Cryptographic Key Length Recommendation

In most cryptographic functions, the key length is an important security parameter. Both academic and private organizations publish recommendations and mathematical formulas that approximate the minimum key size required for security. Despite the availability of these publications, choosing an appropriate key size to protect your system from attacks remains a headache, because you need to read and understand all of these papers.

This web site implements these mathematical formulas and summarizes the reports from well-known organizations, allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all of these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

Choose a Method
NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. The recommendations in this report [4] are intended for use by Federal agencies and provide key sizes together with algorithms. The first table gives the cryptoperiod for 19 types of key use. A cryptoperiod is the time span during which a specific key is authorized for use by legitimate entities, or during which the keys for a given system remain in effect. The second table presents the key length recommendations.
                                        Cryptoperiod
Key Type                                Originator Usage Period (OUP)        Recipient Usage Period
Private Signature Key                   1-3 years                            -
Public Signature Key                    Several years (depends on key size)
Symmetric Authentication Key            ≤ 2 years                            ≤ OUP + 3 years
Private Authentication Key              1-2 years
Public Authentication Key               1-2 years
Symmetric Data Encryption Key           ≤ 2 years                            ≤ OUP + 3 years
Symmetric Key Wrapping Key              ≤ 2 years                            ≤ OUP + 3 years
Symmetric RBG Keys                      See SP 800-90                        -
Symmetric Master Key                    About 1 year                         -
Private Key Transport Key               ≤ 2 years (1)
Public Key Transport Key                1-2 years
Symmetric Key Agreement Key             1-2 years (2)
Private Static Key Agreement Key        1-2 years (3)
Public Static Key Agreement Key         1-2 years
Private Ephemeral Key Agreement Key     One key agreement transaction
Public Ephemeral Key Agreement Key      One key agreement transaction
Symmetric Authorization Key             ≤ 2 years
Private Authorization Key               ≤ 2 years
Public Authorization Key                ≤ 2 years
In some cases risk factors affect the cryptoperiod selection (see section 5.3.1 in report [4]).
(1) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of a private key-transport key may exceed the cryptoperiod of the public key-transport key.
(2) In certain email applications where received messages are stored and decrypted at a later time, the key's recipient-usage period may exceed the originator-usage period.
(3) In certain email applications where received messages are stored and decrypted at a later time, the cryptoperiod of a private static key-agreement key may exceed the cryptoperiod of the corresponding public static key-agreement key.
TDEA (Triple Data Encryption Algorithm) and AES are specified in [10].
Hash (A): Digital signatures and other applications requiring collision resistance.
Hash (B): HMAC, KMAC, key derivation functions and random bit generation.
Date                  Security Strength  Symmetric Algorithms  Factoring Modulus  Discrete Logarithm (Key / Group)  Elliptic Curve
Legacy (1)            80                 2TDEA                 1024               160 / 1024                        160
2019 - 2030           112                (3TDEA) (3), AES-128  2048               224 / 2048                        224
2019 - 2030 & beyond  128                AES-128               3072               256 / 3072                        256
2019 - 2030 & beyond  192                AES-192               7680               384 / 7680                        384
2019 - 2030 & beyond  256                AES-256               15360              512 / 15360                       512

Security Strength  Hash (A)                        Hash (B)
80                 SHA-1 (2)                       -
112                SHA-224, SHA-512/224, SHA3-224  -
128                SHA-256, SHA-512/256, SHA3-256  SHA-1, KMAC128
192                SHA-384, SHA3-384               SHA-224, SHA-512/224, SHA3-224
256                SHA-512, SHA3-512               SHA-256, SHA-512/256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512, KMAC256
All key sizes are provided in bits. These are the minimal sizes for security.
(1) Algorithms and key lengths for 80-bit security strength may be used because of their use in legacy applications (i.e., they can be used to process cryptographically protected data). They shall not be used for applying cryptographic protection (e.g., encrypting).
(2) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures, which require collision resistance. In 2020, the security strength against digital signature collisions remains a subject of speculation.
(3) Although 3TDEA is listed as providing 112 bits of security strength, its use has been deprecated (see SP 800-131A) through 2023, after which it will be disallowed for applying cryptographic protection. The use of a deprecated algorithm means that the algorithm or key length may be used if the risk of doing so is acceptable.

Remarks:
  • In the case of HMAC and KMAC, which require keys, the estimated security strength assumes that the length and entropy used to generate the key are at least equal to the security strength. The same remark applies to key derivation functions and random bit generation, which need adequate and sufficient entropy to support the desired security strength.
  • It is always acceptable to use a hash function with a higher estimated maximum security strength.
  • When selecting a block cipher cryptographic algorithm (e.g. AES or TDEA), the block size may also be a factor that should be considered. More information on this issue is provided in this page.
  • The security-strength estimates for algorithms based on factoring modulus (RSA) and elliptic-curve cryptography (ECDSA, EdDSA, DH, MQV) will be significantly affected when quantum computing becomes a practical consideration.
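To make the table usable as a check rather than a chart, here is an added Python example (not code from the keylength.com site or from NIST) that encodes the rows above and judges a set of parameter choices against a target security strength, applying footnotes (1)-(3). The family labels 'symmetric', 'hash_a', 'rsa', 'dl_key', 'dl_group' and 'ec' are this example's own names, and the sample configuration at the bottom is constructed.

```python
"""Strength lookup and audit against the NIST table above (added example, not code
from the keylength.com site or from NIST). All sizes and strengths are in bits."""

SYMMETRIC = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}
HASH_A = {"SHA-1": 80, "SHA-224": 112, "SHA-512/224": 112, "SHA3-224": 112,
          "SHA-256": 128, "SHA-512/256": 128, "SHA3-256": 128,
          "SHA-384": 192, "SHA3-384": 192, "SHA-512": 256, "SHA3-512": 256}
# (minimum size, strength) rows of the table, ascending
MODULUS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
SUBGROUP = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
ASYMMETRIC = {"rsa": MODULUS, "dl_group": MODULUS, "dl_key": SUBGROUP, "ec": SUBGROUP}

def strength(family, value):
    """Strength the table credits to one parameter: an algorithm or hash name for
    'symmetric' / 'hash_a', a size in bits otherwise. 0 means below the legacy row."""
    if family == "symmetric":
        return SYMMETRIC[value]
    if family == "hash_a":
        return HASH_A[value]
    bits = 0
    for minimum, row_strength in ASYMMETRIC[family]:
        if value >= minimum:  # highest row whose minimum is still met
            bits = row_strength
    return bits

def verdict(family, value, target=112, year=2024):
    """Judge one parameter against `target`, applying footnotes (1)-(3) above."""
    bits = strength(family, value)
    if family == "hash_a" and value == "SHA-1":
        return "fail: SHA-1 gives < 80 bits for signatures (note 2)"
    if family == "symmetric" and value == "3TDEA" and year > 2023:
        return "fail: 3TDEA disallowed after 2023 (note 3)"
    if bits < target:
        if bits == 80:
            return "fail: 80-bit legacy, may only process existing data (note 1)"
        return f"fail: {bits} < {target} bits"
    if family == "symmetric" and value == "3TDEA":
        return "deprecated through 2023 (note 3)"
    return f"ok: {bits} bits"

def audit(params, target=112, year=2024):
    """params: (family, value) pairs describing one system's choices."""
    return {f"{fam}:{val}": verdict(fam, val, target, year) for fam, val in params}

if __name__ == "__main__":
    # Constructed sample configuration, not taken from the page
    sample = [("rsa", 2048), ("ec", 256), ("symmetric", "AES-128"),
              ("hash_a", "SHA-1"), ("dl_group", 1024), ("symmetric", "3TDEA")]
    for name, result in audit(sample, target=128).items():
        print(f"{name:18} {result}")
```

Sizes that fall between two rows are credited with the lower row's strength, which is how the table's "minimal sizes" should be read.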

© 2024 BlueKrypt - v 32.3 - May 24, 2020
Author: Damien Giry
Approved by Prof. Jean-Jacques Quisquater
Surveys of laws and regulations on cryptology: Crypto Law Survey / Digital Signature Law Survey.
Bibliography
[1] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, Journal of Cryptology, vol. 14, pp. 255-293, 2001.
[2] Key Lengths, Arjen K. Lenstra, The Handbook of Information Security, 06/2004.
[3] Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018.
[4] Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 5, NIST, 05/2020.
[5] Mécanismes cryptographiques - Règles et recommandations, Rev. 2.03, ANSSI, 02/2014.
[6] Commercial National Security Algorithm, National Security Agency (NSA), 01/2016.
[7] Determining Strengths for Public Keys Used for Exchanging Symmetric Keys, RFC 3766, H. Orman and P. Hoffman, 04/2004.
[8] Cryptographic Mechanisms: Recommendations and Key Lengths, TR-02102-1 v2020-01, BSI, 03/2020.
[10] Block Cipher Techniques, NIST.