Cryptographic Key Length Recommendation

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers. This web site implements mathematical formulas and summarizes reports from well-known organizations allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection.

The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

ECRYPT is a network of excellence in cryptology. This report [3] is driven by the "Security Level" you want to reach. Each level corresponds to a symmetric key size, from which equivalent asymmetric key sizes are derived in a way similar to the one used in NESSIE.

| Level | Protection | Symmetric | Asymmetric | Discrete Logarithm: Key | Discrete Logarithm: Group | Elliptic Curve | Hash |
|---|---|---|---|---|---|---|---|
| 1 | Attacks in "real-time" by individuals. Only acceptable for authentication tag size | 32 | - | - | - | - | - |
| 2 | Very short-term protection against small organizations. Should not be used for confidentiality in new systems | 64 | 816 | 128 | 816 | 128 | 128 |
| 3 | Short-term protection against medium organizations, medium-term protection against small organizations | 72 | 1008 | 144 | 1008 | 144 | 144 |
| 4 | Very short-term protection against agencies, long-term protection against small organizations. Smallest general-purpose level, protection from 2008 to 2010 | 80 | 1248 | 160 | 1248 | 160 | 160 |
| 5 | Legacy standard level. Use of 2-key 3DES restricted to 10^6 plaintext/ciphertexts, protection from 2008 to 2016 | 96 | 1776 | 192 | 1776 | 192 | 192 |
| 6 | Medium-term protection, protection from 2008 to 2026 | 112 | 2432 | 224 | 2432 | 224 | 224 |
| 7 | Long-term protection. Generic application-independent recommendation, protection from 2008 to 2036 | 128 | 3248 | 256 | 3248 | 256 | 256 |
| 8 | "Foreseeable future". Good protection against quantum computers | 256 | 15424 | 512 | 15424 | 512 | 512 |

All key sizes are provided in bits. These are the minimal sizes for security.
The 32 and 64-bit levels should not be used for confidentiality protection; 32-bit keys offer no confidentiality at all relative to any attacker, and 64-bit offers only very poor protection. Nevertheless, there are applications where these levels may be necessary if security is to be provided at all, e.g. for integrity tags.
While both 80 and 128-bit keys provide sufficient security against brute force key-search attacks (on symmetric primitives) by the most reasonable adversaries, it should be noted that 80 bits would be practically breakable and 128 bits might correspond to an effective 80-bit level, if one considers attack models based on pre-computation and large amounts of available storage. As a simple rule of thumb, one may choose to double the key size to mitigate threats from such attacks.

The main consideration for a secure hash function is the size of the outputs. If the application requires collisions to be difficult to find, the output must be twice the desired security level. This is the case e.g. when used with digital signatures. When used as a keyed hash for message authentication, however, the outputs may often be truncated.
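The rule that a collision-resistant hash needs twice as many output bits as the security level follows from the birthday bound. The added example below (not part of the original page) shows it empirically, using SHA-256 truncated to a few bits as an assumed stand-in for a short hash and constructed sample messages:

```python
import hashlib
import math


def truncated_digest(message: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(message) as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Birthday search over distinct constructed messages.

    Hashes message after message and remembers every truncated digest
    seen so far; stops when a digest repeats. Terminates after at most
    2**bits + 1 hashes (pigeonhole), but typically after about
    2**(bits / 2), which is why an n-bit output only gives n/2 bits of
    collision resistance.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}  # truncated digest -> message that produced it
    attempts = 0
    while True:
        msg = b"constructed-sample-%d" % attempts  # constructed input
        attempts += 1
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, attempts
        seen[tag] = msg


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, attempts = find_collision(bits)
        print(
            f"{bits}-bit output: collision after {attempts} hashes "
            f"(2^{math.log2(attempts):.1f}), birthday estimate 2^{bits // 2}"
        )
```

Each doubling of the output length doubles the exponent of the work, so a 160-bit output matches the 80-bit level and a 256-bit output the 128-bit level, as in the Hash column of the table.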

Note that a 256-bit symmetric key offers good protection against quantum computers.
© 2008 Keylength.com - v 17.10 - November 19, 2007
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Bibliography
[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, PKC2000: p. 446-465, 01/2000.
[2] Handbook of Information Security, Arjen K. Lenstra, 06/2004.
[3] Yearly Report on Algorithms and Keysizes (2006), D.SPA.21 Rev. 1.1, IST-2002-507932 ECRYPT, 01/2007.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1, NIST, 03/2007.
[5] Mécanismes cryptographiques - Règles et recommandations "standards", Rev. 1.10, DCSSI, 12/2006.
[6] Fact Sheet Suite B Cryptography, NSA, 02/2005.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Algorithms for Qualified Electronic Signatures, BNetzA, BSI, 02/2007 updated with BSI Draft, 07/2007.