GNFS
Those appear to be based on the complexity of the General Number Field Sieve, one of the fastest (if not the fastest) classical factoring algorithms. I confirmed this in Mathematica.
Here is the complexity for the GNFS (source):
where $n$ is a number to factor. Evaluating the above expression at $2^b$ is a rough approximation of the time needed to factor a $b$-bit integer. Here's a table showing the bit-length of the evaluation at $2^{1024}, 2^{2048}, \ldots$:

| Strength | RSA modulus size | Complexity bit-length |
|---|---|---|
| 80 | 1024 | 86.76611925028119 |
| 112 | 2048 | 116.8838132958159 |
| 128 | 3072 | 138.7362808527251 |
| 192 | 7680 | 203.01873594417665 |
| 256 | 15360 | 269.38477262128384 |

I generated these numbers with the following Mathematica code:

```mathematica
({#, N@Log2@gnfsComplexity[2^#]} &) /@ {1024, 2048, 3072, 7680, 15360}
```

where `gnfsComplexity` is defined as:

```mathematica
gnfsComplexity[n_] := Exp[(64/9 * Log[n])^(1/3) * (Log[Log[n]])^(2/3)]
```

which is not the prettiest thing I've ever written, but it seems accurate. (For those unfamiliar with Mathematica, the second code snippet defines a function that's a transliteration of the above GNFS complexity for a number $n$. The first code snippet evaluates that complexity at $n = 2^{1024}, 2^{2048}$, etc., takes the logarithm base 2, and converts it to a numerical approximation — a decimal number — instead of an exact result like a fraction.)
As for the reasoning behind the larger key sizes for RSA, the explanation's not too difficult. If you look at the document in the question, you will notice that the "bits of security" for block ciphers correlate almost perfectly with the size (in bits) of the keys for that block cipher (with rare exceptions). This is because our best attack on a secure block cipher essentially is a brute-force search for the key, which on average takes $2^{n-1}$ time where $n$ is the bit-length of the key.
However, for RSA, our best line of attack is not to execute a brute-force search for the key; instead, we "simply" factor the (public) modulus, so the security of the scheme revolves around the efficiency of factoring. The GNFS has a sub-exponential but still super-polynomial time complexity, and one can use this time complexity to roughly approximate the security offered by the scheme. I believe that's what the NIST is doing here.
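
The estimate above can also be run in the other direction, as an added Python example that is not part of the original answer: `gnfs_bits` evaluates the same expression as the Mathematica `gnfsComplexity` (working with $b \ln 2$ instead of building $2^b$), and `min_modulus_bits` finds the smallest modulus size whose estimate reaches a target strength. The function names and the search bounds are assumptions made for this example.

```python
import math

def gnfs_bits(modulus_bits: int) -> float:
    """log2 of exp((64/9 * ln n)^(1/3) * (ln ln n)^(2/3)) for n = 2^modulus_bits."""
    ln_n = modulus_bits * math.log(2)      # ln(2^b) = b * ln 2, no big integers needed
    exponent = (64 / 9 * ln_n) ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)          # natural-log exponent converted to bits

def min_modulus_bits(target_bits: float, lo: int = 16, hi: int = 1 << 20) -> int:
    """Smallest modulus size in [lo, hi] whose estimate is >= target_bits.

    gnfs_bits is strictly increasing on this range, so bisection applies.
    The default bounds are arbitrary choices for this example.
    """
    if gnfs_bits(hi) < target_bits:
        raise ValueError("target strength is outside the search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if gnfs_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

# (strength, RSA modulus size) pairs copied from the table in the answer
TABLE = [(80, 1024), (112, 2048), (128, 3072), (192, 7680), (256, 15360)]

def report():
    """One row per table entry: strength, modulus size, estimate, inverse result."""
    return [
        (strength, size, gnfs_bits(size), min_modulus_bits(strength))
        for strength, size in TABLE
    ]

if __name__ == "__main__":
    print("strength  modulus  estimate  smallest modulus reaching strength")
    for strength, size, estimate, needed in report():
        print(f"{strength:8d}  {size:7d}  {estimate:8.2f}  {needed:8d}")
```

Because every estimate in the table lies above its listed strength, the inverse search returns a modulus size smaller than the listed one for each row.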