Internet Draft                                   Hilarie Orman
draft-orman-public-key-lengths-02.txt            Novell, Inc.
March 19, 2001                                   Paul Hoffman
Expires in six months                            IMC & VPNC

                Determining Strengths For Public Keys Used
                     For Exchanging Symmetric Keys

Status of this memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

       The list of current Internet-Drafts can be accessed at

       The list of Internet-Draft Shadow Directories can be accessed at

Abstract


Implementors of systems that use public key cryptography to exchange
symmetric keys need to make the public keys resistant to some
predetermined level of attack. That level of attack resistance is the
strength of the system, and the symmetric keys that are exchanged must
be at least as strong as the system strength requirements. The three
quantities, system strength, symmetric key strength, and public key
strength, must be consistently matched for any network protocol usage.

While it is fairly easy to express the system strength requirements in
terms of a symmetric key length and to choose a cipher that has a key
length equal to or exceeding that requirement, it is harder to choose a
public key that has a cryptographic strength meeting a symmetric key
strength requirement. This document explains how to determine the
length of an asymmetric key as a function of the length of a symmetric
key. Some rules of thumb for estimating equivalent resistance to
large-scale attacks on various algorithms are given. The document also
addresses how changing the sizes of the underlying large integers
(moduli, group sizes, exponents, and so on) changes the time to use the
algorithms for key exchange.

1. Model of Protecting Symmetric Keys with Public Keys

Many books on cryptography and security explain the need to exchange
symmetric keys in public as well as the many algorithms that are used
for this purpose. However, few of these discussions explain how the
strengths of the public keys and the symmetric keys are related.

To understand this, picture a house with a strong lock on the front
door. Next to the front door is a small lockbox that contains the key
to the front door. A would-be burglar who wants to break into the house
through the front door has two options: attack the lock on the front
door, or attack the lock on the lockbox in order to retrieve the key.
Clearly, the burglar is better off attacking the weaker of the two
locks. The homeowner in this situation must make sure that the lock on
the lockbox is at least as strong as the lock on the front door, so
that adding the second entry option (the lockbox containing the front
door key) does not make the burglar's job easier.

An implementor designing a system for exchanging symmetric keys using
public key cryptography must make a similar decision. Assume that an
attacker wants to learn the contents of a message that is encrypted with a
symmetric key, and that the symmetric key was exchanged between the
sender and recipient using public key cryptography. The attacker has
two options to recover the message: a brute-force attempt to determine
the symmetric key by repeated guessing, or mathematical determination
of the private key used as the key exchange key. A smart attacker will
work on the easier of these two problems.

A simple-minded answer to the implementor's problem is to be sure that
the key exchange system is always significantly stronger than the
symmetric key; this can be done by choosing a very long public key.
Such a design is usually not a good idea because the key exchanges
become much more expensive in terms of processing time as the length of
the public keys goes up. Thus, the implementor is faced with the task
of trying to match the difficulty of an attack on the symmetric key
with the difficulty of an attack on the public key encryption. This
analysis would be unnecessary if the key exchange could be performed
with extreme security for almost no cost in terms of elapsed time or CPU
effort; unfortunately, that is not the case for public key methods today.

A third consideration is the minimum security requirement of the user.
Assume the user is encrypting with CAST-128 and requires a symmetric
key with a resistance time against brute-force attack of 20 years. He
might start off by choosing a key with 86 random bits, and then use a
one-way function such as SHA-1 to "boost" that to a block of 160 bits,
and then take 128 of those bits as the key for CAST-128. In such a
case, the key exchange algorithm need only match the difficulty of 86
bits, not 128 bits. The selection rule is:

1. Determine the number of symmetric key bits matching the security
requirement of the application (n).

2. Choose a symmetric cipher that has a key with at least n bits, and a
cryptanalytic strength of at least that much.

3. Choose a key exchange algorithm with a resistance to attack of at
least n bits.

A fourth consideration might be the public key authentication method
used to establish the identity of a user. This might be an RSA digital
signature or a DSA digital signature. If the modulus for the
authentication method isn't large enough, then the entire basis for
trusting the communication might fall apart. The following step
is thus added:

4. Choose an authentication algorithm with a resistance to attack of at
least n bits.
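
The "boost" step described above can be sketched as follows. This is a
minimal illustration, assuming SHA-1 as the one-way function; the
function name and the use of the secrets module are choices of this
sketch, not part of any standard:

```python
import hashlib
import secrets

# Sketch of the "boost" step described above: start from 86 random bits,
# hash them with SHA-1 to get a 160-bit block, and take 128 of those
# bits as the CAST-128 key. The effective strength is still 86 bits.
def derive_cast128_key() -> bytes:
    seed = secrets.randbits(86).to_bytes(11, "big")  # 86 random bits in 11 bytes
    block = hashlib.sha1(seed).digest()              # 160-bit one-way "boost"
    return block[:16]                                # 128 bits for CAST-128

key = derive_cast128_key()
assert len(key) == 16
```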

1.2 The key exchange algorithms

The Diffie-Hellman method uses a group, a generator, and exponents. In
today's Internet standards, the group operation is based on modular
multiplication. Here, the group is defined by the multiplicative group
of an integer, typically a prime p = 2q + 1, where q is a prime, and
the arithmetic is done modulo p; the generator (which is often simply
2) is denoted by g.

In Diffie-Hellman, Alice and Bob first agree (in public or in private)
on the values for g and p. Alice chooses a secret large random integer
(a), and Bob chooses a secret random large integer (b). Alice sends Bob
A, which is g^a mod p; Bob sends Alice B, which is g^b mod p. Next,
Alice computes B^a mod p, and Bob computes A^b mod p. These two numbers
are equal, and the participants use a simple function of this number as
the symmetric key k.
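
The exchange just described can be sketched with toy-sized numbers.
The prime 2903 = 2*1451 + 1 is purely illustrative; as discussed later
in this document, real moduli must have hundreds or thousands of bits:

```python
import secrets

# Toy-sized Diffie-Hellman, following the exchange described above.
# p = 2q + 1 with q = 1451 prime; g = 2 is the generator.
p = 2903
g = 2

a = secrets.randbelow(p - 2) + 1      # Alice's secret large random integer
b = secrets.randbelow(p - 2) + 1      # Bob's secret large random integer

A = pow(g, a, p)                      # Alice sends A = g^a mod p
B = pow(g, b, p)                      # Bob sends B = g^b mod p

k_alice = pow(B, a, p)                # Alice computes B^a mod p
k_bob = pow(A, b, p)                  # Bob computes A^b mod p
assert k_alice == k_bob               # both hold g^(ab) mod p
```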

Note that Diffie-Hellman key exchange can be done over different kinds
of group representations. For instance, elliptic curves defined over
finite fields are a particularly efficient way to compute the key
exchange [SCH95].

For RSA key exchange, assume that Bob has a public key (m) which is
equal to p*q, where p and q are two secret prime numbers, and an
encryption exponent e, and a decryption exponent d. For the key
exchange, Alice sends Bob E = k^e mod m, where k is the secret
symmetric key being exchanged. Bob recovers k by computing E^d mod m,
and the two parties use k as their symmetric key. While Bob's
encryption exponent e can be quite small (e.g., 17 bits), his
decryption exponent d will have as many bits in it as m does.
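
The RSA exchange above can likewise be sketched with textbook-sized
parameters. The primes 61 and 53 and the key k are illustrative only;
real moduli are hundreds of bits, as section 2 discusses:

```python
# Toy-sized RSA key exchange, following the description above.
p, q = 61, 53
m = p * q                              # Bob's public modulus, 3233
e = 17                                 # small public encryption exponent
phi = (p - 1) * (q - 1)                # 3120
d = pow(e, -1, phi)                    # decryption exponent (Python 3.8+)

k = 1234                               # secret symmetric key, k < m
E = pow(k, e, m)                       # Alice sends E = k^e mod m
assert pow(E, d, m) == k               # Bob recovers k = E^d mod m
```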

2. Determining the Effort to Factor

The RSA public key encryption method is immune to brute force guessing
attacks because the modulus will have at least 512 bits. The Diffie-
Hellman exchange is also secure against guessing because the exponents
will have at least twice as many bits as the symmetric keys that will
be derived from them. However, both methods are susceptible to
mathematical attacks that determine the structure of the public keys.

Factoring an RSA modulus will result in complete compromise of the
security of the private key. Solving the discrete logarithm problem for
a Diffie-Hellman modular exponentiation system will similarly destroy
the security of all key exchanges using the particular modulus. This
document assumes that the difficulty of solving the discrete logarithm
problem is equivalent to the difficulty of factoring numbers that are
the same size as the modulus. In fact, it is slightly harder because it
requires more memory; based on empirical evidence so far, the ratio of
difficulty is at least 20, possibly as high as 64. Solving either
problem requires a great deal of memory for the last stage of the
algorithm, the matrix reduction step. Whether or not this memory
requirement will be the limiting factor in solving larger integer
problems remains to be seen. At the current time it is not, and advances
in parallel matrix algorithms are expected to mitigate the memory
requirements in the near future.

Nearly all cryptographers consider the number field sieve (NFS) [GOR93]
[LEN93] the best method today for solving the discrete logarithm
problem. The formula for estimating the number of simple arithmetic
operations needed to factor an integer, n, using the NFS method is:

     L(n) = k * e^((1.92 + o(1)) * cubrt(ln(n) * (ln(ln(n)))^2))

Many people prefer to discuss the number of MIPS years (MYs) that are
needed for large operations such as the number field sieve. For such an
estimation, an operation in the L(n) formula is one computer
instruction. Empirical evidence indicates that 4 or 5 instructions
might be a closer match, but this is a minor factor and this document
sticks with one operation/one instruction for this discussion.

2.1 Choosing parameters for the equation

The expression above has two parameters that must be estimated by
empirical means: k and o(1). Different authors take different
approaches to choosing the parameters:

- Some authors assume that k is 1 and o(1) is 0. This is reasonably
valid if the expression is only used for estimating relative effort
(instead of actual effort) and one assumes that the o(1) term is very
small over the range of the numbers that are to be factored.

- Other authors implicitly assume that o(1) is small and roughly
constant and thus its value can be folded into k; they then estimate k
from reported amounts of effort spent factoring large integers in
various factoring efforts.

This document uses the second approach.

Sample values from recent work with the number field sieve,
collected by RSA Labs, include:

Test name   Number of        Number of   MYs of effort
            decimal digits   bits
RSA130         130              430            500
RSA140         140              460           2000
RSA155         155              512           8000

There are no precise measurements of the amount of time used for these
factorizations. In most factorization tests, hundreds or thousands of
computers are used over a period of several months, but the number of
their cycles that were used for the factoring project, the precise
distribution of processor types, speeds, and so on are not usually
reported. However, in all cases, the amount of effort used was far less
than the L(n) formula would predict if k was 1 and o(1) was 0.

2.2 Choosing k from empirical reports

By solving for k from the empirical reports, it appears that k is
approximately 0.02. This means that the "effective key strength" of the
RSA algorithm is about 5.5 bits less than is implied by the naive
application of equation L(n) (that is, setting k to 1 and o(1) to 0).
These estimates of k are fairly stable over the numbers reported in the
table. The estimate is limited to a single significant digit of k
because it expresses real uncertainties; however, the effect of
additional digits would make only tiny changes to the recommended
key sizes.

The factorers of RSA130 used about 1700 MYs, but they felt that this
was unrealistically high for prediction purposes; by using more memory
on their machines, they could have easily reduced the time to 500 MYs.
Thus, the value used in preparing the table above was 500. This story
does, however, underscore the difficulty in getting an accurate measure
of effort. This document takes the reported effort for factoring RSA155
as being the most accurate measure.

As a result of examining the empirical data, it appears that the L(n)
formula can be used with the o(1) term set to 0 and with k set to 0.02
when talking about factoring numbers in the range of 100 to 200 decimal
digits. The equation becomes:

    L(n) =  0.02 * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))

To convert L(n) from simple math instructions to MYs, divide by
3*10^13. The equation for the number of MYs needed to factor an integer
n then reduces to:

    MYs = 6 * 10^(-16) * e^(1.92 * cubrt(ln(n) * (ln(ln(n)))^2))
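
The two fitted formulas above can be evaluated directly and checked
against the table in section 2.1. This sketch takes the modulus by its
bit length and expects only rough agreement (within a small factor) with
the reported 500, 2000, and 8000 MYs:

```python
import math

# L(n) in simple math instructions, with k = 0.02 and o(1) = 0,
# and its conversion to MIPS years (divide by 3e13).
def instructions(bits: int) -> float:
    ln_n = bits * math.log(2)
    return 0.02 * math.exp(1.92 * (ln_n * math.log(ln_n) ** 2) ** (1 / 3))

def mips_years(bits: int) -> float:
    return instructions(bits) / 3e13

# Rough agreement with the empirical table (RSA130/140/155):
for bits in (430, 460, 512):
    print(bits, round(mips_years(bits)))
```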

With what confidence can this formula be used for predicting the
difficulty of factoring slightly larger numbers?  The answer is that it
should be a close upper bound, but each factorization effort is usually
marked by some improvement in the algorithms or their implementations
that makes the running time somewhat shorter than the formula would
predict.

2.3 Pollard's rho method

In Diffie-Hellman exchanges, there is a second attack, Pollard's rho
method [POL78]. The algorithm relies on finding collisions between
values computed in a large number space; its expected running time is
proportional to the square root of the size of the space. Because of
Pollard's rho method, the search space in a DH key exchange for the key
(the exponent in a g^a term), must be twice as large as the symmetric
key. Therefore, to securely derive a key of K bits, an implementation
must use an exponent with at least 2*K bits.
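
The square-root behavior behind this requirement is the birthday
effect. The sketch below is not Pollard's rho itself (which finds
collisions with constant memory); it simply demonstrates, under a
small illustrative space size, that collisions appear after roughly
sqrt(pi*N/2) random draws from a space of size N:

```python
import math
import random

# Count random draws from a space of size `space` until a value repeats.
def draws_until_collision(space: int, rng: random.Random) -> int:
    seen = set()
    while True:
        v = rng.randrange(space)
        if v in seen:
            return len(seen) + 1
        seen.add(v)

rng = random.Random(42)                      # fixed seed for repeatability
space = 1 << 20                              # a 20-bit space
trials = [draws_until_collision(space, rng) for _ in range(50)]
avg = sum(trials) / len(trials)
expected = math.sqrt(math.pi * space / 2)    # about 2^10.3, not 2^20
print(round(avg), round(expected))
```

This is why a K-bit symmetric key needs a 2*K-bit exponent: a space of
2^(2K) yields collisions after about 2^K work.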

When the Diffie-Hellman key exchange is done using an elliptic curve
method, the NFS methods are of no avail. However, the collision
method is still effective, and the need for an exponent (called a
multiplier in EC's) with 2*K bits remains. However, the modulus
used for the computation can also be 2*K bits, and this will be
substantially smaller than the modulus needed for modular exponentiation
methods as the desired security level increases past 64 bits of
brute-force attack resistance.

2.4 Limits of large memory and many machines

Robert Silverman has examined the question of when it will be
practical to factor RSA moduli larger than 512 bits. His analysis is
based not just on the theoretical number of operations that underlies
this document; it also includes expectations about the availability of
actual machines for performing the work. He examines the question of
whether or not we can expect there to be enough machines, memory, and
communication to factor a very large number.

The best factoring methods need a lot of random access memory for
collecting data relations (sieving) and a critical final step that
does a row reduction on a large matrix. The memory requirements are
related to the size of the number being factored (or subjected to
discrete logarithm solution). Silverman [Silv2000] has argued
that there is a practical limit to the number of machines and the
amount of RAM that can be brought to bear on a single problem in the
foreseeable future. He sees two problems in attacking a 1024-bit RSA
modulus: the machines doing the sieving will need 64-bit address
spaces and the matrix row reduction machine will need 6 terabytes of
memory. Silverman notes that very few 64-bit machines have been sold,
and none of those machines have the 170 gigabytes of memory needed for
sieving. Nearly a billion such machines are necessary for the sieving
in a reasonable amount of time (a year or two).

Silverman's conclusion is that 1024-bit RSA moduli will not be factored
until about 2037. This implies a much longer lifetime to RSA keys
than the theoretical analysis indicates. He argues that predictions
about how many machines and memory modules will be available can be
made with great confidence, based on Moore's Law extrapolations and the
recent history of factoring efforts.

One should give the practical considerations a great deal of weight,
but in a risk analysis, perhaps the physical world is less
predictable than trend graphs would indicate. In considering how
much trust to put into the inability of the computer industry to
satisfy the voracious needs of factorers, one must have some insight
into economic considerations that are more complicated than the
mathematics of factoring. The demand for computer memory is hard to
predict because it is based on applications - a "killer app" might
come along any day and send the memory industry into a frenzy of
sales. The number of processors available on desktops may be limited
by the number of desks, but very capable embedded systems account for
more processor sales than desktops. As embedded systems absorb
networking functions, it is not unimaginable that millions of 64-bit
processors with gigabytes of memory will pervade our environment.

The bottom line on this is that the key length recommendations
predicted by theory may be overly conservative. This question
is one that should be reconsidered in light of current technology
on a regular basis.

2.5 Strong Enough Key, Not Enough Bits

If the key exchange or data protection method has a strength matched
to the strength of the needed symmetric key, there remains one
possible additional step, and that is to securely derive the actual
symmetric key. The usual recommendation is to use a good one-way hash
function applied to the base material (the result of the key exchange)
and to use a subset of the hash function output for the key. However,
if the desired key length is greater than the output of the hash
function, one might wonder how to reconcile the two.

The step of deriving extra key bits must satisfy these requirements:

- The bits must not reveal any information about the key exchange secret

- The bits must not be correlated with each other

- The bits must depend on all the bits of the key exchange secret

Any good cryptographic hash function satisfies these three
requirements. Note that the number of bits of output of the hash
function is not specified. That is because even a hash function with
a very short output can be iterated to produce more uncorrelated bits
with just a little bit of care.

Appendix B of [RFC2409] describes how to derive long keys from short
hash functions. Note that this does not increase the key strength at
all; it just produces a good, safe, set of bits for a long key. The
trick is to make sure the hash function is applied repeatedly to all
the bits of the key exchange and one or more additional varying (but
not secret) bits. At each stage, the output bits of the hash function
can be collected into the output key bits. The RFC 2409 method gets
the additional bits from the output of the previous stage:

               K1 = hash(keyexchangesecret | 0 )
               K2 = hash(keyexchangesecret | K1)
               . . .
               KN = hash(keyexchangesecret | KN-1)

This concatenation of K1 through KN constitutes a good set of
key bits.
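
The K1..KN construction above can be sketched as follows, assuming
SHA-1 as the hash; the secret value and function name are illustrative
only, and as noted, this expansion does not increase key strength:

```python
import hashlib

# RFC 2409 Appendix B style expansion: K1 = hash(secret | 0),
# Ki = hash(secret | Ki-1), and the output key is K1 | K2 | ...
def expand_key(secret: bytes, nbytes: int) -> bytes:
    out = b""
    k = hashlib.sha1(secret + b"\x00").digest()    # K1 = hash(secret | 0)
    out += k
    while len(out) < nbytes:
        k = hashlib.sha1(secret + k).digest()      # KN = hash(secret | KN-1)
        out += k
    return out[:nbytes]

long_key = expand_key(b"keyexchangesecret", 32)    # 256 key bits from SHA-1
assert len(long_key) == 32
```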

3. Time to Use the Algorithms

This section describes how long it takes to use the algorithms to
perform key exchanges. Again, it is important to consider the increased
time it takes to exchange symmetric keys when increasing the length of
public keys in order to not choose unfeasibly long public keys.

3.1 Diffie-Hellman Key Exchange

A Diffie-Hellman key exchange is done with a group G with a generator g
and an exponent x. As noted in the Pollard's rho method section, the
exponent has twice as many bits as are needed for the final key. Let
the size of the group G be p, let the number of bits in the base 2
representation of p be j, and let the number of bits in the exponent be
K.

In doing the operations that result in a shared key, a generator is
raised to a power. The most efficient way to do this involves squaring
a number K times and multiplying it several times along the way. Each
of the numbers has j/w computer words in it, where w is the number of
bits in a computer word (today that will be 32 or 64 bits).
A naive assumption is that you will need
to do K squarings and K/2 multiplies; fortunately, an efficient
implementation will need fewer. For the remainder of this section,
n represents j/w.

A squaring operation does not need to use quite as many operations as a
multiplication; a reasonable estimate is that squaring takes 0.6 times
the number of machine instructions of a multiply. If one prepares a table
ahead of time with several values of small integer powers of the
generator g, then only about one fifth as many multiplies are needed as
the naive formula suggests. Therefore, one needs to do the work of
approximately .8*K multiplies of n-by-n word numbers. Further, each
multiply and squaring must be followed by a modular reduction, and a
good assumption is that it is as hard to do a modular reduction as it
is to do an n-by-n word multiply. Thus, it takes K reductions for the
squarings and .2*K reductions for the multiplies. Summing this, the
total effort for a Diffie-Hellman key exchange with K bit exponents and
a modulus of n words is approximately 2*K n-by-n-word multiplies.

For 32-bit processors, integers that use less than about 30 computer
words in their representation require at least n^2 instructions for an
n-by-n-word multiply. Larger numbers can use less time per word, using
Karatsuba multiplications, and they will scale as about n^(1.58) for larger
n, but that is ignored for the current discussion. Note that 64-
bit processors push the "Karatsuba cross-over" number out to even more
bits.
The basic result is: if you double the size of the Diffie-Hellman
modular exponentiation group, you quadruple the number of operations
needed for the computation.
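
The cost model derived above can be captured in a few lines. This is a
sketch of the estimate, not a benchmark: roughly 2*K n-by-n-word
multiplies, each taking about n^2 instructions below the Karatsuba
cross-over:

```python
# Estimated instruction count for one Diffie-Hellman exponentiation:
# 2 * K multiplies of n-by-n words, where n = j/w, each costing n^2.
def dh_instructions(mod_bits: int, exp_bits: int, word_bits: int = 32) -> float:
    n = mod_bits / word_bits
    return 2 * exp_bits * n * n

# Doubling the modulus (same exponent size) quadruples the work:
ratio = dh_instructions(2048, 180) / dh_instructions(1024, 180)
assert ratio == 4.0
```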

3.1.1 Diffie-Hellman with elliptic curve groups

Note that the ratios for computation effort as a function of
modulus size hold even if you are using an elliptic curve
(EC) group for Diffie-Hellman. However, for equivalent security, one
can use smaller numbers in the case of elliptic curves. Assume that
someone has chosen a modular exponentiation group with a 2048-bit
modulus as being an appropriate security measure for a Diffie-Hellman
application and wants to determine what advantage there would be to
using an EC group instead. The calculation is relatively
straightforward, if you assume that on the average, it is about 20
times more effort to do a squaring or multiplication in an EC group
than in a modular exponentiation group. A rough estimate is that an EC
group with equivalent security has about 200 bits in its
representation. Then, assuming that the time is dominated by n-by-n-
word operations, the relative time is computed as:

    ((2048/200)^2)/20 ~= 5

showing that an elliptic curve implementation should be five times as
fast as a modular exponentiation implementation.

3.2 RSA encryption and decryption

Assume that an RSA public key uses a modulus with j bits; its factors
are two numbers of about j/2 bits each. The expected computation time
for encryption and decryption are different. Denote the number of words
in the machine representation of the modulus by the symbol n.

Most implementations of RSA use a small exponent for encryption. An
encryption may involve as few as 16 squarings and one multiplication,
using n-by-n-word operations. Each operation must be followed by a
modular reduction, and therefore the time complexity is about
16*(.6 + 1) + 1 + 1 ~= 28 n-by-n-word multiplies.

RSA decryption must use an exponent that has as many bits as the
modulus, j. However, the Chinese Remainder Theorem applies, and all the
computations can be done with a modulus of only n/2 words and an
exponent of only j/2 bits. The computation must be done twice, once for
each factor. The effort is equivalent to  2*(j/2) (n/2 by n/2)-word
multiplies. Because multiplying numbers with n/2 words is only 1/4 as
difficult as multiplying numbers with n words, the equivalent effort
for RSA decryption is j/4 n-by-n-word multiplies.

If you double the size of the modulus for RSA, the n-by-n multiplies
will take four times as long. Further, the decryption time doubles
because the exponent is larger. The overall scaling cost is a factor of
4 for encryption, a factor of 8 for decryption.
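
The RSA estimates above can be sketched the same way, in units of
machine instructions (again an estimate, not a benchmark):

```python
# Estimated instruction counts from the discussion above, where
# n = j/w words and each n-by-n-word multiply costs about n^2.
def rsa_encrypt_cost(mod_bits: int, word_bits: int = 32) -> float:
    n = mod_bits / word_bits
    return 28 * n * n                 # ~28 n-by-n-word multiplies

def rsa_decrypt_cost(mod_bits: int, word_bits: int = 32) -> float:
    n = mod_bits / word_bits
    return (mod_bits / 4) * n * n     # ~j/4 n-by-n-word multiplies (CRT)

# Doubling the modulus: encryption scales by 4, decryption by 8.
assert rsa_encrypt_cost(2048) / rsa_encrypt_cost(1024) == 4.0
assert rsa_decrypt_cost(2048) / rsa_decrypt_cost(1024) == 8.0
```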

3.3 Real-world examples

To make these numbers more real, here are a few examples of software
implementations run on current hardware. The examples are included to
show rough estimates of reasonable implementations; they are not
benchmarks. As with all software, the performance will depend on the
exact details of specialization of the code to the problem and the
specific hardware.

The best time informally reported for a 1024-bit modular exponentiation
(the decryption side of 2048-bit RSA), is 0.9 ms (about 450,000 CPU
cycles) on a 500 MHz Itanium processor. This shows that newer
processors are not losing ground on big number operations; the number of
instructions is less than a 32-bit processor uses for a 256-bit modular
exponentiation.

For less advanced processors, the following two tables (computed by
Tero Monenen at SSH Communications) give timings for modular
exponentiation, such as would be done in a Diffie-Hellman key exchange.

Celeron 400 MHz; compiled with GNU C compiler, optimized, some platform
specific coding optimizations:

    group  modulus   exponent    time
    type    size       size
     mod    768       ~150       18 msec
     mod   1024       ~160       32 msec
     mod   1536       ~180       82 msec
     ecn    155       ~150       35 msec
     ecn    185       ~200       56 msec

The group type is from RFC2409 and is either modular exponentiation
("mod") or elliptic curve ("ecn"). All sizes here and in subsequent
tables are in bits.

Alpha 500 MHz compiled with Digital's C compiler, optimized, no
platform specific code:

    group  modulus    exponent       time
    type    size       size
     mod    768       ~150          12 msec
     mod   1024       ~160          24 msec
     mod   1536       ~180          59 msec
     ecn    155       ~150          20 msec
     ecn    185       ~200          27 msec

The following two tables (computed by Eric Young) were originally
for RSA signing operations, using the Chinese Remainder representation.
For ease of understanding, the parameters are presented here to show the
interior calculations, i.e., the size of the modulus and exponent used
by the software.

Dual Pentium II-350:

     equiv      equiv         equiv
    modulus    exponent       time
     size        size
      256        256         1.5 ms
      512        512         8.6 ms
     1024       1024        55.4 ms
     2048       2048       387   ms

Alpha 264 600mhz:

     equiv       equiv        equiv
    modulus     exponent      time
     size        size
     512         512         1.4 ms

Current chips that accelerate exponentiation can perform 1024-bit
exponentiations (1024 bit modulus, 1024 bit exponent) in about 3
milliseconds.

4. Equivalences of Key Sizes

In order to determine how strong a public key is needed to protect a
particular symmetric key, you first need to determine how much effort
is needed to break the symmetric key. Most Internet security protocols
require the use of TripleDES for strong symmetric encryption, and it is
expected that the Advanced Encryption Standard (AES) will be adopted on
the Internet in the coming years. Therefore, these two
algorithms are discussed here.

If one could simply determine the number of MYs it takes to break
TripleDES, the task of computing the public key size of equivalent
strength would be easy. Unfortunately, that isn't the case here because
there are many examples of DES-specific hardware that encrypt faster
than DES in software on a standard CPU. Instead, one must determine the
equivalent cost for a system to break TripleDES and a system to break
the public key protecting a TripleDES key.

In 1998, the Electronic Frontier Foundation (EFF) built a DES-cracking
machine [GIL98] for US$130,000 that could test about 1e11 DES keys per
second (additional money was spent on the machine's design). The
machine's builders fully admit that the machine is not well optimized,
and it is estimated that ten times the amount of money could probably
create a machine about 50 times as fast. Assuming this optimization,
and guessing that a system to test TripleDES keys runs about as fast as
a system to test DES keys, approximately US$1 million might test 5e12
TripleDES keys per second.

In case your adversaries are much richer than EFF, you may want to
assume that they have US$1 trillion, enough to test 5e18 keys per
second. An exhaustive search of the TripleDES space of 2^112 keys with
this quite expensive system would take about 1e15 seconds or about 33
million years. (Note that such a system would also need 2^60 bytes of
RAM [MH81], which is considered free in this calculation). This seems a
needlessly conservative value. However, if computer logic speeds
continue to increase in accordance with Moore's Law (doubling in speed
every 1.5 years), then one might expect that in about 50 years, the
computation could be completed in only one year. For the purposes of
illustration, this 50 year resistance against a trillionaire is assumed
to be the minimum security requirement for a set of applications.
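
The 33-million-year figure above follows from simple arithmetic, which
can be checked directly:

```python
# A US$1 trillion system testing 5e18 TripleDES keys per second,
# exhaustively searching all 2^112 keys.
keys = 2 ** 112
keys_per_second = 5e18
seconds = keys / keys_per_second          # about 1e15 seconds
years = seconds / (365.25 * 24 * 3600)
print(f"{years:.2e}")                     # about 3.3e7, i.e. 33 million years
```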

If 112 bits of attack resistance is the system security requirement,
then the key exchange system for TripleDES should have equivalent
difficulty; that is to say, if the attacker has US$1 trillion, you want
him to spend all his money to buy hardware today and to know that he
will "crack" the key exchange in not less than 33 million years.
(Obviously, a rational attacker would wait for about 45 years before
actually spending the money, because he could then get much better
hardware, but all attackers benefit from this sort of wait equally.)

It is estimated that a typical PC CPU today can generate about 500 MIPs
and can be purchased for about US$100 in quantity; thus you get about 5
MIPs/US$. For one trillion US dollars, an attacker can get 5e12 MIP
years of computer instructions. This figure is used in the following
estimates of equivalent costs for breaking key exchange systems.

4.1 Key equivalence against special purpose brute force hardware

If the trillionaire attacker is to use conventional CPU's to "crack" a
key exchange for a 112 bit key in the same time that the special
purpose machine is spending on brute force search for the symmetric
key, the key exchange system must use an appropriately large modulus.
Assume that the trillionaire can perform 5e12 MYs of instructions per
year; over the 33 million years of the brute-force search, this is
about 5*10^33 simple math instructions. Use the following equation to
estimate the modulus size to use with RSA encryption or DH key
exchange:

    5*10^33 = 0.02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))

Solving this approximately for n yields:

    n = 10^(625) = 2^(2077)

Thus, assuming similar logic speeds and the current efficiency of the
number field sieve, moduli with about 2100 bits will have about the
same resistance against attack as a 112-bit TripleDES key. This
indicates that RSA public key encryption should use a modulus with
around 2100 bits; for a Diffie-Hellman key exchange, one could use a
slightly smaller modulus, but it is not a significant difference.
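
The modulus size can be recovered numerically from the
instruction-count form of the fitted formula in section 2.2
(L(n) = 0.02 * e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))). This sketch
bisects over the bit length, which works because L(n) is monotonic;
the budgets shown are the 5*10^33 instructions of this section and
the 1.5*10^26 instructions of the one-year attack in section 4.3:

```python
import math

# Instruction count to factor an integer of the given bit length.
def l_of_n(bits: float) -> float:
    ln_n = bits * math.log(2)
    return 0.02 * math.exp(1.92 * (ln_n * math.log(ln_n) ** 2) ** (1 / 3))

# Find the bit length whose factoring cost matches a budget, by bisection.
def bits_for_budget(instructions: float) -> float:
    lo, hi = 64.0, 16384.0
    while hi - lo > 0.5:
        mid = (lo + hi) / 2
        if l_of_n(mid) < instructions:
            lo = mid
        else:
            hi = mid
    return lo

print(round(bits_for_budget(5e33)))    # roughly 2100 bits (this section)
print(round(bits_for_budget(1.5e26)))  # roughly 1200 bits (section 4.3)
```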

4.2 Key equivalence against conventional CPU brute force attack

An alternative way of estimating this assumes that the attacker has a
less challenging requirement: he must only "crack" the key exchange in
less time than a brute force key search against the symmetric key would
take with general purpose computers. This is an "apples-to-apples"
comparison, because it assumes that the attacker needs only to have
computation donated to his effort, not built from a personal or
national fortune. The public key modulus will be larger than the one
in 4.1, because the symmetric key is going to be viable for a longer
period of time.

Assume that the number of conventional CPU instructions to encrypt a
block of material using TripleDES is 300. The estimated number of
computer instructions to break a 112-bit TripleDES key is:

    300 * 2^112
    = 1.6 * 10^(36)
    = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))

Solving this approximately for n yields:

    n = 10^(734) = 2^(2439)

Thus, for general purpose CPU attacks, you can assume that moduli with
about 2400 bits will have about the same strength against attack as a
112-bit TripleDES key. This indicates that RSA public key encryption
should use a modulus with around 2400 bits; for a Diffie-Hellman key
exchange, one could use a slightly smaller modulus, but the difference
is not significant.
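This arithmetic can be checked numerically. The sketch below (Python;
the variable names are ours, the constants .02, 1.92, and 300
instructions per TripleDES block are this document's) works in the log
domain and bisects for the matching modulus size:

```python
import math

# ln(300 * 2^112), the instruction count to brute-force 112-bit TripleDES
ln_target = math.log(300) + 112 * math.log(2)
print("%.1e" % math.exp(ln_target))    # 1.6e+36, as stated above

# Bisect for the ln(n) at which .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))
# reaches that instruction count.
lo, hi = 2.0, 1e6
for _ in range(200):
    mid = (lo + hi) / 2.0
    cost = math.log(0.02) + 1.92 * (mid * math.log(mid) ** 2) ** (1.0 / 3.0)
    if cost < ln_target:
        lo = mid
    else:
        hi = mid
print(round(lo / math.log(2)))         # ~2448 modulus bits, i.e. the
                                       # "about 2400 bits" quoted above
```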

Note that some authors assume that the algorithms underlying the number
field sieve will continue to get better over time. These authors
recommend an even larger modulus, over 4000 bits, for protecting a 112-
bit symmetric key for 50 years. This points out the difficulty of
long-term cryptographic security: it is all but impossible to predict
progress in mathematics and physics over such a long period of time.

4.3 A One Year Attack

Assuming a trillionaire spends his money today to buy hardware, what
size key exchange numbers could he "crack" in one year?  He can perform
5*10^12 MYs of instructions, or, at 3*10^13 instructions per MY:

    3*10^13 * 5*10^12 = .02*e^(1.92*cubrt(ln(n)*(ln(ln(n)))^2))

Solving for an approximation of n yields

    n = 10^(360) = 2^(1195)

This is about as many operations as it would take to crack an 80-bit
symmetric key by brute force.

Thus, for protecting data that has a secrecy requirement of one year
against an incredibly rich attacker, a key exchange modulus with about
1200 bits protecting an 80-bit symmetric key is safe even against a
nation's resources.
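The claim that this one-year budget is about the same effort as an
80-bit brute force search can be checked directly. In this sketch
(Python; variable names are ours, the model constants are this
document's, with 300 instructions per trial key as in section 4.2),
the two efforts agree to within half an order of magnitude:

```python
import math

ln_budget = math.log(3e13) + math.log(5e12)     # ln(1.5*10^26) instructions
ln_brute80 = math.log(300) + 80 * math.log(2)   # ln(300 * 2^80)

# Gap between the two efforts, in decimal orders of magnitude:
print("%.1f" % ((ln_brute80 - ln_budget) / math.log(10)))

# Modulus size whose NFS cost matches the one-year budget:
lo, hi = 2.0, 1e6
for _ in range(200):
    mid = (lo + hi) / 2.0
    cost = math.log(0.02) + 1.92 * (mid * math.log(mid) ** 2) ** (1.0 / 3.0)
    if cost < ln_budget:
        lo = mid
    else:
        hi = mid
print(round(lo / math.log(2)))                  # ~1194 bits; "about
                                                # 1200 bits" above
```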

4.4 Key equivalence for other ciphers

Extending this logic to the AES is straightforward. For purposes of
estimation for key searching, one can think of the 128-bit AES as being
at least 16 bits stronger than TripleDES but about 5 times as fast. The
time and cost for a brute force attack is therefore approximately 2^(14)
times that for TripleDES (2^16 more keys to search, reduced by the
factor-of-5 speedup), and thus the recommended key exchange modulus
sizes are more than 600 bits longer (based on the difficulty of
breaking a discrete log).
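The "more than 600 bits" figure can be reproduced from the section 4.2
cost model. This sketch (Python; the solver and its names are ours, the
constants are this document's) solves for the equivalent modulus at both
cost levels and prints the difference:

```python
import math

def modulus_bits(ln_target):
    """Modulus size (bits) whose NFS instruction count, per this
    document's .02*e^(1.92*cubrt(...)) model, matches ln_target."""
    lo, hi = 2.0, 1e6
    for _ in range(200):
        mid = (lo + hi) / 2.0
        cost = math.log(0.02) + 1.92 * (mid * math.log(mid) ** 2) ** (1.0 / 3.0)
        if cost < ln_target:
            lo = mid
        else:
            hi = mid
    return lo / math.log(2)

tdes = modulus_bits(math.log(300) + 112 * math.log(2))  # 112-bit TripleDES
aes = modulus_bits(math.log(300) + (112 + 14) * math.log(2))  # 2^14 harder
print(round(aes - tdes))   # ~696 extra modulus bits, i.e. "more than 600"
```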

If it is possible to design hardware for AES cracking that is
considerably more efficient than hardware for DES cracking, then the
moduli for protecting the key exchange can be made smaller. However, the
existence of such designs is only a matter of speculation at this early
moment in the AES lifetime.

The AES ciphers have key sizes of 128 bits up to 256 bits. Should a
prudent minimum security requirement, and thus the key exchange moduli,
have similar strengths? The answer to this depends on whether or not
one expects Moore's Law to continue unabated. If it continues, one would
expect 128 bit keys to be safe for about 60 years, and 256 bit keys
would be safe for another 400 years beyond that, far beyond any
imaginable security requirement. But such progress is difficult to
predict, as it exceeds the physical capabilities of today's devices and
would imply the existence of logic technologies that are unknown or
infeasible today. Quantum computing is a candidate, but too little is
known today to make confident predictions about its applicability to
cryptography (which itself might change over the next 100 years!).

If Moore's Law does not continue to hold, if no new computational
paradigms emerge, then keys of over 100 bits in length might well be
safe "forever". Note, however, that others have come up with estimates
based on assumptions of new computational paradigms emerging. For
example, Lenstra and Verheul's web-based paper "Selecting Cryptographic
Key Sizes" chooses a more conservative analysis than the one in this
document.

4.5 Table of effort comparisons

In this table it is assumed that attackers use general purpose
computers, that the hardware is purchased in the year 2000, and that
mathematical knowledge relevant to the problem remains the same as
today. This is a pure "apples-to-apples" comparison demonstrating how
the time for a key exchange scales with respect to the strength
requirement. The subgroup size for DSA is included, if that is being
used for supporting authentication as part of the protocol; the DSA
modulus must be as long as the DH modulus, but the size of the "q"
subgroup is also relevant.

   Symm. key    RSA or DH      DSA subgroup
   size         modulus size   size
   (bits)       (bits)         (bits)

     70           947          128
     80          1228          145
     90          1553          153
    100          1926          184
    150          4575          279
    200          8719          373
    250         14596          475
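The RSA/DH column of this table can be regenerated from the section 4.2
cost model. In the sketch below (Python; the solver and its names are
ours, the constants 300, .02, and 1.92 are this document's), the
computed sizes land within about one percent of the published figures,
the remainder being rounding in the document's own calculations:

```python
import math

def modulus_bits(symmetric_bits):
    """RSA/DH modulus size matching a brute-force search of the given
    symmetric key size, per this document's NFS instruction-count model
    (300 instructions per trial encryption)."""
    ln_target = math.log(300) + symmetric_bits * math.log(2)
    lo, hi = 2.0, 1e6
    for _ in range(200):
        mid = (lo + hi) / 2.0
        cost = math.log(0.02) + 1.92 * (mid * math.log(mid) ** 2) ** (1.0 / 3.0)
        if cost < ln_target:
            lo = mid
        else:
            hi = mid
    return round(lo / math.log(2))

for k in (70, 80, 90, 100, 150, 200, 250):
    print(k, modulus_bits(k))
```

The DSA subgroup sizes come from a separate model (Pollard rho against
the "q" subgroup) and are not reproduced here.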

5. Security Considerations

The equations and values given in this document are meant to be as
accurate as possible, based on the state of the art in general purpose
computers at the time that this document is being written. No
predictions can be completely accurate, and the formulas given here are
not meant to be definitive statements of fact about cryptographic
strengths. For example, some of the empirical results used in
calibrating the formulas in this document are probably not completely
accurate, and this inaccuracy affects the estimates. It is the authors'
hope that the numbers presented here vary from real world experience as
little as possible.

6. References

[DL] B. Dodson, A.K. Lenstra, NFS with four large primes: an explosive
experiment, Proceedings Crypto 95, Lecture Notes in Comput. Sci. 963,
(1995) 372-385.

[GIL98] J. Gilmore (Ed.), Cracking DES: Secrets of Encryption Research,
Wiretap Politics & Chip Design, Electronic Frontier Foundation,
O'Reilly & Associates, May 1998; ISBN 1565925203.

[GOR93] D. Gordon, "Discrete logarithms in GF(p) using the number field
sieve", SIAM Journal on Discrete Mathematics, 6 (1993), 124-138.

[LEN93] A. K. Lenstra, H. W. Lenstra, Jr. (eds), The development of the
number field sieve, Lecture Notes in Math, 1554, Springer Verlag,
Berlin, 1993.

[MH81] Merkle, R.C., and Hellman, M., "On the Security of Multiple
Encryption", Communications of the ACM, v. 24 n. 7, 1981, pp. 465-467.

[ODL95] A. M. Odlyzko, "The Future of Integer Factorization",
CryptoBytes (RSA Laboratories), Volume 1, No. 2, Summer 1995.

[ODL99] A. M. Odlyzko, Discrete logarithms: The past and the future,
Designs, Codes, and Cryptography (1999). To appear.

[POL78] J. Pollard, "Monte Carlo methods for index computation mod p",
Mathematics of Computation, 32 (1978), 918-924.

[RFC2409] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.

[SCH95] R. Schroeppel, et al., Fast Key Exchange With Elliptic Curve
Systems, In Don Coppersmith, editor, Advances in Cryptology -- CRYPTO
'95, volume 963 of Lecture Notes in Computer Science, pages 43-56, 27-
31 August 1995. Springer-Verlag

[SIL99] R. D. Silverman, "An Analysis of Shamir's Factoring Device",
RSA Laboratories Bulletin, Number 12, May 3, 1999.

[SIL00] R. D. Silverman, "A Cost-Based Security Analysis of Symmetric
and Asymmetric Key Lengths", RSA Laboratories Bulletin, Number 13,
April 2000.

A. Authors' Addresses

Hilarie Orman
Novell, Inc.
1800 South Novell Place
Provo, UT 84606

Paul Hoffman
Internet Mail Consortium and VPN Consortium
127 Segre Place
Santa Cruz, CA  95060 USA and