0

Recently I have been researching asymmetric encryption algorithms for a class. I cannot find any information anywhere on the key lengths used in any of the algorithms I'm looking into (ElGamal & Elliptic Curve Cryptography).

Is there a range of valid key sizes?

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • Please focus your question on something that is answerable. There is a lot of information on how encryption works. If you did not find any yet, you didn't look hard enough. "Is there a range of valid key sizes?" can be answered. Providing literature is off topic here. –  Jan 24 '18 at 07:19
  • 1
    @S.L.Barth “Applied Cryptography” is seriously dated and focuses on algorithm descriptions and not on the general concepts. Ever since Cryptography Engineering came out, that's the book to recommend instead. But Schneier has competition nowadays. I suggest Boneh and Shoup's book whose draft is even freely available. – Gilles 'SO- stop being evil' Jan 24 '18 at 07:50
  • 1
    A useful source for key length recommendations for several algorithms is NIST Special Publication 800-57 Part 1 Revision 4 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf – Jonathan Rosenne Jan 24 '18 at 20:01
  • 3
    https://keylength.com contains not just tables with key sizes but also pointers to the most important literature on the subject. – Maarten Bodewes Jan 24 '18 at 23:35

3 Answers

2

Key size and encryption system

Encryption systems are often grouped into families. Common families include symmetric systems (e.g. AES) and asymmetric systems (e.g. RSA); they may alternatively be grouped according to the central algorithm used (e.g. elliptic curve cryptography).

As each of these is of a different level of cryptographic complexity, it is usual to have different key sizes for the same level of security, depending upon the algorithm used. For example, the security available with a 1024-bit key using asymmetric RSA is considered approximately equal in security to an 80-bit key in a symmetric algorithm.

The actual degree of security achieved over time varies, as more computational power and more powerful mathematical analytic methods become available. For this reason cryptologists tend to look at indicators that an algorithm or key length shows signs of potential vulnerability, to move to longer key sizes or more difficult algorithms. For example, as of May 2007, a 1039 bit integer was factored with the special number field sieve using 400 computers over 11 months. The factored number was of a special form; the special number field sieve cannot be used on RSA keys. The computation is roughly equivalent to breaking a 700 bit RSA key. However, this might be an advance warning that 1024 bit RSA used in secure online commerce should be deprecated, since they may become breakable in the near future. Cryptography professor Arjen Lenstra observed that "Last time, it took nine years for us to generalize from a special to a nonspecial, hard-to-factor number" and when asked whether 1024-bit RSA keys are dead, said: "The answer to that question is an unqualified yes."

The 2015 Logjam attack revealed additional dangers in using Diffie-Hellman key exchange when only one or a few common 1024-bit or smaller prime moduli are in use. This common practice allows large amounts of communications to be compromised at the expense of attacking a small number of primes.

According to this Wiki page

Also here are some more links to visit if you want to learn more about asymmetric cryptography:

asymmetric cryptography (public key cryptography)

Elliptic-curve cryptography

Elliptic-curve Cryptography Key Sizes

This 3rd link for Key Sizes is where it gets into some pretty complex methods, but if you really want to know Key length / sizes, then you will want to review that section.

WatchDog
  • 29
  • 2
  • Just posting links and quoting the wikipedia article does not constitute a valid answer. Try fleshing it out a little bit. What are the main points here that answer the OP's question? –  Jan 24 '18 at 07:10
  • I was trying to find links with the most amount of information since @Owen said he wasn't yet familiar with asymmetric cryptography. Also since it's a very large subject I knew it would get lengthy explaining it all out. – WatchDog Jan 24 '18 at 07:15
  • He also requested resources which is what the links were – WatchDog Jan 24 '18 at 07:16
  • The answer gives the impression that the 2015 Logjam attack has shown practical attacks of communications using (non-EC) DH with practical 1024-bit moduli, when that's not the case AFAIK. At this size, if there's a practical attack, those able to make it remain tight-lipped, AFAIK. – fgrieu Jan 26 '18 at 08:20
1

ElGamal encryption using arithmetic modulo a prime $p$ is fine till year 2030 regarding parameter size according to the recommendations of many (if not all) major security authorities, if:

  • $p$ is 3072 bits or more (that's $3\cdot2^{10}$ bits or 925 decimal digits), and randomly seeded (this excludes special form $p=r^k\pm s$ with small $r$ and $s$; see answers to this for why, and more generally what attacks the stated conditions are intended to prevent);
  • $p-1$ has a large prime factor $q$ of 256 bits or more (that's $2^8$ bits or about 77 decimal digits), up to and including one less bit than $p$ if $q=(p-1)/2$ is prime;
  • the generator $g$ used is of prime order $q$ and randomly seeded, and the message restricted to the subgroup generated by $g$ (however, it is fine to use order multiple of $q$ including $p-1$, and a random message used as secret for a key derivation function, as common with hybrid encryption).

This is believed to be on the safe side by a large margin, if we discount the possibility that quantum computers become usable for cryptanalysis.

Similarly, for ElGamal encryption using Elliptic Curve groups over field $\mathbb Z_p$ with $p$ prime, both $p$ and the order of the generator $g$ should be at least 256 bits; and the Elliptic Curve should obey a number of complex criteria, still being debated.

The classical reference site surveying recommendations on key size is keylength.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • 1
    Note that many ECC implementations do not accept any key size; you can only select particular curves with named pre-generated domain parameters. – Maarten Bodewes Jan 26 '18 at 09:39
1

The right answer is the one that crypto developers use as a standard, which is the RFC and usually related to FIPS within the US, National Institute of Standards and Technology (NIST). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (see page 27 for example) is probably the biggest de facto standard for how to do ECDSA outside of the RFCs themselves.

And one of the RFCs for ECDSA mathematics: https://www.rfc-editor.org/rfc/rfc6090

EC is different because different standards specify different curves, and I think they can vary depending on what you're using it for.

sk8ermeb
  • 11
  • 1