Keylength - NIST Report on Cryptographic Key Length and Cryptoperiod (2020)

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers.

This web site implements mathematical formulas and summarizes reports from well-known organizations, allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.


NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The recommendations in this report [4] are intended for use by Federal agencies and provide key sizes together with algorithms. The first table provides cryptoperiods for 19 types of key use. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system will remain in effect. The second table presents the key length recommendations.

Key Type

In some cases risk factors affect the cryptoperiod selection (see section 5.3.1 in report [4]). (1) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of a private key-transport key may exceed the cryptoperiod of the public key-transport key. (2) In certain email applications where received messages are stored and decrypted at a later time, the key's recipient-usage period may exceed the originator-usage period. (3) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of a private static key-agreement key may exceed the cryptoperiod of the corresponding public static key-agreement key.

TDEA (Triple Data Encryption Algorithm) and AES are specified in [10]. Hash (A): Digital signatures and other applications requiring collision resistance. Hash (B): HMAC, KMAC, key derivation functions and random bit generation.

All key sizes are provided in bits. These are the minimal sizes for security. Click on a value to compare it with other methods.

(1) Algorithms and key lengths for 80-bit security strength may be used because of their use in legacy applications (i.e., they can be used to process cryptographically protected data). They shall not be used for applying cryptographic protection (e.g., encrypting).

(2) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures, which require collision resistance. In 2020, the security strength against digital signature collisions remains a subject of speculation.

(3) Although 3TDEA is listed as providing 112 bits of security strength, its use has been deprecated (see SP 800-131A) through 2023, after which it will be disallowed for applying cryptographic protection. The use of a deprecated algorithm means that the algorithm or key length may be used if the risk of doing so is acceptable.

Remarks:

In the case of HMAC and KMAC, which require keys, the estimated security strength assumes that the length and entropy used to generate the key are at least equal to the security strength. The same remark applies to key derivation functions and random bit generation, which need adequate and sufficient entropy to support the desired security strength.

It is always acceptable to use a hash function with a higher estimated maximum security strength.

When selecting a block cipher cryptographic algorithm (e.g. AES or TDEA), the block size may also be a factor that should be considered. More information on this issue is provided on this page.

The security-strength estimates for algorithms based on factoring a modulus (RSA) and on elliptic-curve cryptography (ECDSA, EdDSA, DH, MQV) will be significantly affected when quantum computing becomes a practical consideration.
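As an added example that is not part of the original page or of the NIST report, the Python below turns footnotes (1) to (3) and the HMAC/KMAC remark into a small policy check. The security strength itself is an input, read from the report's table; the handling of SHA-1 signature verification, of 3TDEA processing after 2023 and of strengths below 80 bits is assumed where the notes are silent.

```python
# Policy check built from the SP 800-57 footnotes and remarks quoted above.
# The caller supplies the estimated security strength read from the report's
# table; this code applies only the transition rules the notes state.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    ACCEPTABLE = "acceptable"
    LEGACY_USE = "legacy use"   # may process already-protected data only
    DEPRECATED = "deprecated"   # usable while the residual risk is accepted
    DISALLOWED = "disallowed"

@dataclass(frozen=True)
class Usage:
    algorithm: str               # e.g. "AES-128", "3TDEA", "SHA-1"
    strength_bits: int           # estimated security strength from the table
    applying_protection: bool    # True: encrypt/sign/MAC now; False: decrypt/verify
    needs_collision_resistance: bool = False  # Hash (A) uses such as signatures
    key_entropy_bits: Optional[int] = None    # Hash (B) keyed uses: HMAC, KMAC, KDF
    year: int = 2020

def effective_strength(u: Usage) -> int:
    """Remark: a keyed use is no stronger than the entropy behind its key."""
    if u.key_entropy_bits is not None:
        return min(u.strength_bits, u.key_entropy_bits)
    return u.strength_bits

def evaluate(u: Usage) -> Verdict:
    # Footnote (2): SHA-1 falls below 80 bits where collision resistance matters,
    # so it may not sign; verifying existing signatures is treated as legacy
    # processing here (assumption: the notes do not spell that case out).
    if u.algorithm == "SHA-1" and u.needs_collision_resistance:
        return Verdict.DISALLOWED if u.applying_protection else Verdict.LEGACY_USE
    # Footnote (3): 3TDEA is deprecated through 2023, then disallowed for applying
    # protection; processing after 2023 stays deprecated here (assumption).
    if u.algorithm == "3TDEA":
        if u.applying_protection and u.year > 2023:
            return Verdict.DISALLOWED
        return Verdict.DEPRECATED
    strength = effective_strength(u)
    # Footnote (1): 80-bit strength may only process existing protected data.
    if 80 <= strength < 112:
        return Verdict.DISALLOWED if u.applying_protection else Verdict.LEGACY_USE
    if strength < 80:  # assumption: below the legacy floor nothing is allowed
        return Verdict.DISALLOWED
    return Verdict.ACCEPTABLE
```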