ECC vs RSA: how to compare key sizes?

Question

I know and I have understood the details of RSA, elliptic curve cryptography, (EC)DH and (EC)DSA.

I keep reading everywhere that (if we don't consider non-deterministic computers) "ECC can achieve the same level of security as RSA, but with lower key sizes". While I can guess why this is true, how do we mathematically prove that?

Here's what I think:

• The fastest algorithm for the ECC discrete logarithm problem is the Baby-step Giant-step, which is $O(2^{b/2})$ (https://en.wikipedia.org/wiki/Baby-step_giant-step).
• The fastest algorithm for the RSA problem/integer factorization is $O(\exp((64 b / 9)^{1/3} \cdot (\log b)^{2/3}))$ (http://en.wikipedia.org/wiki/Integer_factorization).

Here $b$ is the bit-length of the key/of the group order.

Therefore, an ECC key of $b_1$ bits has the same strength of an RSA key of $b_2$ bits when: $2^{b_1/2} \approx \exp((64 b_2 / 9)^{1/3} \cdot (\log b_2)^{2/3})$.

Using that formula I can calculate that if I have a 2048-bit RSA key, I can achieve the same level of security with a 273-bit ECC key. But this number (273) is too high.

My question is: is my reasoning wrong? Where is the mistake?

Answer 1

Your calculation is broken.

First as pointed out correctly the expected run-time of GNFS (general number field sieve) is: $$\text{O}\left(\exp\left[\left(\sqrt[3]{64/9}+\text{O}\left(1\right)\right)\cdot \sqrt[3]{\ln n}\cdot (\ln \ln n)^{2/3}\right]\right).$$

So next you can't just set these $\text{O}$s equal, as $\text{O}\left(f\left(x\right)\right)$ means $\text{O}\left(f\left(x\right)\right)< kf\left(x\right)$ which means this is an asymptotic upper bound meaning you need some reference point to find out the "$k$".

Now you'd need some way of comparing the "strengths" of the algorithms. In the paper of Lenstra and Verheul this is done using a reasonable recent attack on the cryptosystems, yielding the information that 1024 / 512 bit RSA takes needs X MIPS-Years and breaking 128-bit ECC takes Y MIPS-Years. Now as you know the growth functions you can calculate how the effort grows to obtain the effort you want to meet. This effort can be set equal to get a complex relation, which can only be solved numerically.

First data point: 512-bit number needs $10^4$ MIPS-Years.
Second data point: 108-bit attacked in $8\cdot 10^6$ MIPS-Years.

Formulas:

\begin{array}{lcr} E_{\text{RSA}}\left[2^{512}\right]={10}^4 & \Longrightarrow & \frac{E_{\text{RSA}}\left[2^x\right]}{E_{\text{RSA}}\left[2^{512}\right]}=\frac{X}{{10}^4} \\ E_{\text{ECC}}\left[2^{{108}}\right]=8 \cdot {10}^6 & \Longrightarrow & \frac{E_{\text{ECC}}[2^y]}{E_{\text{ECC}}[2^{108}]}= \frac{X}{(8\cdot {10}^6)} \\ \end{array}

Solving this for $X$ yields $$\frac{(8\cdot {10}^6)\cdot E_{\text{ECC}}\left[2^y\right]}{E_{\text{ECC}}\left[2^{108}\right]}=\frac{10^4 E_{\text{RSA}}\left[2^x\right]}{E_{\text{RSA}}\left[2^{512}\right]},$$ where $E_X\left[Y\right]$ denotes the effort required to attack the number $Y$ of scheme $X$ in MIPS-Years.

For $E_{\text{ECC}}\left[2^x\right]$ this is defined: $E_{\text{ECC}}\left[2^x\right]=2^{x/2}$ and for RSA on simply inserts $2^y$ into the formula of paragraph 2 (without the $\text{O}$).

My calculations yielded a 168-bit EC-key for 2048-bit RSA key, which is correct according to the Lenstra and Verheul paper if you want to compare now. They also consider comparing with "cryptanalytic progress for ECC enabled" yielding ~200 bits.