Keylength - Lenstra Cryptographic Key Length Equations (2004)

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers.

This web site implements mathematical formulas and summarizes reports from well-known organizations allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematic attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

Please enable JavaScript to fully utilize this website (Privacy Policy)

Choose a Method



			In 2004, Prof. Arjen K. Lenstra described mathematical formulas providing key length recommendations for most cryptographic systems [2]. This is an updated version of the first publication [1]. This method is more understandable since the number of parameters to be managed by the user is reduced and easier to grasp.

Enter basic parameter

You can enter the year until when your system should be protected and see the corresponding key sizes or you can enter a key/hash/group size and see until when you would be protected.



		bits

Advanced options

This security value is defined as the year until when a user is willing to trust the DES. In 1980, W. Diffie described a special purpose hardware of $50 Million that breaks the DES system in 2 days but the price for this attack could be considered too expensive. The default value 1982 could be considered too weak. It is commonly assumed that the DES offered enough security for commercial applications but not that well-funded government agencies were unable to break it.

On the same equipment, the cost of factorizing drops by a factor 2 every 18 months and according to Moore's traditional law, the equipment cost also drops by a factor 2 every 18 months. As a result of the combination of these two independent effects, the cost of factorizing any fixed modulus drops by a factor 2 every 9 months. This is the double Moore's factorizing law. If it is argued that due to economies of scale and high parallelism, a double Moore law already applies to the technology component alone; then a triple Moore's factorizing law should be considered: the cost of factoring any fixed modulus drops by a factor 2 every 6 months.

Double Moore factorizing law

Triple Moore factoring law

Click here to hide advanced options

Reset to default

Click here to see options


© 2024		BlueKrypt - v 32.3 - May 24, 2020
		Authors: Damien Giry, Philippe Bulens Approved by Prof. Jean-Jacques Quisquater Contact:

I would like to thank Prof. Arjen K. Lenstra for his kind authorization and comments.
Surveys of laws and regulations on cryptology: Crypto Law Survey / Digital Signature Law Survey.


Bibliography	[1]	Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, Journal Of Cryptology, vol. 14, p. 255-293, 2001.
	[2]	Key Lengths, Arjen K. Lenstra, The Handbook of Information Security, 06/2004.
	[3]	Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018.
	[4]	Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 5, NIST, 05/2020.
	[5]	Mécanismes cryptographiques - Règles et recommandations, Rev. 2.03, ANSSI , 02/2014.
	[6]	Commercial National Security Algorithm, National Security Agency (NSA), 01/2016.
	[7]	Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
	[8]	Cryptographic Mechanisms: Recommendations and Key Lengths, TR-02102-1 v2020-01, BSI, 03/2020.