Keylength.com - BSI Cryptographic Key Length Report for Digital Signature (2007)

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers. This web site implements mathematical formulas and summarizes reports from well-known organizations allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection.

The lengths provided here are designed to resist mathematic attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

Please enable JavaScript to fully utilize this website (Privacy Policy)

Choose a method



			This report [8] describes recommendations from the German federal office for information security, BSI. It provides optimal cryptographic key length for electronic signature algorithm.

Date

Asymmetric

Discrete Logarithm
Key		Size

Elliptic Curve

Hash

2007

1024

160

1024

180

SHA-1
RIPEND-160
SHA-224

SHA-256
SHA-384
SHA-512

2008

1280

160

1280

180

SHA-1*
RIPEND-160
SHA-224

SHA-256
SHA-384
SHA-512

2009

1536

160

1536

180

SHA-1*
RIPEND-160
SHA-224

SHA-256
SHA-384
SHA-512

2010

1728

224

2048

224

SHA-224
SHA-256

SHA-384
SHA-512

2011 - 2013

1976

224

2048

224

SHA-224
SHA-256

SHA-384
SHA-512

(*) For digital certificates only.
All key sizes are provided in bits. These are the minimal sizes for security.
Click on a value to compare it with other methods.

Remarks for RSA:

Recommended algorithm: ISO/IEC 14888-3.
For long-term security level, 2048 bits is recommended.

Remarks for discret logarithm:

Recommended algorithms: ISO/IEC 14888-3 and FIPS 186-2.
For long-term security level, a size of 2048 bits is recommended.

Remarks and recommended algorithms for elliptic curve:

EC-DSA: IEEE P1363, FIPS 186-2, ANSI X9.62-2005 and ISO/IEC 15946-2.
EC-KDSA and EC-GDSA: ISO/IEC 15946-2.
Nyberg-Rueppel: ISO/IEC 9796-3 and ISO/IEC 15946-4.

GF(p): until end of 2009, p must be at least 192 bits.
GF(2ⁿ): until end of 2009, n must have at least 191 bits.

This report must be used for cryptographic key length in electronic signatures only.


© 2008		Keylength.com - v 17.10 - November 19, 2007
		Author: Damien Giry Approved by Prof. Jean-Jacques Quisquater Contact:

Surveys of laws and regulations on cryptology: Crypto Law Survey / Digital Signature Law Survey.


Bibliography	[1]	Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, PKC2000: p. 446-465, 01/2000.
	[2]	Handbook of Information Security, Arjen K. Lenstra, 06/2004.
	[3]	Yearly Report on Algorithms and Keysizes (2006), D.SPA.21 Rev. 1.1, IST-2002-507932 ECRYPT, 01/2007.
	[4]	Recommendation for Key Management, Special Publication 800-57 Part 1, NIST, 03/2007.
	[5]	Mécanismes cryptographiques - Règles et recommandations "standards", Rev. 1.10, DCSSI , 12/2006.
	[6]	Fact Sheet Suite B Cryptography, NSA, 02/2005.
	[7]	Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
	[8]	Algorithms for Qualified Electronic Signatures, BNetzA, BSI, 02/2007 updated with BSI Draft, 07/2007.


Privacy Policy (P3P) \| Disclaimer / Copyright \| Release Notes