2

I'm trying to figure out how long the modulus $n$ has to be in the Rabin Signature scheme, to provide 128 bit security.

We assume that the used hash function is "secure enough". Then the naive approach would be the following:

Since forging a signature is prooven to be as hard as factorization of $n$, the security level of the signature scheme is approx. equal to the bit length of $n$. Therefore for 128 bit security, $n$ should be at least a number,such that the fastest factoring algorithms take 2^180 tries. But how long is such a number?

Of course I know, that its said that RSA keys should be around 3072bit to achieve 128bit sec. On the other hand RSA has no tight reduction to number factorization in contrast to Rabin.

Can someone therefore explain how to estimate Rabin modulus size?

Mark Neuhaus
  • 175
  • 6

1 Answers1

2

With proper choice of key and padding, the most efficient purely cryptographic known attack on Rabin signature and RSA (encryption and signature) is the same: factoring the public modulus. Therefore, size recommendations for the public modulus are the same. If 3072-bit RSA achieves 128-bit security by some criteria, Rabin does.

Beware that there can be implementation attacks specific to Rabin and its Jacobi computation, that do not apply to RSA. Also, Rabin signature is unforgiving to some poor padding (especially deterministic): it can degenerate into a total break (factorization of the public modulus), when it remains an existential forgery in RSA signature.

fgrieu
  • 149,326
  • 13
  • 324
  • 622