Cryptographic Key Length Recommendation

In most cryptographic functions the key length is a critical security parameter. Academic and private organizations publish recommendations and mathematical formulas for approximating the minimum key size needed for a given level of security. Despite the availability of these publications, choosing an appropriate key size to protect a system remains a headache, because you have to read and reconcile all of these papers.

This web site implements the mathematical formulas and summarizes the reports of well-known organizations so that you can quickly evaluate the minimum security requirements for your system, compare the different methods, and find the appropriate key length for your desired level of protection. The lengths given here are sized to resist generic mathematical attacks (exhaustive search, factoring, discrete logarithm computation); they do not account for cryptanalytic weaknesses of a specific algorithm, hardware or implementation flaws, and so on.

NIST is a non-regulatory federal agency within the U.S. Department of Commerce. The recommendations in report [4] are intended for use by U.S. Federal agencies and give key sizes together with the algorithms they apply to. The first table gives the cryptoperiod for 19 types of key use. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system remain in effect. The second table gives the key length recommendations.
Key Type                            | Originator Usage Period (OUP)        | Recipient Usage Period
------------------------------------|--------------------------------------|-----------------------
Private Signature Key               | 1-3 years                            | -
Public Signature Key                | Several years (depends on key size)  |
Symmetric Authentication Key        | <= 2 years                           | <= OUP + 3 years
Private Authentication Key          | 1-2 years                            |
Public Authentication Key           | 1-2 years                            |
Symmetric Data Encryption Key       | <= 2 years                           | <= OUP + 3 years
Symmetric Key Wrapping Key          | <= 2 years                           | <= OUP + 3 years
Symmetric RBG Keys                  | Determined by design                 | -
Symmetric Master Key                | About 1 year                         | -
Private Key Transport Key           | <= 2 years (1)                       |
Public Key Transport Key            | 1-2 years                            |
Symmetric Key Agreement Key         | 1-2 years (2)                        |
Private Static Key Agreement Key    | 1-2 years (3)                        |
Public Static Key Agreement Key     | 1-2 years                            |
Private Ephemeral Key Agreement Key | One key agreement transaction        |
Public Ephemeral Key Agreement Key  | One key agreement transaction        |
Symmetric Authorization Key         | <= 2 years                           |
Private Authorization Key           | <= 2 years                           |
Public Authorization Key            | <= 2 years                           |

Rows with a value in the OUP column only give a single cryptoperiod that covers every use of the key; "-" means no separate recipient usage period applies.
In some cases risk factors affect the choice of cryptoperiod (see section 5.3.1 of report [4]).
(1) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of the Private Key Transport Key may exceed the cryptoperiod of the Public Key Transport Key.
(2) In certain email applications where received messages are stored and decrypted at a later time, the key's recipient-usage period may exceed its originator-usage period.
(3) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of the Private Static Key Agreement Key may exceed the cryptoperiod of the Public Static Key Agreement Key.
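The cryptoperiod table is easiest to apply as a key-inventory check: given a key's type and activation date, decide whether an originator may still use it, whether only a recipient may still process data protected under it, or whether it is past every period the table allows. The following script is an added example, not code from BlueKrypt or NIST. It assumes the upper bound of each range (e.g. 3 years for "1-3 years") as the limit, treats "<= OUP + 3 years" as 3 years beyond the end of the originator period, and leaves out key types whose period is not a fixed number of years; the key names and inventory are constructed for the demonstration.

```python
from datetime import date

# Cryptoperiods from the NIST SP 800-57 Part 1 Rev. 4 table above, as the
# upper bound of the Originator Usage Period (OUP) in years. Key types whose
# period is "determined by design", "several years" or a single transaction
# have no fixed number and are deliberately left out (assumption).
OUP_YEARS = {
    "private_signature": 3,             # 1-3 years
    "symmetric_authentication": 2,      # <= 2 years
    "private_authentication": 2,        # 1-2 years
    "symmetric_data_encryption": 2,     # <= 2 years
    "symmetric_key_wrapping": 2,        # <= 2 years
    "symmetric_master": 1,              # about 1 year
    "private_key_transport": 2,         # <= 2 years (footnote 1)
    "private_static_key_agreement": 2,  # 1-2 years (footnote 3)
    "symmetric_authorization": 2,       # <= 2 years
}

# Key types for which the table lets a recipient keep processing data
# (e.g. decrypt or verify) for up to 3 years past the originator period.
RECIPIENT_EXTENSION_YEARS = {
    "symmetric_authentication": 3,
    "symmetric_data_encryption": 3,
    "symmetric_key_wrapping": 3,
}


def add_years(d: date, n: int) -> date:
    """Calendar arithmetic that survives a 29 February activation date."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def usage_status(key_type: str, activated: date, on: date,
                 role: str = "originator") -> str:
    """Classify use of a key on a given date (end dates are inclusive).

    'ok'             : inside the originator usage period, any role may use it
    'recipient-only' : OUP has passed, but a recipient may still process data
                       protected earlier (within OUP + 3 years)
    'expired'        : outside every period the table allows
    """
    if key_type not in OUP_YEARS:
        raise ValueError(f"{key_type}: the table gives no fixed cryptoperiod")
    oup_end = add_years(activated, OUP_YEARS[key_type])
    rup_end = add_years(oup_end, RECIPIENT_EXTENSION_YEARS.get(key_type, 0))
    if on <= oup_end:
        return "ok"
    if role == "recipient" and on <= rup_end:
        return "recipient-only"
    return "expired"


# Constructed key inventory for the demonstration (not real keys).
INVENTORY = [
    {"id": "dek-2020-a", "type": "symmetric_data_encryption",
     "activated": date(2020, 1, 15)},
    {"id": "dek-2020-a-reader", "type": "symmetric_data_encryption",
     "activated": date(2020, 1, 15), "role": "recipient"},
    {"id": "sig-2019", "type": "private_signature",
     "activated": date(2019, 3, 1)},
    {"id": "kek-2022", "type": "symmetric_key_wrapping",
     "activated": date(2022, 6, 30)},
]


def audit(inventory, on: date) -> dict:
    """Status of every key in the inventory on the given date."""
    return {k["id"]: usage_status(k["type"], k["activated"], on,
                                  k.get("role", "originator"))
            for k in inventory}


if __name__ == "__main__":
    for key_id, status in audit(INVENTORY, date(2023, 1, 1)).items():
        print(f"{key_id:20} {status}")
```

Run on 1 January 2023 the sample inventory reports the 2020 data-encryption key as expired for the originator (no new data may be encrypted under it) but still usable by the recipient to decrypt stored data until January 2025, which is exactly the email scenario footnotes (1) to (3) describe.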
TDEA (Triple Data Encryption Algorithm) and AES are specified in [10].
Hash (A): Digital signatures and hash-only applications.
Hash (B): HMAC, Key Derivation Functions and Random Number Generation.
The security strength for key derivation assumes that the shared secret contains enough entropy to support the desired security strength. The same remark applies to the security strength for random number generation.
Date                 | Minimum Strength | Symmetric Algorithms | Factoring (modulus) | Discrete Logarithm Key | Discrete Logarithm Group | Elliptic Curve | Hash (A) | Hash (B)
---------------------|------------------|----------------------|---------------------|------------------------|--------------------------|----------------|----------|---------
(Legacy)             | 80               | 2TDEA*               | 1024                | 160                    | 1024                     | 160            | SHA-1**  |
2016 - 2030          | 112              | 3TDEA                | 2048                | 224                    | 2048                     | 224            | SHA-224  |
2016 - 2030 & beyond | 128              | AES-128              | 3072                | 256                    | 3072                     | 256            | SHA-256  |
2016 - 2030 & beyond | 192              | AES-192              | 7680                | 384                    | 7680                     | 384            | SHA-384  |
2016 - 2030 & beyond | 256              | AES-256              | 15360               | 512                    | 15360                    | 512            | SHA-512  |
All key sizes are provided in bits. These are the minimal sizes for security.
It is always acceptable to use a hash function with a higher estimated maximum security strength. When selecting a block cipher (e.g. AES or TDEA), the block size may also be a factor to consider; more information on this issue is provided in SP 800-38.
(*) The assessment of at least 80 bits of security for 2TDEA assumes that an attacker has no more than 2^40 matched plaintext and ciphertext blocks.
(**) SHA-1 has been shown to provide less than 80 bits of security for digital signatures, which require collision resistance. As of 2016, its exact security strength against signature collisions remained a subject of speculation.
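The key length table answers one question per column, but a real system mixes columns: a TLS connection, say, has an RSA certificate (factoring), an ECDHE exchange (elliptic curve), a record cipher (symmetric) and a signature hash. NIST's guidance behind this table is that the security strength of such a system is that of its weakest component, and the Date column then says which strength is acceptable when. The script below is an added example, not code from BlueKrypt or NIST, that encodes the table rows above and applies that weakest-link rule to a constructed TLS profile. The column names, the "112 bits through 2030, 128 beyond" reading of the Date column, and the sample profile are the example's assumptions; only Hash (A) (collision-resistance) values are used since those are the ones given in the table.

```python
# Minimum sizes (bits) for each security strength, taken from the NIST table
# above. Columns: strength, factoring modulus, discrete-log group,
# discrete-log key, elliptic-curve order, hash output (Hash (A) column).
NIST_ROWS = (
    (80,   1024,  1024, 160, 160, 160),   # legacy only
    (112,  2048,  2048, 224, 224, 224),
    (128,  3072,  3072, 256, 256, 256),
    (192,  7680,  7680, 384, 384, 384),
    (256, 15360, 15360, 512, 512, 512),
)
COLUMN = {"factoring": 1, "dlog_group": 2, "dlog_key": 3, "ecc": 4, "hash": 5}

# Symmetric algorithms carry their strength directly (AES key size), except
# TDEA, whose strength is far below its raw key length (see footnote *).
SYMMETRIC = {"2TDEA": 80, "3TDEA": 112,
             "AES-128": 128, "AES-192": 192, "AES-256": 256}


def param_strength(kind: str, bits: int) -> int:
    """Largest table strength whose minimum size for this parameter kind is
    met by `bits`; 0 when the size is below even the legacy row."""
    col = COLUMN[kind]
    best = 0
    for row in NIST_ROWS:
        if bits >= row[col]:
            best = row[0]
    return best


def required_strength(year: int) -> int:
    """Strength the Date column asks for: 112 through 2030, 128 beyond.
    80 bits appears only as (Legacy) and is never acceptable for new use
    (assumption on how the Date column is read)."""
    return 112 if year <= 2030 else 128


def system_strength(components):
    """Weakest-link rule: a system is only as strong as its weakest parameter.
    `components` is a list of (label, kind, value); kind is a COLUMN key with
    a bit size, or 'symmetric' with an algorithm name from SYMMETRIC."""
    per = {}
    for label, kind, value in components:
        if kind == "symmetric":
            per[label] = SYMMETRIC[value]
        else:
            per[label] = param_strength(kind, value)
    weakest = min(per, key=per.get)
    return per[weakest], weakest, per


def assess(components, year: int) -> dict:
    """Compare the system's strength with what the table requires in `year`."""
    strength, weakest, per = system_strength(components)
    need = required_strength(year)
    return {"strength": strength, "weakest": weakest, "required": need,
            "ok": strength >= need, "per_component": per}


# Constructed TLS profile for the demonstration (not a real deployment).
TLS_PROFILE = [
    ("certificate RSA modulus", "factoring", 2048),
    ("ECDHE curve P-256", "ecc", 256),
    ("record cipher", "symmetric", "AES-128"),
    ("signature hash SHA-256", "hash", 256),
]


def with_rsa(profile, bits):
    """Same profile with a different certificate modulus, for comparison."""
    return [("certificate RSA modulus", "factoring", bits) if c[1] == "factoring"
            else c for c in profile]


if __name__ == "__main__":
    for year in (2025, 2031):
        for bits in (2048, 3072):
            r = assess(with_rsa(TLS_PROFILE, bits), year)
            print(f"{year} RSA-{bits}: strength {r['strength']} "
                  f"(limited by {r['weakest']}), need {r['required']}, "
                  f"{'ok' if r['ok'] else 'INSUFFICIENT'}")
```

The point the run makes is that AES-128, P-256 and SHA-256 all sit in the 128-bit row, yet the 2048-bit RSA certificate holds the whole session at 112 bits; that is acceptable through 2030 and insufficient beyond it, and moving the certificate to 3072 bits is what lifts the system, not a longer AES key.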
© 2020 BlueKrypt - v 31.0 - June 10, 2018
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Bibliography
[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, Journal of Cryptology, vol. 14, p. 255-293, 2001.
[2] Key Lengths, Arjen K. Lenstra, The Handbook of Information Security, 06/2004.
[3] Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 - Project 645421, D5.4, ECRYPT-CSA, 02/2018.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 4, NIST, 01/2016.
[5] Mécanismes cryptographiques - Règles et recommandations, Rev. 2.03, ANSSI, 02/2014.
[6] Commercial National Security Algorithm, Information Assurance Directorate at the NSA, 01/2016.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Kryptographische Verfahren: Empfehlungen und Schlüssellängen, TR-02102-1 v2018-02, BSI, 05/2018.
[10] Approved algorithms for block ciphers, NIST.