0

I'm just read this article from Atmel corporation in comparing RSA with ECC cryptography algorithms.

First of all please read these two paragraphs quoted from the article:

P1: Strength of an algorithm

The level of security in systems is becoming a primary concern as you would expect. Most cryptographic experts recommend that current systems offer at least 128 bits of security, but what does that really mean? Note that this is not the same thing as key length as many may think. Security comes from the combination of the specific algorithm and its key length. For example, it is generally thought that 128 bits of security can be achieved with 128-bit AES keys, 256-bit Elliptic Curve keys, and 3072-bit RSA keys. If implementation issues are ignored, then these algorithms with those specified key lengths will generally have the same level of security.

P2: Performance of an algorithm

When it comes to performance at 128-bit security levels, RSA is generally reported to be 10-times slower than ECC for private key operations such as signature generation or key management. The performance disparity expands dramatically at 256-bit security levels, where RSA is 50- to 100-times slower. RSA’s key generation is also very slow compared to ECC key generation, with the RSA’s being 100- to 1000-times slower. However, this may or may not be a significant consideration in systems that generate keys infrequently. It does matter for certain protocols or policies that require more frequent key generation. Public key signature validation is generally faster with RSA compared to ECC, which can provide a benefi

Well, I feel conflicts between these paragraphs. As far as I know, Required time to break an algorithm (An empty of bug one!) is the only thing that determine strength of that algorithm.

And what is this Required-Time depends on?

  1. NK --> Number of forms of key that is 2^(key-length).
  2. NI --> Number of instruction required to check a single key.

In the other words, algorithm A is stronger than algorithm B, only if NK*NI for algorithm A was greater than NK*NI for algorithm B. Am I right?

If so, why ECC-160 is stronger than RSA-1024? I mean, okay, based on the performance paragraph, RSA is only 10 times slower than ECC in this security level, but in return the attacker must check 2^1024 different keys in RSA instead of 2^160 keys of ECC!

Ebrahim Ghasemi
  • 185
  • 1
  • 10
  • 1
    For good symmetric ciphers brute-force at cost $2^{n-1}$ is the best attack. For ECC you can use a form of meet-in-the-middle attack (e.g. pollard's rho) to break it in $2^{n/2}$ time. For RSA you'd use a specialized algorithm called GNFS, which only has cost of about $2^{80}$ when factoring a 1024 bit modulus. – CodesInChaos Nov 17 '15 at 12:11
  • @CodesInChaos Thanks. 1- Why 2^(n-1)? Shouldn't it be 2^n?(n bit key length, have 2^n forms). – Ebrahim Ghasemi Nov 17 '15 at 12:23
  • @CodesInChaos 2- So both RSA and ECC need 2^80 operations. But RSA is slower than ECC., So RSA must be stronger, right? – Ebrahim Ghasemi Nov 17 '15 at 12:24
  • 1
  • The 2^80 for RSA is only a rough estimation of what the equivalent symmetric key strength would be. 2) Work factor is generally not used as precise cost, since the base value of "one operation" is context dependent. Since we generally aim for a security level much above what's feasible to break, we don't really care about those differences. Both RSA-1024 and ECC-160 are at the level were a well funded adversary might be able to break them. You should use RSA-2028 or ECC-224 nowadays which are a few billion times more expensive to break.
    • – CodesInChaos Nov 17 '15 at 12:35