This article is about strength in cryptography. For business security policy, seesecurity level management.
Measure of cryptographic strength
In cryptography,security level is a measure of the strength that acryptographic primitive — such as acipher orhash function — achieves. Security level is usually expressed as a number of "bits of security" (alsosecurity strength),[1] wheren-bit security means that the attacker would have to perform 2n operations to break it,[2] but other methods have been proposed that more closely model the costs for an attacker.[3] This allows for convenient comparison between algorithms and is useful when combining multiple primitives in ahybrid cryptosystem, so there is no clear weakest link. For example,AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to aRSA using 3072-bit key.
In this context,security claim ortarget security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is consideredbroken.[4][5]
However, there are some exceptions to this. ThePhelix and Helix are 256-bit ciphers offering a 128-bit security level.[5][8] The SHAKE variants ofSHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.[9]
The design of most asymmetric algorithms (i.e.public-key cryptography) relies on neatmathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster thanbrute-force search of the key space. Their security level isn't set at design time, but represents acomputational hardness assumption, which is adjusted to match the best currently known attack.[6]
Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies.
For theRSA cryptosystem at 128-bit security level,NIST andENISA recommend using 3072-bit keys[10][11] andIETF 3253 bits.[12][13] The conversion from key length to a security level estimate is based on the complexity of theGNFS.[14]: §7.5
Diffie–Hellman key exchange and DSA are similar to RSA in terms of the conversion from key length to a security level estimate.[14]: §7.5
Elliptic curve cryptography requires shorter keys, so the recommendations for 128-bit are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF). The conversion from key sizef to security level is approximatelyf / 2: this is because the method to break the Elliptic CurveDiscrete Logarithm Problem, the rho method, finishes in 0.886 sqrt(2f) additions.[15]
The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation forKey Management.[16]: Table 2
^abDEA (DES) was deprecated in 2003 in the context of NIST recommendations.
Under NIST recommendation, a key of a given security level should only be transported under protection using an algorithm of equivalent or higher security level.[14]
The security level is given for the cost of breaking one target, not the amortized cost for group of targets. It takes 2128 operations to find a AES-128 key, yet the same number of amortized operations is required for any numberm of keys. On the other hand, breakingm ECC keys using the rho method require sqrt(m) times the base cost.[15][17]
A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 240 operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 261.2 attack onSHA-1, which took 2 months on 900GTX 970 GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision).[18]
Aumasson draws the line between practical and impractical attacks at 280 operations. He proposes a new terminology:[19]
Abroken primitive has an attack taking ≤ 280 operations. An attack can be plausibly carried out.
Awounded primitive has an attack taking between 280 and around 2100 operations. An attack is not possible right now, but future improvements are likely to make it possible.
Anattacked primitive has an attack that is cheaper than the security claim, but much costlier than 2100. Such an attack is too far from being practical.
Finally, ananalyzed primitive is one with no attacks cheaper than its security claim.
Most quantum attacks on symmetric ciphers provide a square-root speedup to their classical counterpart, thereby halving the security level provided. (The exception is theslide attack withSimon's algorithm, though it has not proved useful in attacking AES.) For example, AES-256 would provide 128 bits of quantum security, which is still considered plenty.[20][21]
Shor's algorithm promises a massive speedup in solving the factoring problem, the discrete logarithm problem, and the period-finding problem, so long as a sufficiently large quantum computer on the order of millions of cubits is available. This would spell the end of RSA, DSA, DH, MQV, ECDSA, EdDSA, ECDH, and ECMQV in their current forms.[22]
Even though quantum computers capable of these operations have yet to appear, adversaries of today may choose to "harvest now, decrypt later": to store intercepted ciphertexts so that they can be decrypted when sufficiently powerful quantum computers become available. As a result, governments and businesses have already begun work on moving to quantum-resistant algorithms. Examples of these effort include Google and Cloudflare's tests of hybrid post-quantum TLS on the Internet and[23] NSA's release ofCommercial National Security Algorithm Suite 2.0 in 2022.
