniteÞeldsandovergroupsofellipticcurvesoverprimeÞelds.Ourrecommendationsarebasedonasetofexplicitlyformulatedparametersettings,combinedwithexistingdatapointsaboutthecryptosystems.Keywords.Symmetrickeylength,Publickeylength,RSA,ElGamal,Ellipticcurvecryptography,MooreÕslaw.1.IntroductionThePurposeofThisPaperCryptographyisoneofthemostimportanttoolsthatenablee-commercebecausecryp-tographymakesitpossibletoprotectelectronicinformation.Theeffectivenessofthisprotectiondependsonavarietyofmostlyunrelatedissuessuchascryptographickeysize,protocoldesign,andpasswordselection.Eachoftheseissuesisequallyimportant:ifakeyistoosmall,orifaprotocolisbadlydesignedorincorrectlyused,orifapass-wordispoorlyselectedorprotected,thentheprotectionfailsandimproperaccesscanbegained.Inthisarticlewegivesomeguidelinesforthedeterminationofcryptographickeysizes.Foreachofanumberofcryptosystemswedescribetheeffortandcostrequiredforasuccessfulattack,wherethecostmaybemeasuredinseveraldifferentways.Other 256A.K.LenstraandE.R.Verheulprotocol-orpassword-relatedissuesarenotdiscussed.Wedonotaimtopredictthefuture,butifcurrenttrendspersist,thenfollowingourguidelineswillresultinacceptablesecurityforcommercialapplicationsofcryptography.Keysizerecommendationsarescatteredthroughoutthecryptographicliteratureormay,foraparticularcryptosystem,befoundinvendordocumentation.Unfortunatelyitisoftenhardtotellonwhatpremises(otherthanmarketability)therecommenda-tionsarebased.AsfarasweknowthisarticleistheÞrstuniform,clearlydeÞned,andproperlydocumentedtreatmentofthissubjectforthemostimportantgenerallyacceptedcryptosystems.Weformulateasetofexplicitparametersettingsandapplytheseuniformlytoexistingdataaboutthecryptosystems.Theresultingkeysizerec-ommendationsarethusobtainedinauniformmechanicalway,dependingonlyonourdefaultsettings,butindependentoffurtherassumptionsornon-scientiÞcconsidera-tions.TheresultingkeysizerecommendationsareintendedfordesignerswhowantaÒconservativeÓestimateforthekeysizesforvariousschemesoverthenext20Ð30OurkeysizerecommendationsarenotintendedasÒbestestimatesÓbasedonargumentsarguingfororagainstcertainimplementation-relateddifÞculties.Eventhoughsomeoftheseargumentsmaybenotwithoutmerit,theyareavoided.Basingasecurityargumentonsomethingthatcurrentlyhappenstobeperceivedasaproblemasopposedtobasingitonthemoreintrinsicbiggerpictureis,inouropinion,wishfulthinking.Despiteourattempttobeobjectivewedonotexpectthatourdefaultsaretoevery-oneÕstaste.Theycan,however,easilybechangedwithoutaffectingtheoverallapproach,therebymakingthisarticleusefulalsoforthosewhoobjecttoourchoicesortheresultingkeysizerecommendations.Otherpaperscontainingkeysizerecommendationsare[3],[5](symmetrickeycryptosystems),[29](RSA),[16](RSAandellipticcurvecryptosys-tems),and[38](symmetricandasymmetrickeycryptosystems).Anextendedabstractofthisarticleappearedin[22].Althoughthechoiceofkeysizesusuallygetsthemostattention,nearlyallfailuresare,inourexperience,notduetoinadequatekeysizesbuttoprotocolorpassworddeÞciencies.Toillustratethis,thecryptographickeysizesusedbythepopularemailencryptionprogramÒPrettyGoodPrivacyÓ(PGP)offeranacceptablelevelofsecurityforcurrentapplications.However,theuser-passwordthatprotectstheprivatePGPkeysstoredonanInternet-accessiblePCdoesnotnecessarilyofferthesamesecurity.Eveniftheuserisrelativelysecurity-consciousandselectsapasswordconsistingof9charactersrandomlychosenfrom62alphanumericchoices,theresultingsecurityiscomparablewiththesecurityofferedbytherecentlybrokenÒDataEncryptionStandardÓandtherebyunacceptablebytodayÕsstandards.AnevenmoredisturbingexamplecanbefoundinmanynetworkconÞgurations.Inoneexampleeachusermayselectapasswordthatconsistsof14characters,whichshould,inprinciple,offerenoughsecurity.Beforetransmissionoverthenetworkthepasswordsareencrypted,withtheinterestingfeaturehoweverthateachpasswordissplitintotwopartsofatmost7characterseach,andthateachofthetworesultingpartsistreatedseparately,i.e.,encryptedandtransmittedoverthenetwork.Thiseffectivelyreducesthepasswordlengthof14to7,whichisnotsufÞcientlysecure.Formoreexampleswereferto[1].Thus,applicationoftheguidelinesgivenheremakessenseonlyafteroneisconvincedoftheoverallsecurityofthedesign,ofitsimplementation,andofend-to-endsystem SelectingCryptographicKeySizes257Oursuggestionsarebasedonreasonableextrapolationsofdevelopmentsthathavetakenplaceduringthelastfewdecades.Thisapproachmayfail:asinglebrightideamayprovethatallcurrentlypopularcryptographicprotocolsareconsiderablylesseffectivethanexpected.Itmayevenrenderthemcompletelyineffective,asshownbythefollow-ingtwoexamples.Inthe1980sthethenpopularknapsack-basedcryptosystemsweresuddenlywipedoutbyanewtypeofattack.Morerecently,threeindependentgroupsofresearchersshowedthatellipticcurvecryptosystemsbasedontheuseofcurvesoftraceoneareeasilybreakable.Inthisarticlewediscussonlycryptosystemsforwhichitisbelievedtobeunlikelythatsuchcatastropheswilleveroccur.Nevertheless,forsomeofthesesystemsnon-trivial,butnon-catastrophic,newcryptanalyticinsightsareobtainedonafairlyregularbasis.Sofar,agradualincreaseinkeysizeshasbeenaneffectivecountermeasureagainstthesenewinsights.Fromanapplicationpointofviewitistobehopedthatthiswillnotchangeanytimesoon.Itisthepurposeofthisarticletogiveanideabyhowmuchkeysizeshavetobeincreasedtomaintainacomfortablemarginofsecurity.IfsufÞcientlylargequantumcomputerscanbebuilt,thenallasymmetrickeycryp-tosystemsdiscussedinthisarticleareinsecure[34].Itisunclearifquantumcomputersarefeasibleatall.Oursuggestionsdonottakequantumcomputersintoaccount.Neitherdoweincorporatethepotentialeffectsofmolecularcomputing[28]..Manyoftheconsiderationsdiscussedinthisarticle,andthedefaultchoiceswemake,concernparametersandissuesthatareatbestofsecondaryimportance.Theyareincludedforthenon-specializedreaderwhomaynotimmediatelybeabletorecognizetherelativeimportanceorpotentialimpactofthevariousissuesrelatedtokeysizeselection.RunTimeConventionAllruntimeestimatesinthisarticlearebasedonactualruntimesorreliableestimatesofruntimesona450MHzPentiumIIprocessor,atthetimeofwritingofthispaperoneofthemostpopularcommonlyavailableprocessors.AÒPCÓalwaysreferstothisprocessor.Intheliterature,computingpowerisoftenmeasuredinMips-Years,whereaMips-YearisdeÞnedastheamountofcomputationthatcanbeperformedinoneyearbyasingleDECVAX11780.ThismeasurehasoftenbeencriticizedbecauseitisunclearhowitcanbeusedinaconsistentmannerforprocessorswithinstructionsetsdifferentfromtheVAX.Wefullyagreewiththeconcernsexpressedin[37].Nevertheless,becauseofitspopularityandthewideacceptanceithasgained,weusethismeasurehereaswell.Weusethecon-ventionthat1yearofcomputingonaPCisequivalentto450Mips-Years,whereitshouldbekeptinmindthatultimatelyallourestimatesarebasedonruntimesonaPCandnotontheliteraldeÞnitionorourdeÞnitionofMips-Years.Asshownin2.2.4thetwodeÞnitionsare,however,sufÞcientlyclose.OurMips-YearÞguresshouldthereforebecompatiblewithMips-YearÞguresfoundelsewhere.WewriteMMYfor1millionMips-Years.LowerBoundsTheguidelinesinthisarticlearemeantaslowerboundsinthesensethatkeysofsizesequaltoorlargerthantherecommendedsizesattainatleastacertainspeciÞedlevelof 258A.K.LenstraandE.R.Verheulsecurity.Fromasecuritypointofviewitisacceptabletoerrontheconservativesidebyrecommendingkeysthatmaybeslightlylargerthanactuallyrequired.Mostkeysizeguidelinesinthisarticlearethereforeobtainedbysystematicallyunderestimatingthecomputationaleffortrequiredforasuccessfulattack.Thus,keysareestimatedtobeweakerthantheyareinreality,whichisacceptableforourpurposeofÞndinglowerbounds.Insomecasesslightoverestimatesoftheattackeffortareusedinstead,butinthosecasesthereareotherfactorsthatensurethatthedesiredlevelofsecurityisachieved.EquivalenceofAttackEffortsWepresentkeysizerecommendationsforseveraldifferentcryptosystems.ForacertainspeciÞedlevelofsecuritytheserecommendationsmaybeexpectedtobeequivalentinthesensethatthecomputationaleffortornumberofMips-Years(Section1.2)forasuccessfulattackismoreorlessthesameforallcryptosystemsunderconsideration.So,fromacomputationalpointofviewthedifferentcryptosystemsoffermoreorlessequivalentsecuritywhentherecommendedkeysizesareused.Thiscomputationallyequivalentsecurityshouldnotbeconfusedwith,andisnotnecessarilythesameas,securitywithequivalentcostofequipment,orcost-equivalentsecurityforshort.Herewesaythattwosystemsoffercost-equivalentsecurityifaccessingoracquiringthehardwarethatallowsasuccessfulattackinacertainÞxedamountoftimecoststhesameamountofdollarsforbothsystems.Notethatalthoughthepriceisthesame,thehardwarerequiredmaybequitedifferentforthetwodifferentattacks;someattacksmayusePCs,forotherattacksitmaybepossibletogettherequiredMips-Yearsrelativelycheaplybyusingspecial-purposehardware.Followingourguidelinesdoesnotnecessarilyresultincost-equivalentsecurity.In3.2.5andSection4.5weindicatehowourguidelinesmaybechangedtoobtaincostequivalence,therebypossiblygivingupcomputationalequivalence.Thereareatleasttworeasonswhyweusecomputationallyequivalentsecurityasopposedtocost-equivalentsecurity.Mostimportantly,wefoundthatcomputationalequivalenceallowsrigorousanalysis,mostlyindependentofourownjudgmentorpref-erences.Analysisofcostequivalence,ontheotherhand,dependsonsubjectivechoicesthatchangeovertime,andthathaveaconsiderableeffectontheoutcome.Thus,forcostequivalencethereisawholespectrumofÒreasonableÓoutcomes,dependingononeÕsperceptionofwhatisreasonable.InSection4.5wepresentthreepointsofthespectrum.Anotherreasonwhywerestrictedourselvestocomputationalequivalenceisthat,inthemodelwehaveadopted,weneedaworkablenotionofequivalencetoachieveourgoalofdeterminingacceptablekeysizerecommendationsÑachievinganytypeofequivalenceinitselfhasneverbeenourgoal.Whetherornottheresultingrecommendationsareindeedacceptabledependsonhowacceptableourmodelisfoundtobe.Remarkonpublishedversusunpublishedattacks.Theanalysesinthispaperareoftenbasedonrecentlypublishedcryptanalyticresults.However,ascanbeseenbelow(inparticularin3.1.2),weneverusethesepublishedresultstoassessthesecurityofcryptographicsystems,onlytoderivedataaboutthecomputationaleffortinvolvedinasuccessfulattack.Thus,argumentssuchasÒa512-bitRSAkeywasbrokenonlyin1999(see2.4.6),so1024-bitRSAkeysmustbesafeforquiteawhileÓarenotusedinthis SelectingCryptographicKeySizes259article[38].Doesanyoneseriouslybelievethatpublishedattacksrepresentthestateoftheart?Itmaysafelybeassumedthatunpublishedworkismanyyearsaheadofwhatthepublicatlargegetstosee:apublicannouncementthatasystemisbrokenprovidesatbestarathertrivialupperboundÑandaverysimple-mindedone,inouropinionÑforthedatethatthesystembecamevulnerable.ThisisillustratedinRemark3.1.8.Seealso2.4.5and3.1.3.OrganizationofThisPaperInSection2wedescribethecryptographicprimitivesforwhichwederivekeysizerec-ommendations,namelythecryptographicprimitivesthatarementionedintheWassenaarArrangement(Section2.1).InSection3wepresentthemodelunderlyingourkeysizerecommendations.Themodelisbasedonanumberofvariablesthatparametrizeenvi-ronmentalfactorsaffectingthesecurityorperceivedsecurityofkeysizechoices.Theroleoftheparametersisdescribedandconservativedefaultsettingsaresuggested.InSection4weapplythemodelfromSection3tothecryptographicprimitivesfromSection2.Thisresultsinanumberofformulasfromwhich,forinstancewiththedefaultsettings,keysizerecommendationscanbederived.InSection5wediscusssomeoftheimplicationsofourkeysizerecommendations.2.CryptographicPrimitivesTheWassenaarArrangementTheCoordinatingCommitteeforMultilateralExportControls(COCOM)wasaninter-nationalorganizationregulatingthemutualcontroloftheexportofstrategicproducts,includingcryptographicproducts,frommembercountriestocountriesthatjeopardizetheirnationalsecurity.Membercountries,e.g.,EuropeancountriesandtheUS,imple-mentedtheCOCOMregulationsinnationallegislation(e.g.,theITARintheUS).TheWassenaarArrangementisafollow-upoftheCOCOMregulations.ThecurrentrestrictionsintheWassenaarArrangement(December1998)withrespecttocryptog-raphyareratherdetailed[42].ForÞvetypesofcryptographicprimitivesamaximumkeysizeisgivenforwhichexportdoesnotrequirealicense.DuetothenatureoftheWassenaarArrangement,itisnotsurprisingthatitturnsoutthatthesekeysizesdonotprovideadequateprotectionforthemajorityofcommercialapplications.Inthisarticlewelimitourselvestothesecryptographicprimitives.Intheremainderofthissectionwereviewforeachofthesecryptographicprimitivessomefactsanddatathatarerelevantforourpurposes:ÐAbriefdescription.ÐThekeysizerecommendationfromtheWassenaarArrangement.ÐThemostimportantknown(i.e.,published)attacks.ÐTheeffectivenessofthoseattacksusinggenericsoftwareimplementations.ÐTheeffectivenessofthoseattacksusingspecial-purposehardware.ÐTheeffectivenessofguessing(Remark1.1.1).ÐTheeffectivenessofincompleteattacks(Remark1.1.1).ÐPastcryptanalyticprogress. 260A.K.LenstraandE.R.VerheulWedistinguishthecryptographicprimitivesintosymmetrickey(orsecretkey)andasymmetrickey(orpublickey)cryptosystems.Suchsystemsareinstrumentaltobuilde-commerceenablingsolutionsand,morespeciÞcally,canbeusedtoachieveconÞden-tiality,integrity,authenticity,andnon-repudiationofelectronicinformation.Forsim-plicityweassumetwocommunicatingparties,asenderandareceiver,whowanttomaintainconÞdentialityofthecommunicationfrom.Attheendofthesectionwebrießymentioncryptographichashfunctionsaswell.SymmetricKeyCryptosystems.Insymmetrickeycryptosystemsshareakey.TomaintainconÞdentialitythekeyshouldbekeptsecret.Thesizeofthekey,i.e.,itsnumberofbits,dependsonthesymmetrickeycryptosystem.Oftenboththemessageanditsencryptionconsistofawholenumberofblocks,whereablockconsistsofaÞxednumberofbitsthatdependsonthesymmetrickeycryptosystem.Thebest-knownsymmetrickeycryptosystemistheDataEncryptionStandard(DES),introducedin1977,withkeysize56bitsandblocksize64bits.Otherexamplesofsymmetrickeycryptosystemsare:ÐTwoKeyTripleDES(keysize112,blocksize64);ÐIDEA(keysize128,blocksize64);ÐRC5(variablekeyandblocksizes);ÐtheforthcomingAdvancedEncryptionStandard(AES),withkeysizesof128,192,or256bitsandblocksize128.WassenaarArrangement.ThemaximumsymmetrickeysizeallowedbytheWassenaarArrangementis56bitsforÒnichemarketÓapplicationsand64bitsforÒmassmarket.ÓAttacks.Despitemanyyearsofresearch,nomethodhasbeenpublishedthatbreaksaDES-encryptedmessagesubstantiallyfasterthanexhaustivekeysearch,i.e.,tryingall2differentkeys.Theexpectednumberoftrialsofexhaustivekeysearchis2Softwaredatapoints.NowadaystheDESisnotconsideredtobesufÞcientlysecure.In1997aDESkeywassuccessfullyretrievedafteranInternetsearchofap-proximately4months([31]andRemark3.1.3).Theexpectedcomputingpowerrequiredforsuchasoftwareexhaustivekeysearchisunderestimatedas0.5MMY(Section1.2).ThisestimateisbasedonthePentium-basedÞguresthatasingleDESblockencryptionwithaÞxedkeyrequires360Pentiumclockcycles[8]or500Pentiumclockcycleswithavariablekey[2].Furthermore,ourestimateliesbetweentwoDECVAX11estimatesthatcanbefoundin[9]and[29].ItfollowsthatourMips-YearsconventionissufÞcientlyaccurate.HalfamillionMips-Yearsisroughly13,500monthsonaPC.Thisisequivalentto4monthson3500PCs,becauseanexhaustivekeysearchcanbeevenlydividedoveranynumberofprocessors.ForapropersecurityanalysisonethereforehastoevaluateandkeeptrackofthetotalcomputationalpoweroftheInternet. SelectingCryptographicKeySizes261Special-purposehardwaredatapoints.Atthecostofaone-timeinvestmentahardwareattackissubstantiallyfasterthanasoftwareattack.In1977a$20millionparallelDESkeysearchingmachinewasproposedwithanexpectedsearchtimeof12hours[11].WewriteÒ[$20million,12hours,1977]-hardwareÓforthisdesign.In[10]itwascorrectedto[$50million,2days,1980]-hardware.Wienerpublishedadetailed[$1million,3.5hours,1993]-hardwaredesign[43],andspecialpurpose[$130,000,112hours,1998]-hardwarewasactuallybuilt[19];seealso[13].Effectivenessofguessing.ThereisalwaysthepossibilitythatsomeonemayÞndakeysimplybyguessingit.Forreasonablekeysizestheprobabilitythatthishappensissmall:evenfora50-bitkeythereisatotalprobabilityofoneinamillionthatitisfoundifonebillionpeopleeachmakeadifferentguess.Withthesameeffort,theprobabilityofsuccesshalvesforeachadditionalkeybit:fora60-bitkeyitbecomesonlyoneinabillion.Notethatexhaustivekeysearchisnothingmorethansystematicguessing.Incompleteattacks.Thesuccessprobabilityofexhaustivekeysearchispropor-tionaltothefractionofthekeyspacesearched;i.e.,forany1,thechanceisthatthekeyisfoundaftersearchingafractionofthekeyspace.Cryptanalyticprogress.Weassumenomajorchanges,i.e.,thatfuturesymmetrickeycryptosystemdesignsdonotallowfasterattacksthanexhaustivekeysearch.Also,weassumethatadesignthatturnsouttoallowafasterattackwillnolongerbeused.Belowweassumetheexistenceofagenericsymmetrickeycryptosystemofarbitrarykeysizeforwhichexhaustivekeysearchisthebestattack.Itfollowsthatfora-bitkeyasuccessfulattackcanbeexpectedtorequireontheorderof2invocationsoftheunderlyingfunction.AsymmetricKeyCryptosystemsOverviewInasymmetrickeycryptosystemsthereceiverhasaprivatekey(whichkeepssecret)andacorrespondingpublickeythatanyone,including,hasaccessto.ThesenderÕspublickeytoencryptinformationintendedfor,andusesitsprivatekeytodecrypttheencryptedmessage.Iftheprivatekeycanbederivedfromthepublickey,thenthesystemcanbebroken.Whattheprivateandpublickeysconsistof,andhowharditistobreakthesystem,dependsonthetypeofasymmetrickeycryptosystem.Forcryptanalyticandhistoricreasonswedistinguishthefollowingthreetypes:1.Classicalasymmetricsystems.2.Subgroupdiscretelogarithmsystems.3.Ellipticcurvesystems.Thesethreetypesofsystemsarediscussedinmoredetailinthenextthreesubsections.ClassicalAsymmetricSystemsClassicalAsymmetricSystemsrefertoRSA,duetoRivest,Shamir,andAdleman,andtraditionaldiscretelogarithmsystems,suchastheDifÞeÐHellmanandElGamalschemes. 262A.K.LenstraandE.R.VerheulRSAdescription.InRSAthepublickeycontainsalargenon-primenumber,theso-calledRSAmodulus.Itischosenastheproductoftwolargeprimes.Iftheseprimescanbefound,thentheprivatekeycanbefound,therebybreakingthesystem.Thus,thesecurityofRSAisbasedonthedifÞcultyoftheintegerfactorizationproblem(see2.4.10).ThesizeofanRSAkeyreferstothebit-lengthoftheRSAmodulus.ThisshouldnotbeconfusedwiththeactualnumberofbitsrequiredtostoreanRSApublickey,whichmaybeslightlymore.TDLdescription.Inatraditionaldiscretelogarithm(TDL)systemthepublickeyconsistsofaÞniteÞeldGFofsize,ageneratorofthemultiplicativegroupofGF,andanelementofGFthatisnotequalto1.WeassumethattheÞeldsizeissuchthat1hasaprimefactorofroughlythesameorderofmagnitude.Theprivatekeyisthesmallestpositiveintegersuchthat.Thisreferredtoasthediscretelogarithmofwithrespectto.Theprivatekeyisatleast1andatmost2.Ifcanbefound,thesystemcanbebroken.Thus,thesecurityofTDLsystemsisbasedonthedifÞcultyofcomputingdiscretelogarithmsinthemultiplicativegroupofaÞniteÞeld.ThesizeofaTDLkeyreferstothebit-lengthoftheÞeldsizeTheactualnumberofbitsrequiredtostoreaTDLpublickeyislarger,sincethepublickeycontainsaswell.WassenaarArrangement.BoththemaximalRSAmodulussizeandthemaximalÞeldsizeallowedbytheWassenaarArrangementare512bits,i.e.,RSAmoduliandasaboveshouldbelessthan2Attacks.FactoringanRSA-modulusbyexhaustivesearchamountstotryingallprimesupto .FindingadiscretelogarithmbyexhaustivesearchrequiresontheorderofoperationsinGF.Thus,ifexhaustivesearchwerethebestattackonthesesystems,then112-bitRSAmodulior56-bitÕswouldgivesecuritycomparablewiththeDES.However,therearemuchmoreefÞcientattacksthanexhaustivesearchandmuchlargerkeysarerequired.Surprisingly,themethodstoattackthesetwoentirelydifferentproblemsaresimilar,andforthisreasonwetreatRSAandTDLsystemsasthesamecategory.ThefastestfactoringalgorithmpublishedtodayistheNumberFieldSieve,inventedin1988byJohnPollard.Originallyitcouldbeusedonlytofactornumbersofaspecialform,suchastheninthFermatnumber21(factoredin1990).ThisoriginalversioniscurrentlyreferredtoastheSpecialNumberFieldSieve(SNFS)asopposedtotheGeneralNumberFieldSieve(NFS),whichcanhandlenumbersofarbitraryform,includingRSAmoduli.OnheuristicgroundstheNFScanbeexpectedtorequiretimeproportionaltotofactoranRSAmodulus,wherethetermgoestozeroasgoestoinÞnity.Fornotationalconveniencewereferto(1)asasn],whichisanabbreviatedversionofthemorecommondeÞnition SelectingCryptographicKeySizes263Theruntimetimen]iscalledsubexponentialintheinputsizebecauseasgoestoinÞnityitislessthanforanyconstant0.ThestoragerequirementsoftheNFSareproportionalto n].TheexpectedruntimeoftheSNFSis 5262];thus,theSNFSismuchfasterthantheNFS,butitcannotbeusedtoattackRSAmoduli.Ifisaprimenumber,thenadiscretelogarithmvariationoftheNFS,whichwerefertoasÒDLNFS,ÓÞndsadiscretelogarithminGFinexpectedtimeproportionaltotop].TheseruntimeestimatesÑwithomissionoftheasiscustomaryÑcannotbeuseddirectlytoestimatethenumberofoperationsrequiredtofactoracertainortocomputediscretelogarithmsinacertainGF.Forinstance,thediscretelogarithmprobleminisconsiderablymoredifÞcultthanfactoringanofaboutthesamesizeas,buttp]andandn]areapproximatelyequaliftheÕsareomitted.However,asshownbyextensiveexperiments,theestimatescanbeusedforlimitedrangeextrapolation.Ifoneknows,byexperimentation,thatfactoringanRSAmodulususingtheNFStakestimethenfactoringsomeotherRSAmoduluswilltaketimeclosetotom]=L[n]/(omittingtheÕs),ifthesizesofdonotdifferbytoomuch,saybynotmorethan100bits.If,however,ismuchbiggerthan,thentheeffectofthegoingtozerocannolongerbeignored,andandm]=L[n]/willbeanoverestimateofthetimetofactor[36].ThesameruntimeextrapolationmethodappliestotheDLNFS.NFSbackground.Forabetterappreciationofthesecurityofferedbyclassicalasymmetricsystemswhencomparingthemwithotherasymmetricsystems,wedescribeafewmoredetailsoftheNFS.Itconsistsoftwomajorsteps,asievingstepandamatrixstep,whichintheorytakeanequalamountofcomputingtimeasgoestoinÞnity.Fornumbersinourcurrentrangeofinterest(say,upto700bits),however,thematrixsteptakesonlyafractionofthecomputingtimeofthesievingstep.Thesievingstepcanbeevenlydistributedoveranynumberofprocessors,withhardlyanyneedforcommunication,resultinginalinearspeedup.Thecomputingpowerrequiredforthesievingstepoflarge-scalefactorizationscaninprinciplequiteeasilybeobtainedonanylooselycouplednetworkofcomputerssuchastheInternet.Thematrixstepontheotherhanddoesnotallowsuchastraightforwardparallelization.ThesituationisworsefortheDLNFS.Although,asintheNFS,theDLNFSsievingandmatrixstepsareintheoryequallyhard,theDLNFSmatrixstepisseveralordersofmagnitudemoretime-andmemory-consumingthantheNFSmatrixstep.Currentlythematrixstepisconsideredtobethemajorbottleneckobstructingsubstantiallylargerfactorizationsorevenmildlyinterestingdiscretelogarithmcomputations.Effortsareunderwaytoimplementitonafastandhigh-bandwidthnetworkofPCs.Eventhoughtheeffectivenessofthatapproachisstilluncertain,earlyexperimentslookencouraging[24],[39]andthereisnoreasontobelievethatparallelizationofthematrixstepwillnotbesuccessful.ItistemptingtousetheperceiveddifÞcultyandapparentÒunparallelizabilityÓofthematrixstepasanargumentinfavorofRSAkeyssmallerthansolelybasedontheestimatedcomputationalcostofbreakingthem.Itisuncleartous,however,howthisperceiveddifÞcultyshouldbefactoredin,and,moreimportantly,weÞnditimprudenttodosobecauseitisunlikelythatitwilllast.Indeed,therearestrongandconsistentindicationsthatveryfastnetworksofratherlargePCshavebeendesigned,andmayevenhavebeenbuilt,thatwouldbeabletotacklematricesthatareveryfaroutofreachfor 264A.K.LenstraandE.R.Verheulgenerallyaccessiblecomputersystems.Inthiscontextwerepeat(Remark1.4.1)thatitisnaõvetobelievethatthepublishedfactorizationofa512-bitRSAmodulusreferredtoin2.4.6belowisthebestonecandoatthispoint(seealso3.1.2).Softwaredatapoints.ThelargestpublishedfactorizationusingtheNFSisthatofthe512-bitnumberRSA155,whichisanRSAmodulusof155decimaldigits,inAugustof1999[6].Thisfactoringeffortwasestimatedtocostatmost20yearsonaPCwithatleast64MBofmemory(orasingledayon7500PCs).Thistimewasspentalmostentirelyonthesievingstep.Itislessthan10Mips-Yearsandcorrespondstofewerthanoperations,whereaswhereas155]D2¤1019(omittingthe).Thisshowsthatthatn]overestimatesthenumberofoperationstobecarriedoutforthefactorizationof.TheruntimegivenhereistheactualruntimeoftheRSA155factoringeffortandshouldnotbeconfusedwiththeestimatesgivenin[37],whichappearedaroundthesametime;theseestimatesare100timestoohigh[26].ThelargestnumberfactoredusingtheSNFSisthe233-digit(and773-bit)number21,inNovemberof2000,inlessthan17,000Mips-Years.TheseruntimesareonlyafractionofthecostofasoftwareDESkeysearch,buttheamountofmemoryneededbytheNFSisseveralordersofmagnitudelarger.PracticalexperiencewiththeDLNFSisstilllimited.Itisgenerallyacceptedthat,foranyuptoabout500,factoring-bitintegerstakesaboutthesameamountoftimeascomputingdiscretelogarithmsin-bitÞelds,whereisasmallconstantaround20.ForgoingtoinÞnitythereisnodistinctionbetweenthehardnessof-bitfactoring-bitdiscretelogarithms.BelowwedonotpresentseparatekeysizesuggestionsforTDLsystemsandwerecommendusingtheRSAkeysizesuggestionsforTDLsystemsaswell.Special-purposehardwaredatapoints.Special-purposehardwaredevicesareoccasionallyproposedforthemosttime-consumingstepoffactoringalgorithmssuchasthesievingstepoftheNFS,butnousefuldatapointshavebeenpublished.Recently,ShamirproposedtheTWINKLEopto-electronicsievingdevice[33],[21].Thisdevice,iffeasibleatall,doesnotaffecttheasymptoticruntimeoftheNFS,nordoesitaffectthematrixstep.Duetothecomplexityoftheunderlyingfactorizationalgorithmsandthecorrespondinghardwaredesignforanyspecial-purposehardwarefactoringdevice,itwouldbedifÞculttoachieveparallelizationatareasonablecostandatascalecomparablewithhardwareattacksontheDES,butitmaynotbeimpossible.Also,bythetimeaspecial-purposedesigncouldbeoperationalitisconceivablethatitwouldnolongerbecompetitiveduetonewalgorithmicinsightsandfastergeneral-purposeprocessors.Giventhecurrentstateoftheartweconsiderittobeunlikelythatspecial-purposehardwarewillhaveanoticeableimpactonthesecurityofRSAmoduli.HoweverweÞnditimprudenttoignorethepossibilityaltogether,andwarnagainsttoostrongarelianceonthebeliefthatspecial-purposeattacksonRSAareimpossible.Toillustratethis,thequadraticsievefactoringmethodwasimplementedsuccessfullyonaSingle-Instruction-Multiple-Data(SIMD)architecture[12].AnSIMDmachineisbynomeansspecial-purposehardware,butitcouldberelativelycheapcomparedwithordinaryPCs. SelectingCryptographicKeySizes265Effectivenessofguessing.Obviously,keysizesforclassicalasymmetricsystemshavetobelargerthan512toobtainanysecurityatall(where512isthesizeoftheÒbrokenÓRSAmodulusRSA155;see2.4.6).Itmaysafelybeassumedthatbreakingthesystembyguessworkisoutofthequestion:itwouldrequireatleast254correctlyguessedbitsforRSAor512bitsforTDL.So,fromthispointofview,classicalasymmetricsystemsseemtobemoresecurethansymmetrickeycryptosystems.ForRSAthereismoretothisstory,asshownin2.4.9below.Incompleteattacks.BoththeNFSandtheDLNFSareeffectiveonlyifruntocompletion.Thereisnochancethatanyresultswillbeobtainedearly.RSA,however,canalsobeattackedbytheEllipticCurveMethod(ECM).Afterarelativelysmallamountofworkthismethodproducesafactorwithsubstantiallyhigherprobabilitythanmereguesswork.Togiveanexample,if1billionpeopleweretoattacka512-bitRSAmodulus,eachbyrunningtheECMforjust1hourontheirPC,thentheprobabilitythatoneofthemwouldfactorthemodulusismorethan10%.Fora768-bitRSAmodulustheprobabilityofsuccessofthesamecomputationaleffortisaboutoneinamillion.Admittedly,thisisaverylowsuccessprobabilityforatremendouseffortÑbutthesuccessprobabilityisordersofmagnitudelargerthanguessing,whiletheamountofworkisofthesameorderofmagnitude.NodiscretelogarithmequivalentoftheECMhasbeenpublished.ThedetailsofourECMruntimepredictionsarebeyondthescopeofthisarticle.SeealsoSection5.9.Cryptanalyticprogress.Classicalasymmetricsystemsaretheprimeexampleofsystemsforwhichtheeffectivenessofcryptanalysisissteadilyimproving.Roughlyspeakingtheeffectofalgorithmicimprovementsoverthelast25yearsturnedouttobecomparablewiththeeffectoffasterhardware;seeRemark4.3.1(2).Thecurrentstateoftheartoffactoring(anddiscretelogarithm)algorithmsshouldnotbeinterpretedastheculminationofmanyyearsofresearchbutisjustasnapshotofworkinprogress.ItmaybeduetotherelativecomplexityofthemethodsusedthatsomanymoreorlessindependentimprovementsandreÞnementshavebeenmadeandÑwithoutanydoubtÑwillbemade.Weillustratethispointwithalistofsomeofthedevelopmentssincetheearlyseventies,eachofwhichhadasubstantialeffectonthedif-Þcultyoffactoringorcomputingdiscretelogarithms:continuedfractionmethod,linearsieve,quadraticsieve,multiplepolynomialvariation,Gaussianintegers,looselycoupledparallelization,multiplelargeprimes,specialnumberÞeldsieve,structuredGaussianelimination,numberÞeldsieve,singularintegers,latticesieving,blockLanczosorcon-jugategradient,sieving-basedpolynomialselectionfortheNFS,and,mostrecently,parallelizedblockLanczos.WeÞnditreasonabletoassumethatthistrendofcontinuousalgorithmicdevelopmentswillcontinueintheyearstocome.IthasneverbeenprovedthatbreakingRSAisequivalenttofactoringtheRSAmodulus.Indeed,forRSAthereisevidencethattheequivalencedoesnotholdiftheso-calledpublicexponent(anotherpartoftheRSApublickey)issmall.WethereforeintroducetheexplicitassumptionthatbreakingRSAisequivalenttofactoringtheRSAmodulus.BasedonrecentresultsinthisareathepublicexponentforRSAmustbesufÞcientlylarge.Valuessuchas3and17cannolongerberecommended,butcommonlyusedvaluessuchas265,537stillseemtobeÞne.Ifonepreferstostayonthesafesideonemayselectanodd32-bitor64-bitpublicexponentatrandom. 266A.K.LenstraandE.R.VerheulFurthermorewerestrictourselvestoTDL-basedprotocolsforwhichattacksareprov-ablyequivalenttoeithercomputingdiscretelogarithmsorsolvingtheDifÞeÐHellmanproblemÑtheproblemofÞndinggivenforknown(butunknown).Thereisstrongevidencethatthelatterproblemisequivalenttocomputingdiscretelogarithms.Weexplicitlyexclude,however,TDL-basedprotocolsthatrelyontheso-calledDecisionDifÞeÐHellmanproblemÑtheproblemofdistinguishing,andforarandomaregiven[18].SubgroupDiscreteLogarithmSystems.Subgroupdiscretelogarithm(SDL)systemsareliketraditionaldiscretelogarithmsystems,exceptthatgeneratesarelativelysmall,butsufÞcientlylarge,subgroupofthemultiplicativegroupGF,anideaduetoSchnorr.Thesizeofthesubgroupisprimeandisindicatedby.Theprivatekeyisatleast1andatmost1.ThesecurityofSDLisbasedonthedifÞcultyofcomputingdiscretelogarithmsinasubgroupofthemultiplicativegroupofaÞniteÞeld.Thesecanbecomputedifdiscretelogarithmsinthefullmultiplicativegroupcanbecomputed.Therefore,thesecurityofanSDLsystemreliesonthesizesofboth.Nevertheless,thesizeofanSDLkeysimplyreferstothebit-lengthofthesubgroupsize,wheretheÞeldsizegivenbythecontext.TheactualnumberofbitsrequiredtostoreanSDLpublickeyissubstantiallylargerthantheSDLkeysize,sincethepublickeycontains,andaswell.WassenaarArrangement.ThemaximumSDLÞeldsizeallowedbytheWasse-naarArrangementis512bitsÑthereisnomaximumallowedkeysize.Apopularsub-groupsizeis160bits.ThatchoiceisusedintheUSDigitalSignatureAlgorithm,withÞeldsizesvaryingfrom512to1024bits.Attacks.MethodsthatcanbeusedtoattackTDLsystemscanalsobeusedtoattackSDLsystems.TheÞeldsizeshouldthereforesatisfythesamesecurityrequire-mentsasinTDLsystems.However,thesubgroupdiscretelogarithmproblemcanalsobeattackeddirectlybyPollardÕsrhomethod,whichdatesfrom1978,andbyShanksÕsevenolderbaby-stepÐgiant-stepmethod.Thesemethodscanbeappliedtoanygroup,aslongasthegroupelementsallowauniquerepresentationandthegrouplawcanbeappliedefÞcientlyÑunliketheDLNFSitdoesnotrelyonanyspecialpropertiesthatgroupelementrepresentationsmayhave.TheexpectedruntimeofPollardÕsrhomethodisexponentialinthesizeof,namely1 groupoperations,i.e.,multiplicationsin.Itsstoragerequirementsareverysmall.ShanksÕsmethodneedsaboutthesamenumberofoperationsbutneedsstorageforabout groupelements.PollardÕsrhomethodcaneasilybeparallelizedoveranynumberofprocessors,withverylimitedcommunication,resultinginalinearspeedup[40].ThisisanotherillustrationofthepowerofparallelizationandanotherreasontokeeptrackofthecomputationalpoweroftheInternet.Furthermore,thereisnopost-processinginvolvedinPollardÕsrho(unlikethe(DL)NFS,whereaftercompletionofthesievingstepthecumbersomematrixstephastobecarriedout),althoughfortheparallelizedversionsubstantialamountsofstoragespaceshouldbeavailableatacentrallocation. SelectingCryptographicKeySizes267Datapoints.WehavenotbeenabletoÞndanyusefuldataabouttheeffectivenessofanattackonSDLsystemsusingtheparallelizedversionofPollardÕsrhomethod.OurÞguresbelowarebasedonanadaptationofdatapointsforellipticcurvesystems.Thisisdescribedindetailin4.2.5.Effectivenessofguessing.AslongasSDLkeysarenotshorterthanthe112bitspermittedbytheWassenaarArrangementforECsystems(see2.6.2),guessingtheprivatekeyrequiresguessingatleast112bits,whichmaysafelybeassumedtobeinfeasible.Incompleteattacks.ThesuccessprobabilityofPollardÕsrhomethodis,roughlyspeaking,proportionaltothesquareofthefractionoftheworkperformed,i.e.,forany1,thechanceisthatthekeyisfoundafterperformingafractionoftheexpected1 groupoperations.So,doing10%oftheworkyieldsa1%successrate.Cryptanalyticprogress.SincetheinventionofPollardÕsrhomethodin1978nonewresultshavebeenobtainedthatthreatenSDLsystems,withtheexceptionoftheefÞcientparallelizationofPollardÕsrhomethodin1996.Theonlyreasonableextrapo-lationofthisrateofalgorithmicprogressistoassumethatnosubstantialprogresswillbemade.ProgresswouldalmostnecessarilyimplyanentirelynewapproachandmayinstantaneouslywipeoutallpracticalSDLsystems.Theresultsin[27]and[35]that,inacertaingenericmodelofcomputation,PollardÕsrhomethodisessentiallythebestonecandomaybecomfortinginthiscontext.Itshouldbekeptinmind,however,thatthegenericmodeldoesnotapplytoanypracticalsituationthatweareawareof,andthatthepossibilityofasubexponentialattackagainstSDLsystemscannotberuledout.EllipticCurveSystems.Ellipticcurve(EC)systemsarelikeSDLsystems,exceptthatgeneratesasubgroupofthegroupofpointsonanellipticcurveoveraÞniteÞeld,anideaindependentlyduetoKoblitzandMiller.Thesizeofthesubgroupgeneratedbyisprimeandtheprivatekeyisintherange[1ThesecurityofECsystemsisbasedonthedifÞcultyofcomputingdiscretelogarithmsinthesubgroupgeneratedby.ThesecanbecomputedifdiscretelogarithmsinthefullgroupofpointsonanellipticcurveoveraÞniteÞeldcanbecomputed.ThisproblemisknownastheECDLproblem.NobettermethodtosolvetheECDLproblemisknownthanbysolvingtheprobleminallcyclicsubgroupsandbycombiningtheresults.ThedifÞcultyoftheECDLproblemthereforedependsonthesizeofthelargestprimedivisoroftheorderofthegroupofpointsofthecurve(whichiscloseto).Forthatreason,,andareusuallychosensuchthatthesizesofareclose.Thus,thesecurityofECsystemsreliesonthesizeof,andthesizeofanECkeyreferstothebit-lengthofthesubgroupsize.TheactualnumberofbitsrequiredtostoreanECpublickeymaybesubstantiallylargerthantheECkeysize,sincethepublickeycontains,andaswell.AdescriptionofthegroupofpointsonanellipticcurveoveraÞniteÞeldandhowsuchpointsarerepresentedoroperateduponisbeyondthescopeofthisarticle.NeitherdowediscusshowappropriateellipticcurvesandÞniteÞeldscanorshouldbeselected. 268A.K.LenstraandE.R.VerheulWassenaarArrangement.ThemaximumECkeysizeallowedbytheWassenaarArrangementis112bits,withunspeciÞedÞeldsize.ForprimeÞeldsapopularsizeis160bitsbothfortheÞeldsizeandthesubgroupsize.Fornon-primeÞeldsanexampleofacommerciallyavailablechoiceiswitha161-bitAttacks.ADLNFSequivalentorothersubexponentialmethodtoattackECsystemshasneverbeenpublished.ThemostefÞcientmethodpublishedtoattackECsystemsisPollardÕsparallelizablerhomethod,withanexpectedruntimeof0 groupoperations.Thisruntimeisexponentialinthesizeof.Theexpectednumberofiterationsisafactor 2smallerthanforSDLsystems,duetotheresultindependentlydescribedin[15]and[46].IfÞeldinversionsareproperlyhandled,theaveragenumberofÞeldmultiplicationspergroupoperationisapproximately12[14].Softwaredatapoints.Becauseareassumedtobeofthesameorderofmagnitudethecostofthegroupoperationisproportionalto.DataabouttheeffectivenessofanattackusingPollardÕsrhomethodcanbefoundin[7].Fromtheestimatesgiventherewederivethata109-bitECsystemwithshouldtakeabout18,000yearsonaPC(or,equivalently,1yearon18,000PCs)whichisabout8MMY.Thiscomputationisfeasibleonalargenetworkofcomputers.Italsofollowsfrom[7]thatanattackona109-bitECsystemwithaprimeofabout109bitsshouldtakeabout2.2MMY.Thisisanunderestimatebecauseitisbasedonprimesofaspecialformandthusoverlyoptimisticforgeneralprimes[14].Nevertheless,itisusedasthebasisforextrapolationstoestimatetheeffortrequiredforsoftwareattacksonlargerECsystemsoverprimeÞelds(Section1.3).Special-purposehardwaredatapoints.In1996anattackagainsta120-bitECsystemwithwassketched(andpublished3yearslater,see[40])basedonaspecial-purposehardwaredesignthatachievesa25-million-foldparallelism,i.e.,330,000special-purposeprocessorchipseachrunning75independentPollardrhoprocesses.Buildingthismachinewouldcost$10millionanditsruntimewouldbeabout32days.Thedesignersclaimthatanattackercandobetterbyusingcurrentsilicontechnologyandthatfurtheroptimizationmaybeobtainedfrompipelining.Ontheotherhand,in[7]itismentionedthat131-bitECsystemsÒareexpectedtobeinfeasibleagainstrealisticsoftwareandhardwareattacks,Ówhere131-bitsystemsover131-bitÞeldsareabout32timeshardertobreakthan120-bitsystemsover155-bitÞelds.Thisshowsthatthereisnocleardistinctionbetweenwhichcomputationsareconsideredtobefeasibleandwhicharenot,andthatdrawingaconclusionfromacostevaluationismostlyamatterofpersonaltasteandpreferences(see3.1.2).ThepipelineddesignisfurtherconsideredinSection3.2.Effectivenessofguessing.AslongasECkeysarenotshorterthanthe112bitspermittedbytheWassenaarArrangement,guessingtheprivatekeyrequiresguessingatleast112bits,whichmaysafelybeassumedtobeinfeasible.Incompleteattacks.AswithPollardÕsrhoattackagainstSDLsystems,thechanceisthatthekeyisfoundafterperformingafractionoftheexpected0 groupoperations. SelectingCryptographicKeySizes269Cryptanalyticprogress.Withtheexceptionoftheresultfrom[15]and[46],noprogressthreateningthegeneralECDLproblemhasbeenmadesincetheinventionofPollardÕsrhomethodin1978anditsparallelizationin1996(see2.5.7).ThekeywordhereisÒgeneral,ÓbecauseEC-relatedcryptanalyticresultsareobtainedquiteregularly.Sofartheseresultsmostlyaffect,orratherÒwipeout,Óspecialcases,e.g.,curvesforwhichtheorderofthegroupofpointsortheunderlyingÞniteÞeldhavespecialproperties.Forthenon-specializeduserthisishardlycomforting:ECsystemsarerelativelycomplicatedanddesignersoftenapplyspecialcasestoavoidnastyimplementationproblems.Wemaketheexplicitassumptionthatcurvesarepickedatrandom,i.e.,thatspecialcasesarenotused,andthatonlycurvesoverprimeÞeldsareused.Basedonthisassump-tionandthelackofcryptanalyticprogressaffectingsuchcurvesitisnotunreasonabletoassumethattherewillbenosubstantialprogressintheyearstocome.Itis,however,nothardtoÞndresearcherswhoÞndthatECsystemshavenotbeenaroundlongenoughtotrustthemfullyandthattherichmathematicalstructureofellipticcurvesmaystillhavesomesurprisesinstore.OthersarguethattheECDLproblemhasbeenstudiedextensively,andthatthelackofprogressaffectingwell-chosenECsystemsindicatesthattheyaresufÞcientlysecure.Wedonotwanttotakeapositioninthisargumentbutnotethatsomerecentdevelopments[17]and[41]seemtosupporttheformerstandpoint.Forthepurposesofthepresentpaper,wesimplysuggesttwokeysizesforECsystems:onebasedonÒnocryptanalyticprogressÓandonebasedonÒcryptanalyticprogressataratecomparablewithRSAandTDLsystems,ÓthelatterdespiteourfearorconvictionthatanynewcryptanalyticinsightagainstECsystems,suchasasubexponentialmethod,mayprovetobefatal.Readersmaytheninterpolatebetweenthetwotypesofextrapolationsaccordingtotheirowntaste.CryptographicHashFunctions.AcryptographichashfunctionisafunctionthatmapsanarbitrarylengthmessagetoaÞxedlengthÒhashÓofthemessage,satisfyingvariouspropertiesthatarebeyondthescopeofthisarticle.Thesizeofthehashfunctionisthelengthinbitsoftheresultinghash.ExamplesofcryptographichashfunctionareMD4,MD5(bothofsize128),SHA-1,RIPEMD-160(bothofsize160),and,mostrecently,SHA-256(ofsize256).Attacks.Weassumethatasuccessfulattackagainstacryptographichashfunc-tionconsistsofÞndingsuchthatthehashesofarethesame.IfcannotbefoundthehashfunctioniscalledÒcollision-resistant.ÓForhashfunctionsthatareonlyrequiredtobeÒtargetcollision-resistantÓ(i.e.,itissupposedtobeinfeasibletoÞndanthathashestoagiventargethashvalue),thesizesmaybehalvedassumingthehashfunctionisproperlyused.Cryptographichashfunctionscanbeattackedbytheso-calledbirthdayparadoxattack.Thenumberofhashfunctionap-plicationsrequiredbyasuccessfulattackisexpectedtobeproportionalto2,whereisthesizeofthehashfunction.Softwaredatapoints.In[4]241,345,837,and1016PentiumcyclesarereportedforMD4,MD5,SHA-1,andRIPEMD-160,respectively.Thiscompareswith360Ð 270A.K.LenstraandE.R.Verheul500cyclesfortheDESdependingonÞxedorvariablekeys,asreportedin[2]and[8](see2.2.4).Thus,thesoftwarespeedofahashfunctionapplicationasusedbyabirthdayparadoxattackiscomparablewiththesoftwarespeedofasingleDESblockencryption.Special-purposehardwaredatapoints.Special-purposehardwarehasbeende-signedforseveralhashfunctions.Wemayassumethattheirspeediscomparablewiththespeedofspecial-purposeexhaustivekeysearchhardware.Cryptanalyticprogress.Weassumetheexistenceofagenericcryptographichashfunctionforwhichthebirthdayparadoxattackisthebestattack.Ifaproposeddesignallowsafasterattack,weassumethatitwillnolongerbeused.Weassumethatanexhaustivekeysearchattackonourgenericsymmetrickeycryptosystemofkeysizecanbeexpectedtotakeaboutthesametimeasabirthdayparadoxattackonourgenericcryptographichashfunctionofsize2.Thus,alowerboundforthesizeofcryptographichashfunctionsfollowsbydoublingthelowerboundforthesizeofsymmetrickeycryptosystems.BecauseofthissimpleÒruleofthumb,Ósizesofcryptographichashfunctionsarenotdiscussedinwhatfollows.Ifspeedsdiffer,adjustaccordingly.3.TheModelKeyPointsInthissubsectionwepresentthefourpointsonwhichthechoiceofcryptographickeysizesdependsprimarily:1.Lifespan:theexpectedtimetheinformationneedstobeprotected.2.Securitymargin:anacceptabledegreeofinfeasibilityofasuccessfulattack.3.Computingenvironment:theexpectedchangeincomputationalresourcesavailabletoattackers.4.Cryptanalysis:theexpecteddevelopmentsincryptanalysis.EfÞciencyandstorageconsiderationsconcerningthecryptographickeysmayalsoinßu-encethechoiceofkeysizes,butsincetheyarenotdirectlysecurity-relatedtheyarenotdiscussedhere.Lifespan.InthetableinSection4keysizesaresuggestedforthecryptosys-temsdiscussedinSection2,dependingontheexpectedlifespanofthecryptographicapplication.ItistheuserÕsresponsibilitytodecideuntilwhatyeartheprotectionshouldbeeffective,orhowtheexpectedlifespancorrespondstopopularsecuritymeasuressuchasÒshort-term,ÓÒmedium-term,ÓorÒlong-termÓsecurity.TheuserÕsdecisionmaydependonthevalueofthedatatobeencrypted.Securitymargin.AcryptosystemcanbeassumedtobesecureonlyifitisconsideredtobesufÞcientlyinfeasibletomountasuccessfulattack.Unfortunately,itishardtoquantifywhatpreciselyismeantbyÒsufÞcientlyinfeasibleÓ(see2.6.5).Onecould,forinstance,decidethatakeysizeforacertaincryptosystemissecureforcurrentapplicationsifbreakingitwouldbe,say,10timesharderthanthelargestkeysizethat SelectingCryptographicKeySizes271cancurrentlybebrokenforthatcryptosystem.ThereareseveralproblemswiththisFirst,thechoice10isratherarbitrary.Secondly,itisnaõvetobelievethatthelargestpublishedkeybrokensofaraccuratelyrepresentsthebestthatcancurrentlybedone(Remark1.4.1).Inthethirdplace,forsomeofthecryptographicprimitivesconsideredheredatamaynotbeavailable(TDL,see2.4.6,andSDL,see2.5.4),ortheymaybeoutdated,therebyrulingoutuniformapplicationofthisapproach.Finally,theproblemofanyÞxedsecuritymarginisthattherearealwaysuserswhopreferadifferentchoice.Weoptforadifferentapproachbyofferingaßexiblechoiceofsecuritymargin.DeÞnitionI.ThesecuritymarginisdeÞnedastheyearuntilwhichauserwaswillingtotrusttheDES.TherationaleforthisdeÞnitionofsecuritymarginisthatthesecurityofferedbytheDESissomethingmostuserscanrelateto,forinstancebecausetheircompanyusedtheDESuntilacertainyear.Furthermore,differentchoicesofallowustosatisfydifferentsecurityneeds.AnotheradvantageofourchoiceofsecuritymarginisdiscussedinRemark3.1.4.TheDESwasintroducedin1977andstipulatedtobereviewedevery5years.WethereforeassumethattheDESwasatleastsufÞcientlysecureforcommercialapplicationsuntil1982.DefaultSettingI.OurdefaultsettingforOurdefaultsettingforassumesthatin1982acomputationaleffortof0.5MMYprovidedanadequatesecuritymarginforcommercialDESapplicationsagainstsoftwareattacks(see2.2.4).Asfarashardwareattacksareconcerned,theDESkeysearching[$50million,2days,1980]-hardware(see2.2.5)wasnotaseriousthreatforcommercialapplicationsoftheDESatleastuntil1982.WestressÒcommercialapplicationsÓbecause,evenfor1980budgets,$50millionand2dayswerebynomeansaninsurmountableobstacleforcertainorganizations.Ourdefaultsettingforisfurtherdiscussedbelow(Remark3.1.8).Althoughallourresultsarebasedonthedefaultsetting1982,theycaneasilybeadaptedtoproducekeysizerecommendationsforanyotherreasonablevalueof.InSection4.4itisindicatedhowthiscanbedone.ThemaximalvalueofaÒcommercialapplicationÓoftheDES,eitherbackin1982orrightnow,isthevalueofthecompanyencryptingthedata.Thus,overtimethereisnointrinsicdifferencebetweenthepossiblevalueofcommercialapplicationsoftheDES.Asbusinessesmoveonlinethenumberofcommercialapplicationsisincreasing,butvolumeisnotasecurityfactor.AconceptofÒvalueÓisthereforenotdirectlyincorporatedinourmodel,butvaluecanbecomparedwiththecostofanattackusingournotionofÒcostequivalenceÓ(Section4.5andthepenultimatecolumnofTable1).Seealso3.1.1.Wearegratefultoananonymousrefereeforsuggestingustoclarifythispoint.Remarkonsecuritymargin.AparticularchoicefordoesnotimplythattheDESisthoughttobevulnerablefromyearon[38];itmeansthattheuserwhopickediswillingtotrusttheDESuntiltheyear.Ofcourse,anyresponsibleusermaintains 272A.K.LenstraandE.R.Verheulacomfortablemarginbetweenthemomentuntilwhichtheyarewillingtouseasystemandthemomentwhentheybelievethesystemtobevulnerable.Itisbafßingthatanyonewouldseriouslybelieve[38]thattheDESwasnotactuallybrokenuntil1997,theyearthatitwaspubliclydemonstrated(Remarks1.4.1and3.1.8).Remarkonsecuritymarginandincompleteattacks.ItshouldbeunderstoodthatourdeÞnitionofsecuritymargin(DeÞnitionI)alsotakesintoaccounttheprobabilityofsuccessofincompleteattacks.Indeed,trustingtheDESimpliesthatoneÞndsittobesufÞcientlyresistanttoalltypesofpotentialattackers.Thatis,thewholespectrumbetween,ontheonehand,attackersthatsearchafractioncloseto1ofthekeyspaceand,ontheotherhand,attackersthatsearchafractioncloseto0ofthekeyspace.Theformerisassumedtobetooexpensivetocarryout,andforthelatteritisassumedthattheprobabilityofsuccessistoolow.Notethatthesuccessprobabilityofexhaustivekeysearchisproportionaltothefractionofthekeyspacesearched(see2.2.7),butthatforPollardÕsrhomethodtheprobabilityofsuccessisonlyproportionaltothesquareofthefractionoftheworkperformed(see2.5.6and2.6.7).Therefore,anincompleteattackagainstECorSDLsystemshasasmallerprobabilityofsuccessthanasimilarlyincompleteattackagainsttheDES.Thus,ifECorSDLkeysizesmaybeexpectedtosatisfyacertainsecuritymargin,theyalsoofferresistanceagainstincompleteattacksthatisatleastequivalenttotheresistanceofferedbytheDES.BecausefurthermoreincompleteattacksagainstRSAandTDLsystemscannotbeexpectedtobesuccessfulatall(see2.4.9andSection5.9),weconcludethattheeffectofincompleteattackshaseffectivelybeentakencareofinourmodel.SeealsoSection5.8.Computingenvironment.Toestimatehowthecomputingpoweravailabletoat-tackersmaychangeovertimeweuseMooreÕslaw.MooreÕslawstatesthatthedensityofcomponentsperintegratedcircuitdoublesevery18months.Awidelyacceptedinterpre-tationofthislawisthatthecomputingpowerperchipdoublesevery18months.Thereissomeskepticismwhetherthislawwill,orevencan,holdmuchlongerbecausenewtechnologieswilleventuallyhavetobedevelopedtokeepupwithit.ThereforeweallowtheusertodeÞnethefollowingslightvariationofMooreÕslawthatislesstechnologyDeÞnitionII.Thevariable0isdeÞnedasthenumberofmonthsittakesonaverageforanexpectedtwofoldprocessorspeedupandmemorysizeincrease.DefaultSettingII.OurdefaultsettingforDeÞnitionIII.The0,1-valuedvariabledeÞneshowmustbeinterpreted:ÐIf1theamountofcomputingpowerandrandomaccessmemory(RAM)onegetsforadollarisexpectedtodoubleeveryÐIf0theamountofcomputingpowerandRAMisexpectedtodoubleeverymonths,irrespectiveoftheprice.DefaultSettingIII.Ourdefaultsettingfor SelectingCryptographicKeySizes273DefaultSettingIIcorrespondstoapopularinterpretationofMooreÕslaw.CombinedwithDefaultSettingIIIitleadstoalesstechnologydependentversionofMooreÕslawthatmayholdevenifMooreÕstraditionallawnolongerholdsbecauseoftechnologicalSofarDefaultSettingsIIandIIIseemtobesufÞcientlyaccurate:every18monthstheamountofcomputingpowerandRAMonegetsforadollardoubles.Withthesedefaultsettingsitfollowsthatforthesamecostoneexpectstogetafactorof2100morecomputingpowerandfastmemoryevery10years,eitherinsoftwareonmultipurposechips(PCs)orusingspecial-purposehardware.Toillustratethis,itisnotunreasonabletoassumethatacheaperandslowerversionoftheDESkeysearching[$50million,2days,1980]-hardware(see2.2.5)wouldbe[$1million,100days,1980]-hardware,i.e.,50timeslesshardwareandtherefore50timesslower.WithDefaultSettingsIIandIIIthelatterhardwaremaybeexpectedtobe2timesfasterin1993,sincethereare1266monthsbetween1980and1993.Since2406and100406daysisabout6hours,thiswouldresultin[$1million,6hours,1993]-hardwarewhichisindeedclosetoWienerÕs[$1million,3.5hours,1993]-hardwaredesign(see2.2.5).Ontheotherhand,furtherextrapolationsuggests[$1million,0.6hours,1998]-hardwareforDESkeysearching.Thatisapproximatelyequivalentto[$130,000,4.6hours,1998]-hardware,andtherebyabout24timesfasterthanthe[$130,000,112hours,1998]-hardwarethatwasactuallybuiltin1998[19].AccordingtoKocher[20]thisanomalyisduetothefactthatbuildingthe$130,000machinewas,relativelyspeaking,asmall-scaleenterprisewhereeverydoublingofthebudgetwouldhavequadrupledtheperformance.Obviouslythisnon-linearimprovementappliesonlyaslongasthedeviceisrelativelysmall.0itisassumedthatthecomputationalresourcesavailabletoattackersdoubleeverymonths,sotheirbudgetsarenotimmediatelyrelevant.If1theeffectofbudgetincreasesandinßationhavetobetakenintoaccount.ThisleadstothefollowingDeÞnitionIV.Thevariable0isdeÞnedasthenumberofyearsittakesonaverageforanexpectedtwofoldincreaseofbudget.DefaultSettingIV.OurdefaultsettingforTheUSGrossNationalProductshowsatrendofdoublingevery10years:$1630billionin1975,$4180billionin1985,and$7269billionin1995,whereeachÞgureisgivenincontemporarydollars.DefaultSettingIVleadstotheassumptionthatthebudgetsoforganizationsÑincludingtheonesbreakingcryptographickeysÑdoubleevery10years,measuredincontemporarydollars.NotethatwithDefaultSettingIVtheeffectofbudgetincreasesisverysmall;seeRemark1.1.1.CombinationofDefaultsSettingsIÐIV.Ifin1982anamountofcomputingpowerof0.5MMYisassumedtobeinfeasibletoinvestinanattackonacommercialcryptographicapplication,then100MMYisinfeasiblein1992. 274A.K.LenstraandE.R.VerheulMMYisinfeasiblein2002,and4MMYisinfeasiblein2012.TheseÞguresagreewithOdlyzkoÕsestimatesbasedoncomputingpowerthatmaybeavailableontheInternet[29].Ourestimatesare,however,obtainedinanentirelydifferentfashion..Itisimpossibletosaywhatcryptanalyticdevelopmentswilltakeplace,orhavealreadytakenplacesurreptitiously.WeÞnditreasonabletoassumethatthepaceof(published)futurecryptanalyticÞndingsandtheirimpactarenotgoingtovarydramaticallycomparedwithwhatwehaveseenfrom1970until1999,asdescribedin2.2.8,2.4.10,2.5.7,2.6.8,and2.7.5.Nevertheless,weallowsomeßexibilityinthechoiceofexpectedcryptanalyticprogress.Asindicatedin2.2.8and2.7.5weassumethattherewillbenocryptanalyticdevel-opmentsaffectingsymmetrickeycryptosystemsorhashfunctions:ifthereisprogressweassumethattheaffectedsystemorfunctionisreplacedbyasystemorfunctionthatisnotaffected.Itfollowsfrom2.4.10and2.6.8thatwehavetotakeamoreßexibleapproachtoasymmetriccryptosystems.DeÞnitionV.Thenumber0isdeÞnedasthenumberofmonthsitisexpectedtotakeonaverageforcryptanalyticdevelopmentsaffectingclassicalasymmetricsystemstobecometwiceaseffective,i.e.,monthsfromnowwemayexpectthatattackingthesameclassicalasymmetricsystemcostshalfthecomputationaleffortitcoststoday.DefaultSettingV.OurdefaultsettingforDefaultSettingVcorrespondscloselytocryptanalyticprogressaffectingclassicalasym-metricsystemsduringthepast25years,asmentionedin2.4.10;seeRemark4.3.1(2).DeÞnitionVI.Thenumber0isdeÞnedasthenumberofmonthsitisexpectedtotakeonaverageforcryptanalyticdevelopmentsaffectingECsystems(chosenasindicatedin2.6.8)tobecometwiceaseffective,unless0inwhichcasenoECcryptanalyticprogressisexpected.DefaultSettingVI.OurdefaultsettingforDefaultSettingVIcorrespondswiththefactthattherehasnotbeensubstantialcryptan-alyticprogressaffectingECsystems,assumingthesystemhasbeenproperlychosenasindicatedin2.6.8.SincetherehasbeennocryptanalyticprogressaffectingSDLsystemssincethein-ventionofPollardÕsrhomethod(anditsparallelization)otherthanprogressaffectingthefullmultiplicativegroup(see2.5.7),weassumenocryptanalyticprogressaffectingSDLsystems.AlthoughforECsystemsthesituationissimilar(i.e.,forproperlycho-senparametersnoprogresstospeakofoverthelast10orsoyears)wechosetoallowprogressforECcryptanalysis(withDefaultSettingVIÒnoprogressÓ)because,unlikeSDLsystems,itisnothardtoÞndresearcherswhoÞnditnotunlikelythattherewill SelectingCryptographicKeySizes275beECcryptanalyticprogress.WedonotÞnditrealistictoexcludethepossibilityofcryptanalyticprogressaffectingclassicalasymmetricsystems,soisassumedtobestrictlypositive.Remarkondefaultsettings.Wedonotexpectthateveryoneagreeswithourdefaultsettings.InparticularDefaultSettingIisdebatable.Note,however,thatitdoesnotassumethattheDESwasunbreakablein1977or1982.ItassumesthattheDESofferedenoughsecurityforcommercialapplications,notthatwell-fundedgovernmentagencieswereunabletobreakitbackin1977.InthiscontextitmaybeentertainingtomentionthatWiener,afterpresentinghis[$1million,3.5hours,1993]-hardwaredesignatacryptographyconference,wastoldthathehaddoneanicepieceofworkandhewasofferedasimilarmachineatonly85%ofthecostÑwiththecatchthatitwas5yearsold[45].Inanycase,anyonewhofeelsthatourdefault1982infeasibilityassumptionistooweakortoostrongcanstillusethekeysizerecommendationsthatresultfromDefaultSettingI,i.e.,1982.InSection4.4itisexplainedhowthismaybedone.NeitherdoweexpectthateveryoneagreeswithDefaultSettingsIIÐIV.SomearguethatMooreÕslawcannotholdmuchlonger,othersarguethatitiswellunderstoodthatMooreÕslawisverylikelytodiearound2012orso,andstillothers[20]ÞndthatforbigmachinesMooreÕslawistoopessimistic.DefaultSettingsIIÐIVthusrepresentareasonablecompromise,inparticularbecausetheyallowatechnology-independentinterpretationofMooreÕslawÑeveniftechnologygetsworse,ifthatwerepossible,acquiringcomputingpowermaybecomecheaper.SoftwareversusSpecial-PurposeHardwareAttacksTheproposedkeysizesinthenextsectionareobtainedbycombiningDefaultSettingsIÐVIwiththesoftwarebasedMips-YearsdatapointsfromSection2.ThisimpliesthatallextrapolationsarebasedonÒsoftwareonlyÓattacksandresultincomputationallyequivalentkeysizes(Section1.4).Onemayobjectthatthisdoesnottakespecial-purposehardwareattacksintoaccount.Inthissubsectionwediscusstowhatextentthisisareasonabledecision,andhowourresultsshouldbeinterpretedtotakespecial-purposehardwareattacksintoaccountaswell.Symmetrickeysystems.In1980theDEScouldeitherbebrokenatthecostof0.5MMY(see2.2.4),orusing[$50million,2days,1980]-hardware(see2.2.5).In3.1.5wehaveshownthatthisisconsistentwithDefaultSettingIIandWienerÕs1993design.Itfollowsfromthisconsistencythatthe1982relationbetweensoftwareandspecial-purposehardwareattacksontheDEShasnotchanged.Inparticular,ifoneassumesthattheDESwassufÞcientlyresistantagainstaspecial-purposehardwareattackin1982,thesameholdsforthesymmetrickeysizessuggestedforthefuture,eventhoughtheyarebasedonextrapolationsofÒsoftwareonlyÓattacks.Wenotethatourestimatesandtheresultingcostofspecialhardwaredesignsforexhaustivekeysearchareconsistentwiththeestimatesgivenin[3]and[5].Furthermore,itseemsreasonabletoassumethataDESattackof1MMYiscomparablewithanattackby[$10million,20days,1980]-hardwareor,usingDefaultSettingII,II,¤106=210:66D$125,000,1day,1996]-hardware. 276A.K.LenstraandE.R.VerheulECsystems.Thecostofasoftwareattackona109-bitECsystemwithwasestimatedas8MMY(see2.6.4),sothatattackinga120-bitECsystemwithshouldtakeabout91timesasmanyMips-Years,i.e.,about730MMY.The[$10million,32days,1996]-hardwaredesignattackinga120-bitECsystemwith(see2.6.5)shouldthusbemoreorlesscomparablewith730MMY.However,thedesignersofthehardwaredeviceremarkthattheirdesignwasbasedon1992(orevenolder)technologywhichcanbeimprovedbyusing1996technology.So,byDefaultSettingII,theÒupgradedÓ[$10million,32days,1996]-hardwaredesigncouldbemoreorlesscomparablewith7304600MMY.ItfollowsthatanECattackof1MMYiscomparablewith[$70,000,1day,1996]-hardware.With3.2.1weÞndthat1MMYisequivalentto[$70,000Ð$125,000,1day,1996]-hardwaredependingonanECoraDESattack.Becauseoftheconsistencyofthesecon-versionsitistemptingtosuggestthat1MMYisapproximatelyequivalentto[$100,000,1day,1996]-hardware;moregenerally,that1MMYwouldbeequivalentto[$10,1day,]-hardwareinyear.Thatis,1MMYisequivalentto[$25,000,1day,1999]-hardware.Thisconversionformulawouldallowustogobackandforthbetweensoftwareandspecial-purposehardwareattacks,andmakeourentiremodelapplicabletohardwareattacksaswell.Inouropiniontheconsistencybetweenthetwoconversionsisamerecoincidencewithoutmuchpracticalmerit.IntheÞrstplace,theestimateholdsonlyforrelativelysimple-mindedDESorECcrackingdevicesforellipticcurvesovernon-primeÞelds(i.e.,thosewith),notforellipticcurvesoverprimeÞeldsandcertainlynotforfull-blownPCs.ForprimeÞeldsthehardwarewouldbeconsiderablyslower,whereasinsoftwareECsystemsoverprimeÞeldscanbeattackedfasterthanthoseovernon-primeÞelds(see2.6.4).Thus,forspecial-purposehardwareattacksonECsystemsoverprimeÞeldstheaboveconsistencynolongerholds.Inthesecondplace,accordingto[44],thepipelinedversionoftheEC-attackingspecial-purposehardwarereferredtoabovewouldbeaboutseventimesfaster,whichmeansthatalsoforspecial-purposehardwareattacksonECsystemsovernon-primeÞeldstheconsistencybetweenDESandECattacksislost.AlsoaccordingtoWiener[44],theprimeÞeldversionofthepipelineddevicewouldbeabout2to2timesslowerthanthenon-primeÞeldversion.Itshouldbenotedthatthedetailsofthepipelineddevicehaveneverbeenpublished(andmostlikelywillneverbepublished[45]).Asmentionedin2.6.8,weconsideronlyECsystemsthatuserandomlyselectedcurvesoverprimeÞelds.ThereforewemaybaseourrecommendationsonÒsoftwareonlyÓattacks,ifweusethesoftware-baseddatapointthata109-bitECsystemcanbeattackedin2.2MMY(see2.6.4).Thiscanbeseenasfollows.The2.2MMYunderestimatesthetruecost,andislowerthanthe8MMYcosttoattackthenon-primeÞeldofequivalentsize.Thelattercanbedoneusingnon-pipelinedspecial-purposehardwareinawaythatismoreorlessconsistentwithourDESinfeasibilityassumption,asarguedabove.Forspecial-purposehardwareanon-primeÞeldcanbeattackedfasterthanaprimeÞeldofequivalentsize,soifweusethenaõveDES-consistenthardwareconversion,thenthehypotheticalspecial-purposehardwarethatfollowsfromextrapolationofthe2.2MMYÞguretolargerprimeÞeldssubstantiallyunderestimatesthetruehardwarecost.Thatmeansthattheresultingkeysizesaregoingtobetoolarge,whichisacceptablesincewearederivinglowerboundsforkeysizes(Section1.3). SelectingCryptographicKeySizes277ThemorerealisticprimeÞeldequivalentofthenon-DES-consistentpipelineddevicefornon-primeÞeldsis,basedontheÞguresgivenabove,atleast28timesslowerthanourhypotheticalhardware.Thisimpliesthatthemorerealistichardwarewouldleadtolowerkeysizesthanthehypotheticalhardware.Thus,itisacceptabletosticktothelatter(Section1.3).ItfollowsthatifoneassumesthattheDESwassufÞcientlyresistantagainstaspecial-purposehardwareattackintheyearindicatedbythesecuritymarginasinDeÞnitionI,thenthesameholdsfortheECkeysizessuggestedforthefuture,eventhoughtheyarebasedonextrapolationsofÒsoftwareonlyÓattacks.SDLsystems.ThesameholdsforSDLsystemsbecauseouranalysisofSDLkeysizesisbasedontheECanalysisasdescribedin4.2.5below.Classicalasymmetricsystems.Forclassicalasymmetricsystemswedonotcon-siderspecial-purposehardwareattacks,asarguedin2.4.7.Theissueofsoftwareattacksonclassicalasymmetricsystemsversusspecial-purposehardwareattacksonothercryp-tosystemsisdiscussedin3.2.5below.Costcomparisonofsoftwareandspecial-purposehardwareattacks.Ourkeysizerecommendationsbelowarecomputationallyequivalent(Section1.4)and,asarguedin3.2.2,theyalloffersecurityatleastequivalenttothe1982securityoftheDES(basedonDefaultSettingI),bothagainstsoftwareandspecial-purposehardwareattacks.Thatdoesnotnecessarilyimplythatthekeysizesforthevariouscryptosystemsarealsocostequivalent(Section1.4),becausetheequipmentcostsofthe1982softwareandspecial-purposehardwareattacksontheDESarenotnecessarilyequaleither.Onepointofviewisthataccessingthehardwarerequiredforsoftwareattacksis,orultimatelywillbe,essentiallyforfree.ThisissupportedbyallInternet-basedcryptosys-temattackssofarandotherlargecomputationalInternetprojectssuchasSETI.Adoptionofthissimple-mindedrulewouldmakecomputationalandcostequivalenceidentical,whichiscertainlynotgenerallyacceptable[44].Unfortunately,apreciseequipmentcostcomparisondeÞesexactanalysis,primarilybecausenopreciseÒcostofaPCÓcanbepinpointed,butalsobecauseatrulycompleteanalysishasneverbeencarriedoutforthepipelinedECattackingdesignfrom[44]and[45].AspointedoutinSection1.4thisisoneofthereasonsthatwedecidedtousecomputationalequivalenceasthebasisforourresults.Nevertheless,wesketchhowananalysisbasedoncostequivalencecouldbecarriedout.DeÞnitionVII.Thenumber0isdeÞnedasthepriceinUSdollarsofastrippeddownPCwithatleast64MBofRAM.ByastrippeddownPCwemeana450MHzPentiumIIprocessor,amother-board,andcommunicationshardware.DefaultSettingVII.OurdefaultsettingforAccordingtonewspaperadvertisementsfullyequippedPCscanbeboughtforpricesvaryingfrom$0to$450.TheÒfreeÓmachinessupportthepointofviewthatsoftwareattacksareforfree.DefaultSettingVIIassumesthatonedoesnotwanttodealwith 278A.K.LenstraandE.R.Verheulthestringsattachedtothefreemachinesandisbasedonwholesaleextrapolationofcurrentprices.Ourchoicedisregardsthepossibilityofamuchlargerquantitydiscountoneshouldbeabletonegotiateforaverylargeorder.AssumingDefaultSettingVII,1millionsoftwareMips-Yearsisequivalentto[$365$81million,1day,1999]-hardware.ComparedwiththeexhaustiveDESkeysearch[$125,000,1day,1996][$31,250,1day,1999]-hardwarefrom3.2.1,asoftwareMips-Yearisthusabout timesmoreexpensive.Comparedwiththepipelined[$70,0007,1day,1996]1996]1day,1999]-hardwaretoattackECsystemsovernon-primeÞeldsreferredtoin3.2.2,asoftwareMips-Yearismorethan3timesmoreexpensive,butatmostabout2timesmoreexpensivethantheprimeÞeldversionofthepipelinedItfollowsthatforourpurposessoftwareMips-Yearsareatmost26timesmoreexpensivethanMips-Yearsproducedbyspecial-purposehardware.InSection4.5itisshownhowthisfactor26canbeusedtoderivecost-equivalentkeysizesfromthecomputationallyequivalentones.Notethatthefactor26shouldbetakenwithalargegrainofsalt.ItsscientiÞcmeritisinouropinionquestionablebecauseitisbasedonthepresumedinfeasibilityofspecial-purposehardwareattacksonRSA(see2.4.7andthepipelineddesignin[12]).MemoryConsiderationsTheprocessorscontributingtoaparallelizedexhaustivekeysearchdonotrequireasubstantialamountofmemory.ThisisalsothecasefortheprocessorsinvolvedinaparallelizedattackusingPollardÕsrhomethodagainstSDLorECsystems.AlthoughfortheparallelizedversionofPollardÕsrhomethodsubstantialstoragespacehastobeavailableatacentrallocation,weassumethatstoragerequirementsdonothavetobetakenintoaccounttoestimateSDLandECsystemkeysizes.ForparallelizedNFSattacksagainstclassicalasymmetricsystems,however,eachofthecontributingprocessorsneedsarelativelylargeamountofRAMofspeedcompatiblewiththeprocessorspeed.Untilrecentlymemoryaccesstimesandnotprocessorspeedsdeterminedtheeffectiveruntimesofthestandardtypeofsievingused:aclockratetwiceasfastwouldoftenresultinonlymarginallyfastersieving.Thisisbecausestan-dardsievingrequiresverylittlecomputationandconsistsalmostexclusivelyofconstantupdatesofmoreorlessrandomlocationsinalargechunkofmemory,andthusdoesnotallowefÞcientcaching.Straightforwardextrapolationofruntimestofasterprocessorswasthereforeimpossible.NewergenerationsofprocessorswithlargermemoriesallowefÞcientimplementationofNFSlatticesieving,whichis,comparedwithstandardsieving,arelativelycompute-intensivemethod.ItsefÞciencydependsmostlyontheprocessorspeed,andmemoryaccesstimehardlymatters.Toillustratethis,weobservedthatthespeedofNFSlatticesievingonPentiumprocessorsgrowsstrictlylinearlywiththeprocessorspeed,withaninterestinglarger-than-expectedspeedupwhenmovingfromPentiumItoPentium SelectingCryptographicKeySizes279IIprocessors:anaveragesievingstepoperationfortheresultpresentedin[6]takes15.8secondsona133MHzPentiumI,12.7secondsona166MHzPentiumI,5.34sec-ondsona300MHzPentiumII,and3.61secondsona450MHzPentiumII.Hereallprocessorsexecutethesamebinarythatusesabout48MBoftheirabout200MBAsaconsequence,theredoesnotseemtobeanyreasonnottoextrapolateNFSruntimesinthestandardfashion.Atworsttheextrapolatedsievingtimesarelowerthantheactualones,makingfactoringlookeasierthanitactuallyis,andtherebymakingtheRSAkeysizerecommendationssomewhatlarger(Section1.3).TheamountofmemoryrequiredbytheNFSgrowswiththesquarerootoftheruntime.Since(DeÞnitionII)isassumedtobestrictlypositive,availableRAMgrowslinearlywiththeprocessorspeed.Thus,sincecurrentprocessorshaveingeneralenoughmemoryforproblemsthatarecurrentlysolvedusingtheNFS,wemayassumethatfutureprocessorshavemorethanenoughmemorytotacklefutureproblems.CombiningtheseobservationsweconcludethattheNFSmemoryrequirementsdonotexplicitlyhavetobetakenintoaccountwhenextrapolatingNFSruntimestofutureprocessorsandlargerRSAmoduliorÞeldsizes.4.LowerBoundEstimatesforCryptographicKeySizesIntroductionInthissectionwepresentformulasthatcanbeusedtoderivelowerboundsforcrypto-graphickeysizes.InSections4.2Ð4.5weconcentrateonkeysizerecommendationsthatcanbeexpectedtoofferanacceptablesecuritymarginuntilayearspeciÞedbytheuser.InSection4.6wedescribehowkeysizerecommendationscanbederivedthatcanbeexpectedtoofferalevelofsecuritythatiscurrently(i.e.,atthetimeofwritingofthisarticle)atleastequivalenttoasymmetrickeysizespeciÞedbytheuser.Therecommendationsinthispaperarebasedonthedefaultsettings.Touseothersettings,refertoSection4.4,orusetheJavaappletprovidedbyPuolamaki[30].Remarkonprecision.OurÒprogressÓparameters,and(fromDeÞni-tionsII,V,andVI,respectively)aremeasuredinmonths,becausethatcorrespondstothewayMooreÕslawisoftenformulated.Below,however,timeismeasuredinwholeyears,asisthesecuritymargin(fromDeÞnitionI).InprinciplewecouldadoptamuchÞnergranularityand,forinstance,usethemoreprecisedatapointthata511.7-bitRSAmoduluswasbrokenin1999.64.Inouropinionthatwouldgiveamisleadingsenseofprecisionthatwouldbeinappropriateforanarticleofthissort.OnemayobjectÑandwewouldnotdisagreeÑthatkeysizerecommendationsshouldnotbegivenonayear-by-yearbasis,aswedobelow.Inourexperience,however,theuncertaintiesinherentinthistypeofÒback-of-the-envelopeÓengineeringarenotappreciatedbyallintendedusers:ifayearisnotspeciÞedinourtables,theymayendupusinganinterpolatedvalue,insteadofsimplyusingthenextyearup.Ifcalculatedproperly,thereisnothingwrongwithinterpolatedvalues(thecurvesareconvex,andweareonlyinterestedinlowerbounds),butitismoreconvenient,andsafer,simplytoprovidevaluesforallyears. 280A.K.LenstraandE.R.VerheulAnotherpointofcriticismisthatwedonotroundthevaluesresultingfromourformulas,therebyfailingtoreßectthattheyarecrudeestimatesatbest.Thus,ifaccordingtosomeformula,akeysizeof1537bitsisbelievedtobeadequateforacertainyear(andcertainparametersettings),thenweprintthevalue1537inourtables,andnot1500,1536,1568,or1600.Wewholeheartedlyagreethatsomethinglike1537givesamisleadingsenseofprecision,andofcourseweconsideredroundingvalues,butwedecidednottodosoforacoupleofreasons.First,wewouldalwayshavetoroundup,butwewouldhavetousedifferentgranularitiesforRSAandTDLrecommendationscomparedwiththoseforsymmetrickey,SDL,orECCsystems.WithoutanydoubttheresultingrelativelylongRSAkeyswouldbeinterpretedastheauthorsÕbiasagainstRSAandinfavorofECC,somethingwewanttoavoidatallcost.Secondly,andthismayseemstrangetomanyreaders,thereisanamazinglycommonbelief,ormisunderstanding,thatRSAkeysmusthavealengththatisdivisiblebyanon-trivialpowerof2suchas32,64,or128.WedonotwanttofuelthismisconceptionbyrecommendingRSAkeysizesthatareall0modulo32oreven10,orthatshowanyotherpatternthatcan(andwill)bemisunderstood.Thus,roundingisÞne,buttheuserwillhavetodoitÑwejustprovidethebare,unbiasednumbers.Wearegratefultoananonymousrefereeforbringingupthissubjectonceagain.Wehopetheseparagraphsclarifyouropinionsanddecisions.KeySizeFormulasforaGivenYearInfeasiblenumberofMips-Years).SupposethatkeysizeshavetobedeterminedthatachieveatleastaspeciÞedsecuritymarginuntilyear.BreakingtheDEStakes5Mips-Years(see2.2.4).Thisamountofcomputationofferedanacceptablelevelofsecurityintheyear(DeÞnitionIin3.1.2).BasedonDeÞnitionsIÐIVin3.1.2and3.1.5itfollowsthatinyear,i.e.,yearslater,anamountofcomputationofMips-Yearsoffersanacceptablelevelofsecurity.HerestandsforÒInfeasiblenumberofMips-YearsforyearÓ.Thefactor2isduetotheexpectedprocessorspeedupintheperiodfromyeartoyear(DeÞnitionsIandIIin3.1.2and3.1.5),andthefactorreßectstheexpectedincreaseinthebudgetavailabletoanattacker(DeÞnitionsI,III,andIVin3.1.2and3.1.5).Theresultingvalueisusedtoderivekeysizesthatofferanacceptablelevelofsecurityuntilyear,forallcryptographicprimitivesconsideredinSection2.Symmetrickeysystems.Forsymmetrickeycryptosystemsweintroducethepossibilitythattheblock-encryptionspeedofthesymmetrickeysystemtobeusedisdifferentfromtheblock-encryptionspeedoftheDES.DeÞnitionVIII.Thevariable0isdeÞnedastheratioofthenumberofcyclesrequiredforasingleblockencryptionusingtheDESandthesymmetrickeysystemtheuserwishestouse. SelectingCryptographicKeySizes281DefaultSettingVIII.OurdefaultsettingforBecausethesymmetrickeysystemtobeusedistimesslowerthantheDES,attackingitgoestimessloweraswell.Itfollowsthatifthesymmetrickeysystemisusedwithaofatleastv//.v/asin4.2.1,thenthesecurityofferedbythesymmetrickeysystemuntilisatleastcomputationallyandcostequivalent(see3.2.1)tothesecurityofferedbytheDESinyear.HereweusethattheDEShasa56-bitkey(see2.2.1),thatitcanbeattackedin5Mips-Years(see2.2.4),andthatthereisnofasterattackmethodthanexhaustivesearch(see2.2.8).Classicalasymmetricsystems.Forclassicalasymmetricsystemsweusetheasymptoticruntimetimen]oftheNFS(omittingthe)asdeÞnedin2.4.4combinedwiththedatapointthata512-bitkeywasbrokenin1999atthecostoflessthan10Years(see2.4.6).Furthermore,weexpectcryptanalyticprogressbyafactor2comparedwiththestateoftheartin1999,theyearofthedatapoint(see2.4.10andDeÞnitionVin3.1.7).Itfollowsthatiftheclassicalasymmetrickeysizeischosensuchthat IMY.y/¤212.y¡1999/=r¸L[2512] thenthesecurityofferedbyclassicalasymmetricsystemsuntilyearisatleastcompu-tationallyequivalenttothesecurityofferedbytheDESinyear.If,ontheotherhand,theclassicalasymmetrickeysizeischosensuchthat IMY.y/¤212.y¡1999/=r¸L[2512] thenthesecurityofferedbyclassicalasymmetricsystemsuntilyearisatleastcostequivalenttothesecurityofferedbytheDESinyear(DeÞnitionVIIin3.2.5).Thefactor26isexplainedin3.2.5.Becausethedatapointusedslightlyoverestimatesthecostoffactoringa512-bitkeyandbecauseweomitthe,thedifÞcultyofbreakingclassicalasymmetricsystemsisoverestimated(see2.4.4),i.e.,theclassicalasymmetrickeysizesshouldbeslightlylargerthangiveninTable1.Wedidnotattempttocorrectthis,becausetheeffectisminorandmaydisappeariftheRSAkeysizesgiveninTable1areroundedinareasonableway(Remark4.1.1).ECsystems.ForECsystemsweusetheexpectedgrowthrateofthenumberofgroupoperationsrequiredbyPollardÕsrhomethod(see2.6.3),theexpectedgrowthofthecostofthegroupoperations(see2.6.4),andtheoptimisticestimatethata109-bitECsystemcanbebrokenin2.2MMY(see2.6.4).Furthermore,if0(DeÞnitionVIin3.1.7),weexpectcryptanalyticprogressbyafactor2comparedwiththestate 282A.K.LenstraandE.R.Verheuloftheartin1999(theyearofthedatapoint).Weset1if0andotherwise.ItfollowsthatiftheECkeysizeischosensuchthat IMY.y/¤C¸2109=2¤1092 thenthesecurityofferedbyECsystemsuntilyearisatleastcomputationallyandcostequivalent(see3.2.2)tothesecurityofferedbytheDESinyear.Thefactorsand109accountfortherelativespeedofthearithmeticoperationstobeperformedbyPollardÕsrhomethod.SDLsystems.ForSDLsystemsweuseÞniteÞeldsizeeitherequalasin4.2.3(see2.4.6,2.5.1,and2.5.3).BecausenosuitableSDLdatapointsareavailable(see2.5.4)weestimatethatarithmeticoperationsina-bitÞniteÞeldtimesmoreexpensivethanarithmeticoperationsinanellipticcurvegroupovera109-bitÞniteÞeld(wheretheÒ9ÓunderestimatesthenumberofÞeldmultiplicationsrequiredforanECoperation,estimatedas12in2.6.3).SinceforSDL 2moreiterationsinPollardÕsrhomethodmaybeexpectedthanforECsystems,itfollowsthatifthesubgroupsize IMY.y/¸2109=2¤1092¤9 p andtheÞniteÞeldsizeisatleast,thenthesecurityofferedbySDLsystemsuntilyearisatleastequivalenttothesecurityofferedbytheDESinyear:computationallyequivalentifandcostequivalentifasin4.2.3.Notethattheaboveexpressionforisequivalentto2log Nk2¤p Theresultingsizesaretoolargebecausethe2.2MMYestimateisonthelowside.ThisoptimismistoasmallextentcorrectedbytheoptimisticchoiceofnineÞeldmultiplica-tions(where12or13wouldbemoreaccurate[14]).ItfollowsfromastraightforwardanalysisthatthesubgroupsizeresultingfromtheaboveformulaisoftherequireddifÞ-culty,independentoftheECdatapoint,ifamultiplicationinaÞeldofsizetakesabout69Pentiumclockcycles.Accordingtoourownexperimentswithreasonablyfastbutnon-optimizedsoftwareaÞeldmultiplicationcanbedonein24Pentiumclockcycles,sothatthesubgroupsizesresultingfromtheEC-baseddatapointareatmosttwobitstoolarge(Section1.3).LowerboundsforcomputationallyequivalentkeysizesForyearsrangingfrom1982to2050andforDefaultSettingsIÐVIIIthecomputationallyequivalentkeysizerecommendationsresulting(Remark4.1.1)fromtheformulasgiveninSection4.2aregiveninTable1.Furthermore,Table1containskeysizerecommendations18,i.e.,cryptanalyticprogressaffectingECsystemscomparablewithDefaultSettingVforthecryptanalyticprogressaffectingclassicalasymmetricsystems.Forcost-equivalentkeysizerecommendationsseeSection4.5. SelectingCryptographicKeySizes283RemarksonthecomputationofTable1.Strictlyspeakingthedataforyearsbefore1999donotmakesensefortheÒEC18Ócolumn,becausewealreadyknowthatforrandomcurvesoverprimeÞeldssuchprogressdidnotoccurbefore1999.Nevertheless,thedatacanbefoundinTable1aswell,initalics.ItisdescribedinSection4.4inwhatcircumstancesthedata,andtheotherdatainitalics,maybeused.2.ThedatainTable1donotchangesigniÞcantlyiftheÒ512-bit,10Mips-Years,1999Ódatapointisreplacedby,forinstance,Ò333-bit,30Mips-Years,1988Ó(theÞrst100-digitfactorization)orÒ429-bit,5000Mips-Years,1994Ó(thefactorizationoftheRSA-Challenge;5000Mips-YearsoverestimatesthetimeittooktobreaktheRSA-Challengedespitetheremarksmadein[37]).Thisvalidatesourdefaultsettingforforcryptanalyticprogressaffectingclassicalasymmetricsystems,see2.4.10and3.1.7.UsingTable1.AssumingoneagreeswithDefaultSettingsIÐVII,Table1canbeusedasfollows.Supposeoneisdevelopingacommercialapplicationintheyear2000inwhichtheconÞdentialityorintegrityoftheelectronicinformationhastobeguaranteedfor20years,i.e.,untiltheyear2020.Lookingattherowfortheyear2020inTable1,oneÞndsthatanamountofcomputingof2Mips-Yearsintheyear2020maybeconsideredtobeasinfeasibleas5Mips-Yearswasin1982(see2.2.4).Securitycomputationallyequivalent(Section1.4)tothatofferedbytheDESin1982isobtainedbyusingintheyear2020(whilekeepingRemark4.1.1inmind):ÐSymmetrickeysofatleast86bits,andhashfunctionsofatleast172bits.ÐRSAmoduliofatleast1881bits;themeaningoftheÒ1472ÓgiveninthesecondentryofthesamecolumnisexplainedinSection4.5.ÐSubgroupdiscretelogarithmsystemswithsubgroupsofatleast151bitswithÞniteÞeldsofatleast1881bits.Thus,foranSDLsystemsuchasXTRitfollowsthat151and61881[23].ÐEllipticcurvesystemsoverprimeÞeldsofatleast161bitsifoneisconÞdentthatnocryptanalyticprogresswilltakeplace,andatleast188bitsifonepreferstobemorecareful.IfÞniteÞeldsareusedinSDLorECsystemsthatallowsigniÞcantlyfasterarithmeticoperationsthansuggestedbyourestimates,thedatainTable1canstillbeused:iftheÞeldarithmeticgoestimesfaster,keysshouldberoughly2bitslargerthanindicatedinTable1.Asnotedabove,however,theÞeldarithmeticisalreadyassumedtobequitefast.Similarly,ifonedoesnotagreethatthedatapointusedforECsystemsunderestimatestheactualcostandthatweoverestimatedthecostbyafactor,i.e.,thatthe2.2MMYtoattack109-bitECsystems(see2.6.4)shouldbeonly2MMY,addroughly2bitstothesuggestedECkeysizes.NotethatitdoesnotfollowfromTable1orthedefaultsettingsthat1024-bitRSAkeyswillbesafeonlyuntil2002[38].ItfollowsfromTable1thatuntiltheyear2002,RSAkeysof1024bitscanbeexpectedtooffersecuritycomputationallyequivalenttotheDESin1982.Inthiscontext,seealsoRemarks1.4.1and3.1.3. Table1.Lowerboundsforcomputationallyequivalentkeysizes,assuming0and ClassicalLowerboundCorrespondingEllipticcurveforhardwarenumberofkeysizeSDLkeysizeInfeasiblecostinUS$foryearsonSymmetricandSDLkey numberofa1dayattacka450MHzYearkeysizeÞeldsizesize18Mips-Years(see4.5)PentiumIIPC 198256417102105198458463105108198660513107111198861566109114 1990636221121171991636521131191992646821141201993657131161211994667441171231995667771181241996678101201261997688441211271998698791221291999709151231301304 200070952125132132720017199012613313512002721028127135139220037310681291361403200473110813013814352005741149131139147120067511911331411481200776123513414215222008761279135144155520097713231371451578 20107813691381461601201179141613914816322012801464141149165420138015131421511687201481156214315217212015821613145154173220168316641461551773201783171714715718052018841771149158181120198518251501601851 20208618811511611882202186193715316319052022871995154164193820238820541561661971202489211315716719822025892174158169202420269022361601702057202791229916117220712028922362162173210220299324271641752133 2030932493165176215520329526291681792221203496276817118222752036982912173185232120389930611761882394 204010132141791912441204210333711821942483204410435331851972551204610637001872002602204810738711902032658 205010940471932062722 SelectingCryptographicKeySizes285AlternativeSecurityMarginDefaultSettingI(see3.1.2)assumesthattheDESofferedenoughsecurityforcommercialapplicationsuntiltheyear1982,butnotbeyond1982.ForcorporationsthathaveusedtheDESbeyond1982orevenuntilthelate1990stheresultingdefaultinfeasibilityassumptionof0.5MMYin1982(see2.2.4)maybetoostrong.Forothersitmaybetooweak.HereweexplainhowtouseTable1tolookupkeysizesforyear,forexample2005,if,i.e.,ifonetruststheDESuntiltheyear1982.Hereisnegativeifourinfeasibilityassumptionisconsideredtobetooweakandpositiveotherwise.Weassumethedefaultsettingsfortheotherparameters.So,forexample,13ifonetruststheDESuntil1995.OfcourseRemark4.1.1appliesagain.ÐSymmetrickeys:taketheentryforyear,i.e.,20051992inourexample.Theresultingsymmetrickeysizesuggestionis64bits.ÐClassicalasymmetrickeys:taketheentryforyear43,i.e.,20051998inourexample.So879-bitRSAandTDLkeysshouldbeused.ÐSDLkeys:letbetheclassicalasymmetrickeysizeforyear43,letbetheSDLsizeforyear,andletbetheclassicalasymmetrickeysizefor,thenuseasubgroupofsizeoveraÞeldofsize.Inourexample114,and682,sothatasubgroupofsize114113bitsshouldbeusedwithan879-bitÐECsystemswith0:taketheÒ0Óentryforyear,i.e.,2005intheexample.TheresultingECkeysizesuggestionis120bits.ÐECsystemswith18:taketheÒ18Óentryforyear43,i.e.,1998inourexample.TheresultingECkeysizesuggestionis129bits.TheTable1entriesinitalicsforyearsbefore1999maybeusedinthelastapplication;theotheritalicsentriesmaybeusedifThecorrectnessofthesemethodscanbeseenasfollows.Letdenotetheclassicalasymmetrickeysizerecommendationforacertainyearandsecuritymargin.WewanttoÞndtheyearforwhich,where1982byDefaultSettingI.FromthedeÞnitionofin4.2.1andthewayischosenin4.2.3itfollowsfromwhichweÞndthat43ifthedefaultsettingsareused.Theotherresultsfollowinthesameway.Cost-EquivalentKeySizesTable1canbeusedtoderivecost-equivalentkeysizesinthefollowingmanner,ifthedefaultsettingsareused.Alowerboundfortheequipmentcostforasuccessful1dayattackisgiveninthepenultimatecolumnofTable1,inyearindollarsofyearSymmetrickeyandECsystems.ThesymmetrickeysizesarederivedbasedonthedeÞnitionofthesecuritymarginwhichimplysufÞcientresistanceagainsteither 286A.K.LenstraandE.R.Verheulsoftwareorspecial-purposehardwareattacks.TheECkeysizesarebasedonestimatesthatarecostconsistentwiththesymmetrickeysizes(see3.2.2).SoforsymmetrickeyandECsystemsnocorrectionsarenecessary.Classicalasymmetricsystems.Forclassicalasymmetricsystems,Mips-Yearsaresupposedly26timesasexpensive,see3.2.5.ForourcomputationalpurposesonlythisisequivalenttoassumingthattheDESoffersacceptablesecurityuntilabout1997,since1230,2iscloseto26100(DefaultSettingVII,3.2.5),and19821997.Thus,usingSection4.4,classicalasymmetrickeysizesthatareequipmentcostequivalenttosymmetricandECkeysizesforyearcanbefoundinTable1intheclassicalasymmetrickeysizecolumnforyearTheresultingkeysizes,roundeduptothenearestmultipleof32,aregivenasthesecondentryintheclassicalasymmetrickeysizescolumnofTable1.BreakingsuchkeysrequiresasubstantiallysmallernumberofMips-YearsthantheinfeasiblenumberofMips-Yearsforyear,butacquiringtherequiredMips-Yearsissupposedtobeprohibitivelyexpensive.Notethatthisvalueisroundeduptothenextmultipleof32,despiteRemark4.1.1,reßectingtheinherentlyinaccuratechoice100inDefaultSettingVII(see3.2.5).SDLsystems.Forsubgroupdiscretelogarithmsystemsinyear,letthesubgroupandÞniteÞeldsize,respectively,foryear,andletbetheÞniteÞeldsizeforyear8.ForcostequivalencewithsymmetricandECkeysizesinyearsubgroupsofsizeoverÞniteÞeldsofsize.Asaruleofthumb,subgroupsofsize2overÞniteÞeldsofsizewilldo.Asanexample,intheyear2000thefollowingkeysizesaremoreorlessequipmentcostequivalent:70-bitsymmetrickeys,682-bitclassicalasymmetrickeys,127-bitsubgroupswith682-bitÞniteÞelds,and132-bitECkeys.Asimilarstraightforwardanalysiscanbecarriedoutforanyothersettingforthe.Forinstance,for10or1000the8shouldbechangedinto6or10,respectively.KeySizesCurrentlyEquivalenttoGivenSymmetricKeySizeFormulasforkeysizesequivalenttosymmetrickeysize.SupposethatkeysizeshavetobedeterminedthatarecurrentlyatleastequivalenttoasymmetrickeysizeNotethattheresultingformulasmustbeindependentofourassumptionsonsecuritymargin,hardwareadvances,orcryptanalyticprogress.Theonlysettingsusedhereare(see3.2.5)and(see4.2.2),becausetheyaretheonlysettingsrelevantforthecurrentComparedwithbreakinga56-bitDESkeyatanexpectedcostof5Mips-Years,breakingakeyofsizeusedinconjunctionwithasymmetrickeysystemthatisslowerthantheDEScanbeexpectedtotakeMips-Years,standsforÒEquivalentnumberofMips-Years.Ó SelectingCryptographicKeySizes287Iftheclassicalasymmetrickeysizeischosensuchthat EMY.d/¸L[2512] (see4.2.3),thenthesecurityofferedbyclassicalasymmetricsystemsiscurrentlyatleastcomputationallyequivalenttothesecurityofferedbyasymmetrickeyofsizeHowever,iftheclassicalasymmetrickeysizeischosensuchthat EMY.d/¸L[2512] (see4.2.3),thenthesecurityofferedbyclassicalasymmetricsystemsiscurrentlyatleastcostequivalenttothesecurityofferedbyasymmetrickeyofsizeIftheECkeysizeischosensuchthat EMY.d/¸2109=2¤1092 (see4.2.4),thenthesecurityofferedbyECsystemsiscurrentlyatleastcomputationallyandcostequivalenttothesecurityofferedbyasymmetrickeyofsizeIftheSDLsubgroupsize Nk2¤p (see4.2.5),whereistheÞniteÞeldsize,thenthesecurityofferedbySDLsystemsiscurrentlyatleastequivalenttothesecurityofferedbyasymmetrickeyofsizecomputationallyequivalentifandcostequivalentif,withabove.FromtheformulasgivenhereandinSection4.2itisobvioushowformulasshouldbeobtainedforkeysizesequivalenttoagivensymmetrickeysizeinagivenyear:usetheformulasfromSection4.2with)replacedbyLookingupcurrentlycomputationallyequivalentkeysizes.Assumingthede-faultsettings,Table1canalsobeusedtolookupthekeysizesthatfollowfromtheformulasin4.6.1.Givenasymmetrickeysize,asymmetrickeysizesthatarecurrentlycomputationallyequivalenttoitcanbelookedupasfollows.ForclassicalasymmetricsystemslookuptheclassicalasymmetrickeysizeforyearThisformulafollowsbysolvingtheequation(see4.2.1).FortheothersystemsletbetheyearinTable1inwhichinthesymmetrickeysizecolumn.ForSDLlookuptheSDLkeysizeforyear,theclassicalasymmetrickeysizeforyear,andtheclassicalasymmetrickeysize;thensubgroupsofsizeoveraÞeldofsizeoffersecuritythatiscurrentlycomputationallyequivalent,intheyear1999,tosymmetrickeysofsize.ForECsimplylookuptheECkeysizeforyearandÒ0.Ó 288A.K.LenstraandE.R.VerheulGivenaclassicalasymmetrickeysize,thecurrentlycomputationallyequivalentsymmetrickeysizecanbefoundbylookinguptheyearinwhichoccurs,andbyusingsymmetrickeysize432;thisfollowsimmediatelyfromAsanexample,forasymmetrickeyofsize85weÞndthat2019and1.Currentlycomputationallyequivalentkeysizesare:about1375bitsforclassicalasymmetrickeys,subgroupsofsize150152over1375bitsÞelds,andECsystemsof160-bits.Similarly,foraclassicalasymmetrickeyofsize1024weÞndthat2002andthatacurrentlycomputationallyequivalentsymmetrickeysizeisgivenby4374.ThelattercorrespondstoacurrentlycomputationallyequivalentECkeysizeof139bits.Lookingupcurrentlycost-equivalentkeysizes.Givenasymmetrickeysize,asymmetrickeysizesthatarecurrentlycostequivalenttoitcanbelookedupinaverysimilarway:justreplace1950.8and2796.2from4.6.2by1942.9and2784.9,respectively.Thisformulafollowsbysolvingtheequation .HereweuseDefaultSettingVII(i.e.,100,see3.2.5)asinSection4.5.Asanexample,forasymmetrickeyofsize85weÞndthat2019and2.Currentlycost-equivalentkeysizesare:about1036bitsforclassicalasymmetrickeys,subgroupsofsize150152over1036bitsÞelds,andECsystemsof160bits.Similarly,foraclassicalasymmetrickeyofsize1024weÞndthat2002andthatacurrentlycost-equivalentsymmetrickeysizeisgivenby435.PracticalConsequencesTheUSDigitalSignatureStandard(DSS)uses160-bitsubgroupswithÞeldsizesrangingfrom512to1024bits,anda160-bithashfunction.AccordingtoTable1onlythelargestÞeldsize(1024)canberecommendedforcommercialapplicationsandthenonlyuntiltheyear2002.Theothersizescanberecommendeduntil2013forthehashfunction,anduntil2026forthesubgroupsize.Assumingthedefaultsettings,thesecurityofferedbytheDSSmaybecomeinadequateverysoon,unlesstheDSSisusedincombinationwitha1513-bitÞniteÞelduntil2013.AchangeintheÞeldsizedoesnotaffectthesizeoftheDSSsignatures.Beyond2013the160-bitsizeofSHA-1,thecryptographichashfunctionusedinconjunctionwiththeDSS,maynolongerbeadequate.Note,however,thatthehashsizemayhavetomatchthesubgroupsize,sothatchangingthehashsizemayforceachangeinthesubgroupsizethatwouldotherwisenothavebeennecessaryuntil2026.Accordingto[25],NISTisworkingonarevisionfortheDSS,withkeysizesasreportedinTable2(andhashsizematchingthesizeof).Thesevaluesareinclose SelectingCryptographicKeySizes289Table2.ProposedkeysizesfortherevisedDSS. 16025638451210243072768015,360 agreementwiththevaluesthatfollowfromourcurrentcostequivalencemodelasinSection4.5(i.e.,withDefaultSettingVII100,see3.2.5).However,itfollowsfromTable1thatthesizeshavetogrowmuchfasterthanproposedinTable2ifcurrentcryptanalytictrendspersistandifequivalencebetweenthesizesofhastobemaintainedinthefuture.EffectonCryptosystemSpeedRSAkeysthataresupposedtobesecureuntil2040areaboutthreetimeslargerthanthepopular1024-bitRSAkeysthatarecurrentlysecure.Thatmakesthoselargekeys9Ð27timesslowertouse:9forsignatureveriÞcationorencryptionassumingaÞxedlengthpublicexponent,27forthecorrespondingsignaturegenerationordecryption.TDLsystemswillslowdownbyafactorof27comparedwiththosethatarecurrentlysecure.SDLsystemsslowdownbyaboutafactorof11comparedwithcurrentlysecureSDLsystems,becauseofthegrowthoftheunderlyingÞniteÞeldcombinedwiththegrowthofsubgroupsize.ThespeedofECsystems,however,ishardlyaffected:aslowdownbyafactorofatmost4,assumingcryptanalyticprogresswith18.Withinafewyears,however,fasterprocessorswillhavesolvedtheseperformanceproblemsifourdefaultsettingforturnsouttobereasonable.Note,however,thatthismaynotbethecaseinmorerestrictedenvironmentssuchassmartcards,wherebandwidthandpowerconsumptionconstraintsalsohaveamorelimitingeffectonkeysizes.5.3.512-BitRSAKeysDespitethefactthattheywerealreadyconsideredtobesuspiciousin1990,512-bitRSAkeysarestillwidelyusedallovertheWeb.Forinstance,512-bitRSAmoduliareusedintheinternationalversionofSecureSocketLayer(SSL)securedwebserverstoexchangesessionkeys.AnattackerwhobreaksanSSLRSAmoduluswillbeabletoaccessallsessionkeysusedbytheSSLserver,andhenceallinformationprotectedbythosekeys.AccordingtoTable1,512-bitRSAkeysshouldnothavebeenusedbeyond1986.Itshouldbenotedthat,apartfromthesecurityriskofusing512-bitRSAkeys,therearealsoconsiderablepublicityrisksinusingthem:organizationsusingthemmaygetbadmedia-coveragewhenitisfoundout,becausea512-bitRSAkeywasfactoredinAugust1999.AlthoughthisresultistheÞrstpublishedfactorizationofa512-bitRSAmodulus,itwouldbenaõvetobelievethatitistheÞrsttimesuchafactorizationhasbeenobtained(Remark1.4.1and2.4.5).5.4.768-BitRSAKeysAccordingtoTable1usageof768-bitRSAkeyscannolongerberecommended.Eveninthecost-equivalentmodel768-bitRSAkeyswillsoonnolongeroffersecuritycom-parablewiththesecurityoftheDESin1982. 290A.K.LenstraandE.R.VerheulRSAandECIfoneevaluatesaluates1024](see2.4.4)omittingthetheresultisclosetothenumberof32-bitoperationstobeperformedbyanattackusingPollardÕsrhomethodona160-bitECsystem.Itwasshownin2.4.6,however,thatthatn]substantiallyoverestimatestheactualnumberofoperationstobeperformedbytheNFSfactorizationof.Nevertheless,inthe(commercial)cryptographicliterature1024-bitRSAand160-bitECsystemsareoftenadvertisedasofferingmoreorlessthesamelevelofsecurity.Ifoneisinterestedincurrentlycomputationallyequivalentsecurity,then1024-bitRSAand139-bitECsystemsor1375-bitRSAand160-bitECsystemsmaybeconsideredtobecomparable,asfollowsfromtheexamplein4.6.2.Forcurrentlycost-equivalentsecuritytheexamplein4.6.3suggeststhat1024-bitto1035-bitRSAand160-bitECsystemsmaybecomparable.Thislastcomparisondependsstronglyonthesettingonedeemsreasonablefortheparameter,asexplainedin3.2.5andSection4.5.SDLandECThegapbetweenthesuggestedSDLandECkeysizeswidensslowly.ThisisduetotherapidlygrowingsizeoftheunderlyingÞniteÞeldsinSDL,whichmakestheÞniteÞeldoperationsrequiredforanattackusingPollardÕsrhomethodrelativelyslow.NotethattheÞeldsizeforSDLsystemscanbefoundintheclassicalasymmetrickeysizecolumnofTable1.EffectivenessofGuessingThesizessuggestedinTable1fortheyear2000orlatergivekeysthatareinpracticeinfeasibletoguess.EffectivenessofIncompleteAttacksSpendingonlyafractionofthefulleffort(see4.2.1)requiredtobreakasystemusingthekeysizessuggestedforyearleadstosuccessprobability1forex-haustivesearch(symmetricsystems;see2.2.7),0forthe(DL)NFS(classicalasymmetricsystems,see2.4.9;fortheECMseeSection5.9),or1forPollardÕsrhomethod(SDLandEC;see2.5.6and2.6.7).Thisimpliesthatonaverageincompleteattackscannotbeexpectedtopayoff.Despitethelackofappreciableeconomicincentiveanattackermaynonethelesstrytoharnessasmallfractionoftherequiredruntimeandgetanon-negligiblechancethathiseffortsbearfruit.AsnotedinRemark3.1.4,however,ifourdeÞnitionofsecuritymargin(see3.1.2)isacceptable,thenthisriskisacceptableaswell.EffectivenessofEllipticCurveMethodTheEllipticCurveMethod(ECM)Þndsa167-bitfactorofa768-bitnumberwithprobability0.63afterspending6200Mips-Years,undertheassumptionthatsuchafactorexists[47].Basedonthisdatapoint,wehavecomputedtheprobabilitythattheECMsuccessfullyfactorsRSAmoduliofthesizesspeciÞedinTable1,assumingweinvesttheMips-Years(see4.2.1)ineachfactoringattempt:fora952-bitRSAmodulustheprobabilityofsuccessis2afterspending7Mips-Years SelectingCryptographicKeySizes2912000),deterioratingtoprobability1fora1149-bitmodulusin2005,andfor1369bitsin2010.Itfollowsthat,despitetheimpossiblylargeinvestment,theECMcannotbeexpectedtobreakkeysofthesuggestedsizes.TheECMsuccessprobabilityvanisheswiththeyears,consistentwiththefactthattheNFSisasymptoticallysuperiortotheECM.NotethattheseprobabilitiesapplyonlytoregularRSAwherethemodulushastwoprimefactorsofaboutequalsize.Iftheprimeshavedifferentsizes[32]oriftherearemoreprimesdividingthemodulus([31]:theÒMultiprimeÓvariationofRSA),thesuccessprobabilityoftheECMisconsiderablyhigher.WassenaarArrangementforMassMarketApplicationsCurrentlytheWassenaarArrangementallows64-bitsymmetrickeysand512-bitclas-sicalasymmetrickeysformassmarketapplications.AccordingtoTable1andpubliclyavailabledataonsuccessfulattacksitwouldbeadvisable(in2001)toincreasethe512-bitboundforclassicalasymmetrickeystoamorereasonableboundsuchas736or832bits.Thecontentsofthisarticlearethesoleresponsibilityofitsauthorsandnotoftheiremployers.Theauthorsortheiremployersdonotacceptanyresponsibilityfortheuseofthecryptographickeysizesrecommendedinthisarticle.TheauthorsdonothaveanyÞnancialorothermaterialinterestsintheconclusionsattainedinthisarticle,norweretheyinspiredorsponsoredbyanypartywithcommercialinterestsincryptographickeysizeselection.Thedatapresentedinthisarticlewereobtainedinatwostageapproachthatwasstrictlyadheredto:formulationofthemodelandcollectionofthedatapoints,followedbycomputationofthelowerbounds.NoattempthasbeenmadetoaltertheresultingdatasoastomatchtheauthorsÕ(andpossiblyothersÕ)expectationsortastebetter.Theauthorsmadeeveryattempttobeunbiasedastotheirchoiceoffavoritecryptosystem,ifany.Althoughtheanalysisandtheresultingguidelinesseemtobequiterobust,thiswillnolongerbethecaseifthereissomeÒoff-the-chartÓcryptanalyticorcomputationalprogressaffectinganyofthecryptosystemsconsideredhere.Indeed,accordingtoatleastoneofthepresentauthors,stronglong-termrelianceonanycurrentcryptosystemwithoutverystrongphysicalprotectionofallkeysinvolvedÑincludingpubliconesÑisirresponsible.ThisdoesnotnecessarilyimplylackoftrustinpublickeycryptosystemsÑitreßectsmixedfeelingsaboutthewaytheyareimplementedorembeddedinapplications.AcknowledgmentsTheauthorsthankStuartHaberforhisextensivecommentsonseveralversionsofthisarticle,KaiPuolamakiforprovidingtheJavaappletthatallowseasycomputationofthekeysizeformulas,JoeBuhler,BruceDodson,DonJohnson,PaulLeyland,AlfredMenezes,AndrewOdlyzko,MichaelWiener,andPaulZimmermannfortheirhelpfulremarks,andtwoanonymousrefereesfortheirmuchappreciatedcomments(see3.1.2andRemark4.1.1). 292A.K.LenstraandE.R.VerheulReferences[1]R.Anderson,Whycryptosystemsfail,CommunicationsoftheACM(11)(1994),32Ð40.[2]E.Biham,AfastnewDESimplementationinsoftware,ProceedingsofFastSoftwareEncryption,LNCS1267,pp.260Ð272,Springer-Verlag,Berlin,1997.[3]M.Blaze,W.DifÞe,R.L.Rivest,B.Schneier,T.Shimomura,E.Thompson,M.Wiener,Minimalkeylengthsforsymmetriccipherstoprovideadequatecommercialsecurity,www.bsa.org/policy/encryption/ c.html,January1996.[4]A.Bosselaers,EvenfasterhashingonthePentium,rumpsessionpresentationatEurocryptÕ97,May13,1997;www.esat.kuleuven.ac.be/÷cosicart/pdf/AB-9701.[pdf,ps.gz].[5]J.R.T.Brazier,PossibleNSAdecryptioncapabilities,jya.com/nsa-study.htm.[6]S.Cavallar,B.Dodson,A.K.Lenstra,W.Lioen,P.L.Montgomery,B.Murphy,H.J.J.teRiele,etal.,Factorizationofa512-bitRSAmodulus,ProceedingsEurocrypt2000,LNCS1807,pp.1Ð17,Springer-Verlag,Berlin,2000.[7]www.certicom.com,1997.[8]www.counterpane.com/speed.html.[9]M.Davio,Y.Desmedt,J.Goubert,F.Hoornaert,J.J.Quisquater,EfÞcienthardwareandsoftwareimplementationsoftheDES,ProceedingsCryptoÕ84,Springer-Verlag,Berlin,1984.[10]W.DifÞe,BNRInc.report,1980.[11]W.DifÞe,E.Hellman,ExhaustivecryptanalysisoftheNBSDataEncryptionStandard,(1977),74Ð84.[12]B.Dixon,A.K.Lenstra,FactoringintegersusingSIMDsieves,ProceedingsEurocryptÕ93,LNCS765,pp.28Ð39,Springer-Verlag,Berlin,1993.[13]ElectronicFrontierFoundation,CrackingDES,OÕReilly,SanFrancisco,CA,July1998.[14]R.Gallant,Personalcommunication,August1999.[15]R.Gallant,R.Lambert,S.Vanstone,ImprovingtheparallelizedPollardlambdasearchonbinaryanoma-louscurves;availablefromwww.certicom.com/chal/down-load/paper.ps,1998.[16]D.B.Johnson,ECC,futureresiliencyandhighsecuritysystems,March30,1999,availablefromwww.certicom.com.[17]A.Joux,AoneroundprotocolfortripartiteDifÞeÐHellman,ProceedingsANTSIV,LNCS1838,pp.358Ð394,Springer-Verlag,Berlin,2000.[18]A.Joux,K.Nguyen,SeparatingDecisionDifÞeÐHellmanfromDifÞeÐHellmanincryptographicgroups,availablefromhttp://eprint.iacr.org,2000.[19]P.C.Kocher,BreakingDES,RSALaboratoriesÕCryptobytes(2)(1999),1Ð5;alsoatwww.rsasecurity.[20]P.C.Kocher,Personalcommunication,September1999.[21]A.K.Lenstra,A.Shamir,AnalysisandoptimizationoftheTWINKLEfactoringdevice,ProceedingsEurocrypt2000,LNCS1807,pp.35Ð52,Springer-Verlag,Berlin,2000.[22]A.K.Lenstra,E.R.Verheul,Selectingcryptographickeysizes,ProceedingsPKC2000,LNCS1751,pp.446Ð465,Springer-Verlag,Berlin,2000;fullversionavailablefromwww.cryptosavvy.com.[23]A.K.Lenstra,E.R.Verheul,TheXTRpublickeysystem,ProceedingsCrypto2000,LNCS1880,pp.1Ð19,Springer-Verlag,Berlin,2000;availablefromwww.ecstr.com.[24]P.Leyland,Personalcommunication,September1999ÐFebruary2001.[25]A.J.Menezes,Personalcommunication,September1999.[26]P.L.Montgomery,lettertotheeditorofIEEEComputer,August1999.[27]V.I.Nechaev,Complexityofadeterminatealgorithmforthediscretelogarithm,MathematicalNotes(2)(1994),155Ð172.TranslatedfromMatematicheskieZametki(2)(1994),91Ð101.Thisresultdatesfrom1968.[28]Tiniestcircuitsholdprospectofexplosivecomputerspeeds,TheNewYorkTimes,July16,1999;Chipdesignerslookforlifeaftersilicon,TheNewYorkTimes,July19,1999.[29]A.M.Odlyzko,Thefutureofintegerfactorization,RSALaboratoriesÕCryptobytes(2)(1995),5Ð12;alsoatwww.research.att.com/amo/doc/crypto.htmlorwww.rsasecurity.com/rsalabs/pubs/cryptobytes.[30]K.Puolamaki,Javaappletonwww.cryptosavvy.com.[31]www.rsa.comandwww.rsasecurity.com.[32]A.Shamir,RSAforparanoids,RSALaboratoriesÕCryptobytes(3)(1995),1Ð4. SelectingCryptographicKeySizes293[33]A.Shamir,FactoringintegersusingtheTWINKLEdevice,ProceedingsCHESÕ99,LNCS1717,pp.1Ð12,Springer-Verlag,Berlin,1999.[34]P.W.Shor,Algorithmsforquantumcomputing:discretelogarithmsandfactoring,ProceedingsofthethAnnualSymposiumonFoundationsofComputerScience,pp.124Ð134,1994.[35]V.Shoup,Lowerboundsfordiscretelogarithmsandrelatedproblems,ProceedingsEurocryptÕ97,LNCS1233,pp.256Ð266,Springer-Verlag,Berlin,1997.[36]R.D.Silverman,rumpsessionpresentationatCryptoÕ97.[37]R.D.Silverman,ExposingthemythicalMips-Year,IEEEComputer,August1999,22Ð26.[38]R.D.Silverman,Acost-basedsecurityanalysisofsymmetricandasymmetrickeylengths,RSALabo-ratoriesBulletin,number13,April2000.[39]SimonSinghÕscipherchallenge,www.simonsingh.com/cipher.htm.[40]P.C.vanOorschot,M.J.Wiener,Parallelcollisionsearchwithcryptanalyticapplications,JournalofCryptology(1999),1Ð28.[41]E.R.Verheul,EvidencethatXTRismoresecurethansupersingularellipticcurves,ProceedingsEurocrypt2001,LNCS2045,pp.195Ð210,Springer-Verlag,Berlin,2001.[42]www.wassenaar.org.[43]M.J.Wiener,EfÞcientDESkeysearch,manuscript,Bell-NorthernResearch,August20,1993.[44]M.J.Wiener,Performancecomparisonofpublic-keycryptosystems,RSALaboratoriesÕCryptobytes(1)(1998),1Ð5;alsoatwww.rsasecurity.com/rsalabs/pubs/cryptobytes.[45]M.J.Wiener,Personalcommunication,1999.[46]M.J.Wiener,R.J.Zuccherato,Fasterattacksonellipticcurvecryptosystems,inS.TavaresandH.Meijer,SelectedAreasinCryptographyÕ98,LNCS1556,pp.190Ð200,Springer-Verlag,Berlin,1999.[47]P.Zimmermann,Personalcommunication,1999.