
Why should the size of a DH prime $p$ be about 6800 bits to force an attacker to perform $2^{128}$ steps to attack the system?

How is this 6800-to-128 relationship established?

AleksanderCH
user1156544

1 Answer


How do we pick a group size for a 128-bit security level?

  1. Estimate the cost of mounting an attack as a function of the group size.
  2. Find the group size that puts that cost estimate above $2^{128}$.

In this case, for appropriately selected groups, without back doors, like the RFC 3526 groups, the best attack algorithm is the general number field sieve, GNFS. The usual (single-target) cost estimate for the GNFS is $L^{\sqrt[3]{64/9} + o(1)} \approx L^{1.92999 + o(1)}$ where $L = e^{(\log p)^{1/3} (\log \log p)^{2/3}}$ and $p$ is the modulus. Where 6800 came from is unclear to me; the usual consensus is that 3072 is plenty for a 128-bit security level, even if the $\sqrt[3]{64/9}$ figure is optimistic. Of course, you can get much better performance, and much better implementation security, if you use X25519 instead.

Squeamish Ossifrage
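The two-step recipe in the answer (estimate the attack cost as a function of group size, then find the size that pushes it past $2^{128}$) can be carried out directly with the $L$-notation formula quoted there. The script below is an added worked example, not part of the original question or answer; it uses $L_p[1/3, c] = e^{c\,(\ln p)^{1/3} (\ln \ln p)^{2/3}}$ with $c = \sqrt[3]{64/9}$, treats the $o(1)$ term as zero (an assumption that, as the answer notes, makes the figures optimistic), and approximates $p \approx 2^{n}$ for an $n$-bit modulus. The function names `gnfs_cost_log2` and `min_modulus_bits` are the example's own.

```python
import math

# GNFS L-notation constant c = cbrt(64/9) ~ 1.923; the o(1) term is assumed to be 0.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_cost_log2(modulus_bits: int, c: float = GNFS_C) -> float:
    """Return log2 of the single-target GNFS cost estimate for an n-bit modulus.

    The estimate is L_p[1/3, c] = exp(c * (ln p)^(1/3) * (ln ln p)^(2/3))
    with p approximated by 2^modulus_bits.  Returning log2 of that value
    gives a number directly comparable to a security level such as 128.
    """
    if modulus_bits < 16:
        raise ValueError("modulus far too small for the asymptotic estimate")
    ln_p = modulus_bits * math.log(2)          # ln p for p = 2^n
    exponent = c * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3)
    return exponent / math.log(2)              # convert natural-log exponent to bits


def min_modulus_bits(security_bits: int = 128, step: int = 8,
                     c: float = GNFS_C) -> int:
    """Smallest modulus size (a multiple of `step`, starting at 512) whose
    GNFS cost estimate is at least 2^security_bits."""
    n = 512
    while gnfs_cost_log2(n, c) < security_bits:
        n += step
    return n


if __name__ == "__main__":
    # Sizes worth comparing: common RFC 3526 sizes plus the 6800 from the question.
    for n in (1024, 2048, 3072, 4096, 6800):
        print(f"{n:5d}-bit modulus: GNFS cost ~ 2^{gnfs_cost_log2(n):.1f}")
    print(f"smallest size with cost >= 2^128: {min_modulus_bits(128)} bits")
```

Under this estimate a 2048-bit modulus comes out near $2^{117}$ and a 3072-bit one near $2^{139}$, so the crossing point for $2^{128}$ sits between them, which is why 3072 is the usual recommendation once a margin for the $o(1)$ term is allowed; 6800 bits lands well above $2^{190}$, far past what a 128-bit target requires.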