Cryptographic Key Length Recommendation

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers.

This web site implements mathematical formulas and summarizes reports from well-known organizations allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

The goal of ECRYPT-CSA (Coordination & Support Action) is to strengthen European excellence in the area of cryptology. This report [3] on cryptographic algorithms, schemes, keysizes and protocols is a direct descendant of the reports produced by the ECRYPT I and II projects (2004-2012), and the ENISA reports (2013-2014). It provides rather conservative guiding principles, based on current state-of-the-art research, addressing construction of new systems with a long life cycle. The report aims to be a reference in the area, focusing on commercial online services that collect, store and process the data.
| Protection | Symmetric | Factoring Modulus | Discrete Logarithm: Key | Discrete Logarithm: Group | Elliptic Curve | Hash |
|---|---|---|---|---|---|---|
| Legacy standard level (should not be used in new systems) | 80 | 1024 | 160 | 1024 | 160 | 160 |
| Near term protection (security for at least ten years, 2018-2028) | 128 | 3072 | 256 | 3072 | 256 | 256 |
| Long-term protection (security for thirty to fifty years, 2018-2068) | 256 | 15360 | 512 | 15360 | 512 | 512 |
All key sizes are provided in bits. These are the minimal sizes for security.
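The minimums in the table above can be applied to a whole system, where the protection level is set by the weakest primitive. The following is an added example, not code from this site or from the ECRYPT-CSA report; the function names and the sample parameter set are constructed for illustration.

```python
# Added example: thresholds are the ECRYPT-CSA minimums from the table (bits).
LEVELS = ["below legacy", "legacy", "near term", "long term"]

# kind -> (legacy, near term, long term) minimum size in bits
TABLE = {
    "symmetric":      (80, 128, 256),
    "factoring":      (1024, 3072, 15360),
    "dl_key":         (160, 256, 512),
    "dl_group":       (1024, 3072, 15360),
    "elliptic_curve": (160, 256, 512),
    "hash":           (160, 256, 512),
}

def level(kind, bits):
    """Index into LEVELS of the highest protection level that `bits` meets."""
    return sum(bits >= minimum for minimum in TABLE[kind])

def audit(params):
    """Rate every primitive; the system as a whole gets the lowest rating.

    params maps a kind from TABLE to the size in use, in bits.
    Returns (overall level, weakest kinds, per-kind levels).
    """
    per_kind = {kind: level(kind, bits) for kind, bits in params.items()}
    overall = min(per_kind.values())
    weakest = sorted(k for k, v in per_kind.items() if v == overall)
    return LEVELS[overall], weakest, {k: LEVELS[v] for k, v in per_kind.items()}

def upgrade_plan(params, target):
    """Minimum sizes needed for each primitive that falls short of `target`."""
    t = LEVELS.index(target)
    return {k: TABLE[k][t - 1] for k, b in params.items() if level(k, b) < t}

# Constructed sample: RSA-2048 signatures, DH over a 2048-bit group with
# 224-bit exponents, AES-256 and SHA-256.
SAMPLE = {"factoring": 2048, "dl_group": 2048, "dl_key": 224,
          "symmetric": 256, "hash": 256}

if __name__ == "__main__":
    overall, weakest, detail = audit(SAMPLE)
    print("overall:", overall, "| limited by:", ", ".join(weakest))
    for kind, rating in detail.items():
        print(f"  {kind:<15}{SAMPLE[kind]:>6} bits  {rating}")
    print("to reach near term:", upgrade_plan(SAMPLE, "near term"))
```

In the sample, AES-256 meets the long-term minimum, but the 2048-bit modulus and group keep the system at the legacy level under this method.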
Recommended algorithms:
Block Ciphers: For near term use, AES-128 and for long term use, AES-256.
Hash Functions: For near term use, SHA-256 and for long term use, SHA-512 and SHA-3 with a 512-bit result.
Public Key Primitive: For near term use, 256-bit elliptic curves, and for long term use 512-bit elliptic curves.

Future algorithms (expected to remain secure in 10-50 year lifetime):
Block Ciphers: AES, Camellia, Serpent
Hash Functions: SHA2 (256, 384, 512, 512/256), SHA3 (256, 384, 512, SHAKE128, SHAKE256), Whirlpool-512, BLAKE (256, 384, 512)
Stream Ciphers: HC-128, Salsa20/20, ChaCha, SNOW 2.0, SNOW 3G, SOSEMANUK, Grain 128a

Legacy algorithms (secure currently, but better choices available):
Block Cipher: Three-Key-3DES, Two-Key-3DES, Kasumi, Blowfish (min 80-bit keys)
Hash Functions: RIPEMD-160, SHA2 (224, 512/224), SHA3-224
Stream Ciphers: Grain, Mickey 2.0, Trivium, Rabbit
© 2018 BlueKrypt - v 31.0 - June 10, 2018
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Bibliography
[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, Journal of Cryptology, vol. 14, p. 255-293, 2001.
[2] Key Lengths, Arjen K. Lenstra, The Handbook of Information Security, 06/2004.
[3] Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 4, NIST, 01/2016.
[5] Mécanismes cryptographiques - Règles et recommandations, Rev. 2.03, ANSSI, 02/2014.
[6] Commercial National Security Algorithm, Information Assurance Directorate at the NSA, 01/2016.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Kryptographische Verfahren: Empfehlungen und Schlüssellängen, TR-02102-1 v2018-02, BSI, 05/2018.