1 /** 2 * Public Key Work Factor Functions 3 * 4 * Copyright: 5 * (C) 1999-2007 Jack Lloyd 6 * (C) 2014-2015 Etienne Cimon 7 * 8 * License: 9 * Botan is released under the Simplified BSD License (see LICENSE.md) 10 */ 11 module botan.pubkey.workfactor; 12 13 import botan.constants; 14 static if (BOTAN_HAS_PUBLIC_KEY_CRYPTO): 15 16 import botan.utils.types; 17 import std.algorithm : max; 18 import std.math : pow, log; 19 20 /** 21 * Estimate work factor for discrete logarithm 22 * Params: 23 * prime_group_size = size of the group in bits 24 * Returns: estimated security level for this group 25 */ 26 size_t dlWorkFactor(size_t prime_group_size) 27 { 28 /* 29 Based on GNFS work factors. Constant is 1.43 times the asymptotic 30 value; I'm not sure but I believe that came from a paper on 'real 31 world' runtimes, but I don't remember where now. 32 33 Sample return values: 34 |512| . 64 35 |1024| . 86 36 |1536| . 102 37 |2048| . 116 38 |3072| . 138 39 |4096| . 155 40 |8192| . 206 41 42 For DL algos, we use an exponent of twice the size of the result; 43 the assumption is that an arbitrary discrete log on a group of size 44 bits would take about 2^n effort, and thus using an exponent of 45 size 2^(2*n) implies that all available attacks are about as easy 46 (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) 47 operations) while minimizing the exponent size for performance 48 reasons. 49 */ 50 51 __gshared immutable size_t MIN_WORKFACTOR = 64; 52 53 // approximates natural logarithm of p 54 const double log_p = prime_group_size / 1.4426; 55 56 const double strength = 2.76 * pow(log_p, 1.0/3.0) * pow(log(log_p), 2.0/3.0); 57 58 return max(cast(size_t)(strength), MIN_WORKFACTOR); 59 }