Blog

Categories:
2. 11. 2024
Cryptography
Security equivalent and key length

Security equivalent and key length

Different key material lengths are often used when using cryptography, yet it is claimed that they have the same resistance. Aren't we counting apples and pears together?

Why is the security equivalent important? Is the key length a correct rating?

Cryptographic protection is based on encryption, and some key material is always needed for encryption. However, for symmetric ciphers, the key is very short and for asymmetric ciphers, the key is very long, apart from which the algorithm differs from the algorithm. So does it make sense to work with the key length at all? And how does the security of the algorithm be determined? For a start, before we go any further, it is necessary to quickly stop at the term key, because everyone understands something different under it.

Password and key

In a very simplified way, the password is input from the user, but the key is generated by the system. Generally based on user input. Unfortunately, a password like a user input is often predictable and not random enough. That's why reasonable programs have methods for distilling sufficiently random and unpredictable key material from a password. These functions are called the key derivation function (KDF). If your software doesn't use it or doesn't know it, stay alert and get your money back. In this article, we'll deal with the key material and its properties, and the password itself doesn't interest us all that much.

Key material for asymmetric ciphers

Asymmetrical ciphers have the biggest differences in key length. Asymmetrical, because the key is used asymmetrically. For example, a private key is designed for signing a document, and a public key (which is derived from a private key) allows all of its holders to verify the authenticity of the signature. But how come the RSA algorithm with a 3072b key and the ECDSA algorithm with a 256b key have the same security? I guess the question is whether there's some kind of betrayal. But there really isn't. Security can be compared quite simply, using the so-called security equivalent. And according to the said equivalent, all is well. The length of the keys, on the other hand, is used as a recommendation to avoid mistakes. Especially if someone doesn't know the security equivalent. So, how is it possible to calculate this equivalent?

What is the security equivalent

If I have a task, I can fairly accurately express its complexity. Whether I will need a thousand, a million, a billion operations or more. Since we are talking about the world of computers, I can express complexity as a power, for example, 2^20, 2^64, 2^128. So how many operations do I need to successfully solve the problem. And here's the important figure. The security equivalent of 128b means that I need 2^128 operations. And the number 2^128 can be expressed as a 128b number. So it's not appropriate to calculate the length of the key, but the complexity. And complexity is nothing else than the difficulty of solving the problem. At the same time, such a statement of complexity can be used as a universal translation of the ability to protect symmetric and asymmetric algorithms, hashes and, under certain conditions, passwords. The truth is that in the case of passwords, this is already an extreme interpretation of the security equivalent.

Security equivalent for RSA algorithm

The RSA algorithm is currently (2024) still used for the purposes of digital signature and key agreement. Its security provides the difficulty of factoring large numbers. In translation, this means a way to find two primes whose mutual multiplication produces this large number. Currently, the most effective method on classical computers is the so-called General Number Field Sieve (GNFS), on quantum computers the Shorr algorithm (based on QFT - Quantum Fourier Transformation). In the case of GNFS, our ability to attack this algorithm is very limited. Another disadvantage of the RSA algorithm is its sub-exponential complexity. In translation, this means that its resistance to attacks grows more slowly than the size of the key. Thanks to this, we can easily encounter technical limitations e.g. in popular protocols SSL/TLS, SSH, IPSec and others. For an idea of these dependencies, it is possible to provide a table for conversion to and from the security equivalent, which looks like this. An explanation of the impacts of quantum computers on asymmetric algorithms will be in another article.

RSA Key Width51276810242048307240968192163843276865536
Security equivalent647787117139157209326365481
Security equivalent6480112128168192224256384512
RSA Key Width51485118552540485767109763135503710076608

Security equivalent for algorithms: Diffie-Hellman, ElGamal, Schnorr signature and DSA

These algorithms use the discrete logarithm problem in a body for protection. In this case, under a numerical body, we mean additive (i.e. single numbers are increased by a certain number each time, usually by 1 or 2, resulting in the remainder after division by a prime number) or multiplicative (single numbers are multiplied by a certain number, resulting in the remainder after division by a prime number) group. In simple terms, it's easy to raise some numbers in such a body, but practically impossible to square those numbers. To give you an idea, if we use modular multiplication (i.e. multiply by two numbers, multiply by divide by the chosen prime number, resulting in the remainder), we can easily write 5*8 mod 13 = 1. In this case, it's challenging, but still possible, to find which number multiplied by 5. But even if we have 5^8 mod 13, the situation is much worse. We're not able to figure out if it was 8, 10, 92 ... or maybe it was another number? In any case, it is still a primary school curriculum. To derive complexity, it is possible to use the so-called. Pollard's algorithm, which allows classical computers to attack this structure, on quantum computers it is again a modified Shore algorithm algorithm (uses QFT - Quantum Fourier Transformation). Interestingly, although the complexity of attacking these algorithms is significantly higher, is a key of similar size to RSA. However, this is due to the design of the key. It contains both a body definition and a generator (i.e. from what point starts with the calculation), so the public key. Because the information is quite large, a similar situation arises with the size of the resulting keys like the RSA. Therefore, for simplicity, the key size corresponding to the previous table is given. In reality, however, the width of secret key is important. An explanation of the impacts of quantum computers on asymmetric algorithms will be in another article.

Key File20483072358440965120614481929216135501638432768
Private Key224256288320352384416448480512544
Security equivalent112128144160176192208224240256272
Security equivalent566480112128168192224256384512
Private Key1121281602242563363844485127681024
Key File20483072358440965120614481929216135501638432768

Note: Because of other data that are part of the key, the resulting size of the key file is approximately equivalent to the size of the keys in RSA and therefore resistance is considered in a similar way.

Security equivalent for algorithms based on elite curves: ECDH, ECDSA, EdDSA

Algorithms based on elliptic curves use a similar principle as the algorithms Diffie-Hellman, ElGamal, Schnorr signature and DSA. Unlike them, however, they do not use general bodies, but bodies above elliptic curves. These add an additional layer of complexity. In fact, this is again an elementary school curriculum, only the mentioned body arises above an equation, usually a quadratic one. The other parts of the procedure are the same, i.e. again a division with the rest is used, a kind of "size limiter" of the body. In terms of the complexity of the attack, it is again possible to use the Pollard algorithm on a digital computer, the modified Shor algorithm on a quantum computer (it uses two QFTs - Quantum Fourier Transformation). Explanation of the effects of quantum computers on asymmetric algorithms will be in another article. Dependence on security is more complicated here, therefore only a simplified explanation is given. The key file is at the moment corresponding to the size of the key bit width, therefore the key file is significantly smaller.

Key width224256288320352384416448480512544
Security equivalent112128144160176192208224240256272
Security equivalent566480112128168192224256384512
Key width1121281602242563363844485127681024

Security equivalent of symmetric encryption algorithms

For symmetric encryption algorithms, the bit width of the key is used as the security equivalent. However, new attacks are emerging and each of these methods may result in weakening of existing resistance. An example of such weakening is the RC-4 algorithm, which, although it may have a 128b key, is breakable in a matter of seconds. And there are more examples.

Security equivalent of hash functions

For hash functions, the security equivalent is based on the birthday paradox, i.e. the probability of two identical texts with similar output. In simple terms, therefore, it can be argued that the security equivalent is roughly half the output width of the hash function, i.e. length/2. For quantum computers, this is a similar value, which should be length/3

Hash functionSHA-256SHA-384SHA-512SHA-512/256SHA3-256SHA3-384SHA3-512SHAKE128SHAKE256
Security Equivalent12819225612825619225664128
Quantum Security Equivalent8512817085851281704285

Note: Explanation of the Birthday Paradox

Mathematicians are special people, able to entertain themselves at celebrations by calculating probabilities. For example, how many people could have the same birthday, hence the birthday paradox. But a mathematician is not looking for a specific example where someone will have the same birthday as the birthday boy, he is looking for a general case. This means that anyone at a celebration can have the same birthday as someone else. Surprisingly, only 23 people are needed for a 50% probability. These can be calculated using the following procedure.
Probability = (1 − variation (365, participants) / variation with repetition (365, participants))

Conclusion

Whatever cryptography is involved, it is advisable to deploy approximately the same security equivalent. Otherwise, the weakest algorithm may compromise the security of the more heavily protected, i.e. algorithms with a higher security equivalent. As for the stronger algorithms, on the other hand, they unnecessarily burn machine time on tasks that are unnecessarily demanding. At such a moment, computing can only become an overpriced direct-fuel. Currently, the corresponding security equivalent is 128b, but due to the risks posed by quantum computers, there are significant changes, for symmetric algorithms the requirement of a key width of 192b to 256b is being considered. Classical asymmetric algorithms are no longer sufficient and their substitution is being addressed.

Appendix:

List of problems of classical asymmetric cryptography and their explanation, taken from prof. Bill Buchannan asecurity [1]

(GDLP) There is a number for which it is necessary to find the exponent in such a way that it is possible to get a certain number.
Factorization Problem(FACTORING) Find two primes greater than 1 that multiply to give N.
RSA Problem(RSAP) This is a "reverse" RSA problem.
Quadratic Residuosity Problem(QRP) If two numbers are available, decide if the number is a quadratic residual after the square root of the number in the body modulo n.
Square Root Problem(SQROOT - Square Roots modulo N) If the remainder is available after the square root of the number in the body, determine what number it was originally.
Discrete logarithm problem(DLP) There is a number for which it is necessary to find the exponent in such a way that a certain remainder can be obtained.
General Discrete Logarithm Problem
Diffie Hellman Problem(DHP) - If there are two powers of numbers in a body, find the sum of those powers in that body.
General Diffie Hellman Problem(GDHP) - If there are remnants of power in a body, find the modular product of those powers.
Subset Sum Problem(SUBSET-SUM) If I have a set of numbers and a sum, determine whether the sum of the parts is part of the total.

Reference:

  1. After 60 Years, Another Busy Beaver Problem Solved
    Zdroj: https://medium.com/
  2. Cryptographic Key Lenght Recommendation
    Zdroj: https://www.keylength.com/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

Podobné články

Sharing files with SMB protocol and cryptography
16. 9. 2024
Sharing files with SMB protocol and cryptography
Sharing files with NFS protocol and cryptography
17. 9. 2024
Sharing files with NFS protocol and cryptography
Quantum computer resistant algorithms
27. 9. 2024
Quantum computer resistant algorithms
Storing password with Crypt interface
8. 10. 2024
Storing password with Crypt interface
logo

Your learning platform for cryptography
and security.

Jan Dušátko
info@cryptosession.cz
+420 602 427 840

Pod Harfou 938/58
190 00, Praha 9

IČ: 43479766
DIČ: CZ 7208253041

Bank no.:
78-7768770207/0100

© 2024 Cryptosession.cz Design: Lukáš Kejha, Development: Karel Tropp

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.