You are on page 1of 79

UNIT2PUBLICKEYENCRYPTION

NumberTheory Primenumber
Modulararithmetic Euclidsalgorithm
Fermets andEulerstheorem Primality
Chineseremaindertheorem Discrete
logarithm
PublickeycryptographyandRSA
Keydistribution Keymanagement
Diffie Hellmankeyexchange
Ellipticcurvecryptography
Slides CourtesyofWilliamStallings,Cryptography&NetworkSecurity,PearsonEducation,4thEdition
Chapter1NumberTheory

Primenumber
Modulararithmetic
Euclidsalgorithm
Fermets andEulerstheorem
Primality
Chineseremaindertheorem
Discretelogarithm
PrimeNumbers

primenumbersonlyhavedivisorsof1andself
theycannotbewrittenasaproductofothernumbers
note:1isprime,butisgenerallynotofinterest
eg.2,3,5,7areprime,4,6,8,9,10arenot
primenumbersarecentraltonumbertheory
listofprimenumberlessthan200is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
PrimeFactorisation

tofactor anumbern istowriteitasaproduct


ofothernumbers:n=a x b x c
notethatfactoringanumberisrelativelyhard
comparedtomultiplyingthefactorstogether
togeneratethenumber
the primefactorisation ofanumbern iswhen
itswrittenasaproductofprimes
eg.91=7x13 ; 3600=24x32x52
RelativelyPrime
Numbers&GCD
twonumbersa, b arerelativelyprime ifhaveno
commondivisors apartfrom1
eg.8&15arerelativelyprimesincefactorsof8are1,2,4,8
andof15are1,3,5,15and1istheonlycommonfactor
converselycandeterminethegreatestcommon
divisorbycomparingtheirprimefactorizationsand
usingleastpowers
eg.300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
ModularArithmetic

definemodulooperator a mod n tobe


remainderwhenaisdividedbyn
usethetermcongruence for:a = b mod n
whendividedbyn, a&bhavesameremainder
eg.100=34mod11
biscalledaresidue ofamodn
sincewithintegerscanalwayswrite:a = qn + b
usuallychosesmallestpositiveremainderasresidue
ie.0 <= b <= n-1
processisknownasmoduloreduction
eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
Divisors

sayanonzeronumberb divides a ifforsome


m havea=mb (a,b,m allintegers)
thatisb dividesintoa withnoremainder
denotethisb|a
andsaythatb isadivisor ofa
eg.allof1,2,3,4,6,8,12,24divide24
ModularArithmeticOperations

is'clockarithmetic'
usesafinitenumberofvalues,andloopsback
fromeitherend
modulararithmeticiswhendoaddition&
multiplicationandmoduloreduceanswer
candoreductionatanypoint,ie
a+b mod n = [a mod n + b mod n] mod n
ModularArithmetic

candomodulararithmeticwithanygroupof
integers: Zn = {0, 1, , n-1}
formacommutativeringforaddition
withamultiplicativeidentity
notesomepeculiarities
if(a+b)=(a+c) mod n
then b=c mod n
butif(a.b)=(a.c) mod n
then b=c mod n onlyif a isrelativelyprimeto n
Modulo8AdditionExample

+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
GreatestCommon
Divisor(GCD)
acommonprobleminnumbertheory
GCD(a,b)ofaandbisthelargestnumberthat
dividesevenlyintobothaandb
egGCD(60,24)=12
oftenwantnocommonfactors (except1)and
hencenumbersarerelativelyprime
egGCD(8,15)=1
hence8&15arerelativelyprime
EuclideanAlgorithm

anefficientwaytofindtheGCD(a,b)
usestheoremthat:
GCD(a,b) = GCD(b, a mod b)
EuclideanAlgorithmtocomputeGCD(a,b)is:
EUCLID(a,b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2
ExampleGCD(1970,1066)

1970 = 1 x 1066 + 904 gcd(1066, 904)


1066 = 1 x 904 + 162 gcd(904, 162)
904 = 5 x 162 + 94 gcd(162, 94)
162 = 1 x 94 + 68 gcd(94, 68)
94 = 1 x 68 + 26 gcd(68, 26)
68 = 2 x 26 + 16 gcd(26, 16)
26 = 1 x 16 + 10 gcd(16, 10)
16 = 1 x 10 + 6 gcd(10, 6)
10 = 1 x 6 + 4 gcd(6, 4)
6 = 1 x 4 + 2 gcd(4, 2)
4 = 2 x 2 + 0 gcd(2, 0)
Fermat'sTheorem

ap-1 = 1 (mod p)
wherep isprimeandgcd(a,p)=1
alsoknownasFermatsLittleTheorem
alsoap = p (mod p)
usefulinpublickeyandprimalitytesting
EulerTotientFunction(n)

whendoingarithmeticmodulon
completesetofresidues is:0..n-1
reducedsetofresidues isthosenumbers(residues)
whicharerelativelyprimeton
egforn=10,
completesetofresiduesis{0,1,2,3,4,5,6,7,8,9}
reducedsetofresiduesis{1,3,7,9}
numberofelementsinreducedsetofresiduesis
calledtheEulerTotientFunction(n)
EulerTotientFunction(n)

tocompute(n)needtocountnumberof
residuestobeexcluded
ingeneralneedprimefactorization,but
forp(pprime) (p) = p-1
forp.q(p,qprime) (pq) =(p-1)x(q-1)
eg.
(37) = 36
(21) = (31)x(71) = 2x6 = 12
Euler'sTheorem

ageneralisationofFermat'sTheorem
a(n) = 1 (mod n)
foranya,n wheregcd(a,n)=1
eg.
a=3;n=10; (10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; (11)=10;
hence 210 = 1024 = 1 mod 11
PrimalityTesting

oftenneedtofindlargeprimenumbers
traditionallysieve usingtrialdivision
ie.dividebyallnumbers(primes)inturnlessthanthe
squarerootofthenumber
onlyworksforsmallnumbers
alternativelycanusestatisticalprimalitytestsbased
onpropertiesofprimes
forwhichallprimesnumberssatisfyproperty
butsomecompositenumbers,calledpseudoprimes,also
satisfytheproperty
canuseaslowerdeterministicprimalitytest
ChineseRemainderTheorem

usedtospeedupmodulocomputations
ifworkingmoduloaproductofnumbers
eg.mod M = m1m2..mk
ChineseRemaindertheoremletsusworkin
eachmodulimiseparately
sincecomputationalcostisproportionalto
size,thisisfasterthanworkinginthefull
modulusM
ChineseRemainderTheorem

canimplementCRTinseveralways
tocomputeA(mod M)
firstcomputeallai = A mod mi separately
determineconstantsci below,whereMi = M/mi
thencombineresultstogetanswerusing:
PrimitiveRoots

fromEulerstheoremhavea(n)mod n=1
consideram=1 (mod n), GCD(a,n)=1
mustexistform = (n) butmaybesmaller
oncepowersreachm,cyclewillrepeat
ifsmallestism = (n) thena iscalledaprimitive
root
ifp isprime,thensuccessivepowersofa "generate"
thegroupmod p
theseareusefulbutrelativelyhardtofind
DiscreteLogarithms

theinverseproblemtoexponentiationistofindthe
discretelogarithm ofanumbermodulop
thatistofindx suchthaty = gx (mod p)
thisiswrittenasx = logg y (mod p)
ifgisaprimitiverootthenitalwaysexists,otherwise
itmaynot,eg.
x=log3 4mod13hasnoanswer
x=log2 3mod13=4bytryingsuccessivepowers
whilstexponentiationisrelativelyeasy,finding
discretelogarithmsisgenerallyahard problem
Summary

haveconsidered:
primenumbers
FermatsandEulersTheorems&(n)
PrimalityTesting
ChineseRemainderTheorem
DiscreteLogarithms
Chapter2Publickey
cryptography

Publickeycryptography
RSA
PrivateKeyCryptography

traditionalprivate/secret/singlekey
cryptographyusesone key
sharedbybothsenderandreceiver
ifthiskeyisdisclosedcommunicationsare
compromised
alsoissymmetric,partiesareequal
hencedoesnotprotectsenderfromreceiver
forgingamessage&claimingissentbysender
PublicKeyCryptography

probablymostsignificantadvanceinthe3000
yearhistoryofcryptography
usestwo keys apublic&aprivatekey
asymmetric sincepartiesarenot equal
usescleverapplicationofnumbertheoretic
conceptstofunction
complementsratherthan replacesprivatekey
crypto
WhyPublicKeyCryptography?

developedtoaddresstwokeyissues:
keydistribution howtohavesecure
communicationsingeneralwithouthavingtotrust
aKDCwithyourkey
digitalsignatures howtoverifyamessage
comesintactfromtheclaimedsender
publicinventionduetoWhitfieldDiffie&
MartinHellmanatStanfordUniin1976
knownearlierinclassifiedcommunity
PublicKeyCryptography

publickey/twokey/asymmetric cryptography
involvestheuseoftwo keys:
apublickey,whichmaybeknownbyanybody,andcanbe
usedtoencryptmessages,andverifysignatures
aprivatekey,knownonlytotherecipient,usedtodecrypt
messages,andsign (create) signatures
isasymmetric because
thosewhoencryptmessagesorverifysignaturescannot
decryptmessagesorcreatesignatures
PublicKeyCryptography
PublicKeyCharacteristics

PublicKeyalgorithmsrelyontwokeyswhere:
itiscomputationallyinfeasibletofinddecryptionkey
knowingonlyalgorithm&encryptionkey
itiscomputationallyeasytoen/decryptmessageswhen
therelevant(en/decrypt)keyisknown
eitherofthetworelatedkeyscanbeusedforencryption,
withtheotherusedfordecryption(forsomealgorithms)
PublicKeyCryptosystems
PublicKeyApplications

canclassifyusesinto3categories:
encryption/decryption (providesecrecy)
digitalsignatures (provideauthentication)
keyexchange (ofsessionkeys)
somealgorithmsaresuitableforalluses,
othersarespecifictoone
SecurityofPublicKeySchemes

likeprivatekeyschemesbruteforceexhaustive
search attackisalwaystheoreticallypossible
butkeysusedaretoolarge(>512bits)
securityreliesonalargeenough differencein
difficultybetweeneasy (en/decrypt)andhard
(cryptanalyse)problems
moregenerallythehard problemisknown,butis
madehardenoughtobeimpracticaltobreak
requirestheuseofverylargenumbers
henceisslow comparedtoprivatekeyschemes
RSA

byRivest,Shamir&AdlemanofMITin1977
bestknown&widelyusedpublickeyscheme
basedonexponentiationinafinite(Galois)fieldover
integersmoduloaprime
nb.exponentiationtakesO((logn)3)operations(easy)
useslargeintegers(eg.1024bits)
securityduetocostoffactoringlargenumbers
nb.factorizationtakesO(elognloglogn)operations(hard)
RSAKeySetup

eachusergeneratesapublic/privatekeypairby:
selectingtwolargeprimesatrandom p, q
computingtheirsystemmodulusn=p.q
note(n)=(p-1)(q-1)
selectingatrandomtheencryptionkeye
where1<e<(n), gcd(e,(n))=1
solvefollowingequationtofinddecryptionkeyd
e.d=1 mod (n) and 0dn
publishtheirpublicencryptionkey:PU={e,n}
keepsecretprivatedecryptionkey:PR={d,n}
RSAUse

toencryptamessageMthesender:
obtainspublickey ofrecipientPU={e,n}
computes:C = Me mod n,where0M<n
todecrypttheciphertextCtheowner:
usestheirprivatekeyPR={d,n}
computes:M = Cd mod n
notethatthemessageMmustbesmaller
thanthemodulusn(blockifneeded)
WhyRSAWorks

becauseofEuler'sTheorem:
a(n)mod n = 1 wheregcd(a,n)=1
inRSAhave:
n=p.q
(n)=(p-1)(q-1)
carefullychosee &d tobeinversesmod (n)
hencee.d=1+k.(n) forsomek
hence:
Cd = Me.d = M1+k.(n) = M1.(M(n))k
= M1.(1)k = M1 = M mod n
RSAExample KeySetup

1. Selectprimes:p=17 & q=11


2. Compute n = pq =17 x 11=187
3. Compute (n)=(p1)(q-1)=16 x 10=160
4. Selecte: gcd(e,160)=1; choosee=7
5. Determined: de=1 mod 160 andd < 160
Valueisd=23 since23x7=161= 10x160+1
6. PublishpublickeyPU={7,187}
7. KeepsecretprivatekeyPR={23,187}
RSAExample En/Decryption

sampleRSAencryption/decryptionis:
givenmessageM = 88 (nb.88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
Exponentiation

canusetheSquareandMultiplyAlgorithm
afast,efficientalgorithmforexponentiation
conceptisbasedonrepeatedlysquaringbase
andmultiplyingintheonesthatareneededto
computetheresult
lookatbinaryrepresentationofexponent
onlytakesO(log2 n)multiplesfornumbern
eg.75 = 74.71 = 3.7 = 10 mod 11
eg.3129 = 3128.31 = 5.3 = 4 mod 11
Exponentiation

c = 0; f = 1
for i = k downto 0
do c = 2 x c
f = (f x f) mod n
if bi == 1 then
c = c + 1
f = (f x a) mod n
return f
EfficientEncryption

encryptionusesexponentiationtopowere
henceifesmall,thiswillbefaster
oftenchoosee=65537(2161)
alsoseechoicesofe=3ore=17
butifetoosmall(ege=3)canattack
usingChineseremaindertheorem&3messages
withdifferentmodulii
ifefixedmustensuregcd(e,(n))=1
ierejectanyporqnotrelativelyprimetoe
EfficientDecryption

decryptionusesexponentiationtopowerd
thisislikelylarge,insecureifnot
canusetheChineseRemainderTheorem
(CRT)tocomputemodp&qseparately.then
combinetogetdesiredanswer
approx4timesfasterthandoingdirectly
onlyownerofprivatekeywhoknowsvalues
ofp&qcanusethistechnique
RSAKeyGeneration

usersofRSAmust:
determinetwoprimesatrandom p, q
selecteithere ord andcomputetheother
primesp,q mustnotbeeasilyderivedfrom
modulusn=p.q
meansmustbesufficientlylarge
typicallyguessanduseprobabilistictest
exponentse,d areinverses,souseInverse
algorithmtocomputetheother
RSASecurity

possibleapproachestoattackingRSAare:
bruteforcekeysearch(infeasiblegivensizeof
numbers)
mathematicalattacks(basedondifficultyof
computing(n),byfactoringmodulusn)
timingattacks(onrunningofdecryption)
chosenciphertextattacks(givenpropertiesof
RSA)
FactoringProblem

mathematicalapproachtakes3forms:
factorn=p.q,hencecompute(n) andthend
determine(n) directlyandcomputed
findddirectly
currentlybelieveallequivalenttofactoring
haveseenslowimprovementsovertheyears
asofMay05bestis200decimaldigits(663)bitwithLS
biggestimprovementcomesfromimprovedalgorithm
cfQStoGHFStoLS
currentlyassume10242048bitRSAissecure
ensurep,qofsimilarsizeandmatchingotherconstraints
TimingAttacks

developedbyPaulKocherinmid1990s
exploittimingvariationsinoperations
eg.multiplyingbysmallvslargenumber
orIF'svaryingwhichinstructionsexecuted
inferoperandsizebasedontimetaken
RSAexploitstimetakeninexponentiation
countermeasures
useconstantexponentiationtime
addrandomdelays
blindvaluesusedincalculations
ChosenCiphertextAttacks

RSA is vulnerable to a Chosen Ciphertext


Attack (CCA)
attackers chooses ciphertexts & gets
decrypted plaintext back
choose ciphertext to exploit properties of
RSA to provide info to help cryptanalysis
can counter with random pad of plaintext
or use Optimal Asymmetric Encryption
Padding (OASP)
Summary

haveconsidered:
principlesofpublickeycryptography
RSAalgorithm,implementation,security
Chapter3KeyManagement

Keydistribution Keymanagement Diffie


Hellmankeyexchange
KeyManagement

publickeyencryptionhelpsaddresskey
distributionproblems
havetwoaspectsofthis:
distributionofpublickeys
useofpublickeyencryptiontodistributesecret
keys
DistributionofPublicKeys

canbeconsideredasusingoneof:
publicannouncement
publiclyavailabledirectory
publickeyauthority
publickeycertificates
PublicAnnouncement

usersdistributepublickeystorecipientsor
broadcasttocommunityatlarge
eg.appendPGPkeystoemailmessagesorpostto
newsgroupsoremaillist
majorweaknessisforgery
anyonecancreateakeyclaimingtobesomeone
elseandbroadcastit
untilforgeryisdiscoveredcanmasqueradeas
claimeduser
PubliclyAvailableDirectory

canobtaingreatersecuritybyregisteringkeys
withapublicdirectory
directorymustbetrustedwithproperties:
contains{name,publickey}entries
participantsregistersecurelywithdirectory
participantscanreplacekeyatanytime
directoryisperiodicallypublished
directorycanbeaccessedelectronically
stillvulnerabletotamperingorforgery
PublicKeyAuthority

improvesecuritybytighteningcontrolover
distributionofkeysfromdirectory
haspropertiesofdirectory
andrequiresuserstoknowpublickeyforthe
directory
thenusersinteractwithdirectorytoobtain
anydesiredpublickeysecurely
doesrequirerealtimeaccesstodirectorywhen
keysareneeded
PublicKeyAuthority
PublicKeyCertificates

certificatesallowkeyexchangewithoutreal
timeaccesstopublickeyauthority
acertificatebindsidentity topublickey
usuallywithotherinfosuchasperiodofvalidity,
rightsofuseetc
withallcontentssigned byatrustedPublic
KeyorCertificateAuthority(CA)
canbeverifiedbyanyonewhoknowsthe
publickeyauthoritiespublickey
PublicKeyCertificates
PublicKeyDistribution
ofSecretKeys
usepreviousmethodstoobtainpublickey
canuseforsecrecyorauthentication
butpublickeyalgorithmsareslow
sousuallywanttouseprivatekeyencryption
toprotectmessagecontents
henceneedasessionkey
haveseveralalternativesfornegotiatinga
suitablesession
SimpleSecretKeyDistribution

proposedbyMerklein1979
Ageneratesanewtemporarypublickeypair
AsendsBthepublickeyandtheiridentity
BgeneratesasessionkeyKsendsittoA
encryptedusingthesuppliedpublickey
Adecryptsthesessionkeyandbothuse
problemisthatanopponentcaninterceptand
impersonatebothhalvesofprotocol
PublicKeyDistribution
ofSecretKeys
ifhavesecurelyexchangedpublickeys:
HybridKeyDistribution

retainuseofprivatekeyKDC
sharessecretmasterkeywitheachuser
distributessessionkeyusingmasterkey
publickeyusedtodistributemasterkeys
especiallyusefulwithwidelydistributedusers
rationale
performance
backwardcompatibility
DiffieHellmanKeyExchange

firstpublickeytypeschemeproposed
byDiffie&Hellmanin1976alongwiththe
expositionofpublickeyconcepts
note:nowknowthatWilliamson (UKCESG)
secretlyproposedtheconceptin1970
isapracticalmethodforpublicexchangeofa
secretkey
usedinanumberofcommercialproducts
DiffieHellmanKeyExchange

apublickeydistributionscheme
cannotbeusedtoexchangeanarbitrarymessage
ratheritcanestablishacommonkey
knownonlytothetwoparticipants
valueofkeydependsontheparticipants(andtheir
privateandpublickeyinformation)
basedonexponentiationinafinite(Galois)field
(moduloaprimeorapolynomial) easy
securityreliesonthedifficultyofcomputingdiscrete
logarithms(similartofactoring) hard
DiffieHellmanSetup

allusersagreeonglobalparameters:
largeprimeintegerorpolynomialq
a beingaprimitiverootmodq
eachuser(eg.A)generatestheirkey
choosesasecretkey(number):xA < q
xA
computetheirpublickey:yA = a mod q
eachusermakespublicthatkeyyA
DiffieHellmanKeyExchange

sharedsessionkeyforusersA&BisKAB:
xA.xB
KAB = a mod q
xB
= yA mod q (which B can compute)
x
= yB A mod q (which A can compute)
KAB isusedassessionkeyinprivatekeyencryption
schemebetweenAliceandBob
ifAliceandBobsubsequentlycommunicate,theywill
havethesame keyasbefore,unlesstheychoose
newpublickeys
attackerneedsanx,mustsolvediscretelog
DiffieHellmanExample

usersAlice&Bobwhowishtoswapkeys:
agreeonprimeq=353 anda=3
selectrandomsecretkeys:
AchoosesxA=97, BchoosesxB=233
computerespectivepublickeys:
97
yA=3 mod 353 = 40 (Alice)
233
yB=3 mod 353 = 248 (Bob)
computesharedsessionkeyas:
x 97
KAB= yB A mod 353 = 248 = 160 (Alice)
x 233
KAB= yA B mod 353 = 40 = 160 (Bob)
KeyExchangeProtocols

userscouldcreaterandomprivate/publicDH
keyseachtimetheycommunicate
userscouldcreateaknownprivate/publicDH
keyandpublishinadirectory,thenconsulted
andusedtosecurelycommunicatewiththem
bothofthesearevulnerabletoameetinthe
MiddleAttack
authenticationofthekeysisneeded
Chapter4Ellipticcurve
cryptography

Ellipticcurvecryptography
EllipticCurveCryptography

majorityofpublickeycrypto(RSA,DH)use
eitherintegerorpolynomialarithmeticwith
verylargenumbers/polynomials
imposesasignificantloadinstoringand
processingkeysandmessages
analternativeistouseellipticcurves
offerssamesecuritywithsmallerbitsizes
newer,butnotaswellanalysed
RealEllipticCurves

anellipticcurveisdefinedbyanequationin
twovariablesx&y,withcoefficients
consideracubicellipticcurveofform
y2 =x3 +ax+b
wherex,y,a,bareallrealnumbers
alsodefinezeropointO
haveadditionoperationforellipticcurve
geometricallysumofQ+Risreflectionof
intersectionR
RealEllipticCurveExample
FiniteEllipticCurves

Ellipticcurvecryptographyusescurveswhose
variables&coefficientsarefinite
havetwofamiliescommonlyused:
primecurvesEp(a,b) definedoverZp
useintegersmoduloaprime
bestinsoftware
binarycurvesE2m(a,b) definedoverGF(2n)
usepolynomialswithbinarycoefficients
bestinhardware
EllipticCurveCryptography

ECCadditionisanalogofmodulomultiply
ECCrepeatedadditionisanalogofmodulo
exponentiation
needhardproblemequivtodiscretelog
Q=kP,whereQ,Pbelongtoaprimecurve
iseasytocomputeQgivenk,P
buthardtofindkgivenQ,P
knownastheellipticcurvelogarithmproblem
Certicomexample:E23(9,17)
ECCDiffieHellman

candokeyexchangeanalogoustoDH
usersselectasuitablecurveEp(a,b)
selectbasepointG=(x1,y1)
withlargeorderns.t.nG=O
A&BselectprivatekeysnA<n, nB<n
computepublickeys:PA=nAG, PB=nBG
computesharedkey:K=nAPB, K=nBPA
samesinceK=nAnBG
ECCEncryption/Decryption

severalalternatives,willconsidersimplest
mustfirstencodeanymessageMasapointonthe
ellipticcurvePm
selectsuitablecurve&pointGasinDH
eachuserchoosesprivatekeynA<n
andcomputespublickeyPA=nAG
toencryptPm :Cm={kG, Pm+kPb},krandom
decryptCm compute:
Pm+kPbnB(kG) = Pm+k(nBG)nB(kG) = Pm
ECCSecurity

reliesonellipticcurvelogarithmproblem
fastestmethodisPollardrhomethod
comparedtofactoring,canusemuchsmaller
keysizesthanwithRSAetc
forequivalentkeylengthscomputationsare
roughlyequivalent
henceforsimilarsecurityECCofferssignificant
computationaladvantages
ComparableKeySizesfor
EquivalentSecurity

Symmetric ECC-based RSA/DSA


scheme scheme (modulus size
(key size in (size of n in in bits)
bits) bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360
Summary

haveconsidered:
distributionofpublickeys
publickeydistributionofsecretkeys
DiffieHellmankeyexchange
EllipticCurvecryptography

You might also like