Cryptographic Key Length Recommendation

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache as you need to read and understand all these papers.

This web site implements mathematical formulas and summarizes reports from well-known organizations allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematic attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

Choose a Method
This is the recommendations from the French Network and Information Security Agency (ANSSI) [5] that contribute to the definition and the expression of the French government policy concerning information systems security.
Date Symmetric Factoring
Modulus
Discrete Logarithm
Key Group
Elliptic Curve
GF(p)  GF(2n)
Hash
2014 - 2020 100 2048
200 2048
200 200
200
2021 - 2030 128 2048
200 2048
256 256
256
> 2030 128 3072
200 3072
256 256
256
All key sizes are provided in bits. These are the minimal sizes for security.
Click on a value to compare it with other methods.
Remarks and recommended algorithms for symmetric schemes:
  • 128-bit is the recommended symmetric size.
  • 64-bit is the minimal bloc length for bloc ciphers (128-bit recommended and mandatory after 2020).
  • It is counseled to use bloc ciphers instead of stream ciphers.
  • Encryption algorithm: AES-CBC (FIPS 197)
  • Authentication and integrity algorithm: CBC-MAC "retail" with AES and 2 distinct keys.
Remarks and recommended algorithms for asymmetric schemes:
  • For RSA encryption, public exponents must be strictly higher than 216=65536.
  • The secret exponents must have the same length as the modulus (3072-bit recommended).
  • The prime factors of the RSA modulus must be chosen uniformly at random among the integers that are half the size of the modulus.
  • Encryption algorithm: RSAES-OAEP (PKCS#1 v2.1)
  • Signature algorithm: RSA-SSA-PSS (PKCS#1 v2.1)
  • Signature algorithm: ECDSA/ECKCDSA with FRP256v1 or P-256, P-384, P-521, B-283, B-409, B-571 in FIPS 186-2
  • Elliptic curves GF(p): FRP256v1 and P-256, P-384, P-521 in FIPS 186-2
  • Elliptic curves GF(2n): B-283, B-409 and B-571 (FIPS 186-2)
Recommended algorithm for hash functions: SHA-256 (FIPS 180-2)
© 2017 BlueKrypt - v 30.4 - February 23, 2017
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Contact:
Surveys of laws and regulations on cryptology: Crypto Law Survey / Digital Signature Law Survey.
Bibliography[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, Journal Of Cryptology, vol. 14, p. 255-293, 2001.
[2] Key Lengths, Arjen K. Lenstra, The Handbook of Information Security, 06/2004.
[3] Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 4, NIST, 01/2016.
[5] Mécanismes cryptographiques - Règles et recommandations, Rev. 2.03, ANSSI , 02/2014.
[6] Commercial National Security Algorithm, Information Assurance Directorate at the NSA, 01/2016.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Kryptographische Verfahren: Empfehlungen und Schlüssellängen, TR-02102-1 v2017-01, BSI, 02/2017.
Privacy Policy (P3P)  |  Disclaimer / Copyright  |  Release Notes