NIST recommends a 256-bit private key exponent for DLP with a 3072-bit modulus. This question answered how the modulus was chosen/calculated; however, why isn't the private key size closer to the modulus size? It would seem that if one achieves order equal to $2^{256}$, this would be a sufficient number of random private key exponent possibilities to make a brute force attack computationally infeasible? So why the disparity between the $2^{256}$ private key and the $2^{3072}$ modulus?
1 Answers
4
Generic algorithms for solving the DLP, like Shanks' baby-step giant-step or Pollard's rho, have complexity of order $\mathcal{O}(|G|^{0.5})$. That is, for $|G|=2^{256}$ you get a complexity of $\mathcal{O}(2^{128})$. However, for the index calculus method, which operates on the modulus, for a complexity of $\mathcal{O}(2^{128})$ you would need a modulus of size 3072 bits. You may use a larger exponent, but this will result in more complex calculations, while the security remains $\mathcal{O}(2^{128})$.
puzzlepalace
Evgeni Vaknin
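As an added illustration (not part of the answer above or of any NIST material), this Python sketch runs baby-step giant-step in two toy Schnorr groups that share one subgroup order but have different modulus sizes, showing that the generic attack's work follows $\sqrt{|G|}$ and not the modulus. The prime `Q`, the exponent `SECRET` and all function names are constructed for the example; it covers only the generic-attack side, not index calculus.

```python
from math import isqrt

Q = 1000003      # constructed toy subgroup order (prime); stands in for the 256-bit order
SECRET = 777777  # constructed private exponent, 0 <= SECRET < Q

def is_odd_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, isqrt(n) + 1, 2))

def schnorr_group(q, bits):
    """Find a prime p = k*q + 1 of about `bits` bits and an element g of order q."""
    k = (1 << bits) // q
    k += k % 2                      # k even keeps p odd
    while not is_odd_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:        # h^k has order 1 or q; skip the trivial case
        h += 1
    return p, pow(h, k, p)

def bsgs(g, y, p, q):
    """Baby-step giant-step: return (x, multiplications used) with g^x = y mod p."""
    m = isqrt(q - 1) + 1            # ceil(sqrt(q))
    table, e = {}, 1
    for j in range(m):              # baby steps: g^0 .. g^(m-1)
        table.setdefault(e, j)
        e = e * g % p
    step, gamma = pow(g, -m, p), y  # modular inverse power needs Python 3.8+
    for i in range(m):              # giant steps: y * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma], m + i
        gamma = gamma * step % p
    raise ValueError("y is not in the subgroup generated by g")

def attack_cost(bits):
    """Return (modulus bit length, recovered exponent, multiplications used)."""
    p, g = schnorr_group(Q, bits)
    x, work = bsgs(g, pow(g, SECRET, p), p, Q)
    return p.bit_length(), x, work

if __name__ == "__main__":
    for bits in (24, 40):
        print(attack_cost(bits))    # same work for both modulus sizes
```
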