Join Log in
Score:4
crypt avatar Crypto

Security Strength of Symmetric vs Asymmetric Ciphers

cn flag
crypt

NIST SP 800-57 Part 1 rev 5 section 5.6.1.1 gives following comparison between different encryption types. For example, it shows that 3TDEA, RSA-2048, ECC224 provides security strength of 112 bits.

Does it mean that with computational power of $2^{112}$, chances of breaking 3TDEA, RSA-2048 and ECC224 are equal? or breaking one of these cipher is difficult than other?

enter image description here

469
1 + 0
Score:5
Maarten Bodewes avatar Crypto
in flag
Maarten Bodewes

It means that you should be able to retrieve a key using $2^{112}$ operations, assuming a normal attack scenario and the most efficient method of attack at this time, assuming that the rest of the system is secure.

Some algorithms such as classic DH (relying on the discrete logarithm problem or DLP, called Finite Field Cryptography or FFC in the table) will allow more effective attacks if the key can get calculated, but note that generally these figures are out of reach.

However, generally being able to retrieve a key doesn't amount to breaking the algorithm. A break of the algorithm would allow an attacker to do it in (significantly) fewer operations than the number of operations mentioned. You'd just get a single key.

Usually we don't care if it is a bit or so off. These are ballpark figures. There is an attack that would allow AES-128 to be broken in about $2^{126.1}$ operations (using a lot of memory), but we generally still indicate that it has 128 bit security.

Note that NIST doesn't recommend a 112 bit key strength anymore. Cryptographers will generally recommend to aim for at least a 128 bit key strength. Lower key strengths may be prone to be broken and should only be used for realtime applications, only when needed and after careful analysis of the situation.

Of course, the above table doesn't take fully operational, capable quantum computers into consideration.

I'd specifically recommend against using DH or ECDHE with a security margin of 112 bits though as it might be possible that an adversary can reach the number of operations mentioned, or if a slightly more efficient attack is found. DH is vulnerable to attacks using precomputation, and classic Elliptic Curve cryptography is relatively vulnerable against attacks using quantum computers.

+ 7
fgrieu avatar
ng flag
fgrieu
_"You'd just get a single key"_ holds for symmetric key algorithms, IFC/RSA, and AFAIK ECC. But for FCC that applies only to some attacks (those that target a low value of $N$, like Pollard's rho and Pollard's kangaroo). As noted in [this answer](https://crypto.stackexchange.com/a/103929/555), there are other plausible attacks (those that target a low value of $L$, like index calculus, Function Field Sieve, I think NFS) that compromise all keys using the same group parameters $p$ and $q$.
1
Reply
crypt avatar
cn flag
crypt
*"Of course, the above table doesn't take fully operational, capable quantum computers into consideration."* how many bits of security will be reduced by taking into account quantum computers?
0
Reply
poncho avatar
my flag
poncho
@crypt: if you have a crypto relevant quantum computer, FFC, IFC and ECC can be solved quickly (in polynomial time). For symmetric key algorithms (e.g. 3DES), it reduces it somewhat (depending on how long the attacker is willing to wait for the answer - if he's willing to wait millions of years, it effectively halves the key strength - it reduces it less if he is more impatient)
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
@fgrieu Good point. I've always assumed that such an attack would also translate to ECDH though, but without any mathematical backing.
0
Reply
poncho avatar
my flag
poncho
@MaartenBodewes: as far as we know, elliptic curves don't have anything analogous to a factor base, hence those sorts of 'do the computation once, reuse the computation to solve a number of instances quickly' attacks do not appear to apply.
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
@poncho Alright, I assumed that EC was also affected. I thought that as using quantum cryptography would bring the security of both schemes to ~0 bits that it was the precomputation attack that caused this. Is this entirely unrelated and is there another reason why we think that the security of both DH and ECDH is next to zero? Or should I ask this in a separate question?
0
Reply
poncho avatar
my flag
poncho
@MaartenBodewes: it's unrelated to precomputation attacks - instead, the standard Quantum algorithm to factor/compute discrete log's is Shor's algorithm, which can be used to do either (and doesn't generate any side data that can be reused to attack similar instances)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.