In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a

cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...

hash function A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually ...

— achieves. Security level is usually expressed as a number of "

bit The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represented a ...

s of security" (also security strength), where ''n''-bit security means that the attacker would have to perform 2^''n'' operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a

hybrid cryptosystem In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiv ...

, so there is no clear weakest link. For example,

AES AES may refer to: Businesses and organizations Companies * AES Corporation, an American electricity company * AES Data, former owner of Daisy Systems Holland * AES Eletropaulo, a former Brazilian electricity company * AES Andes, formerly AES Gener ...

-128 ( key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a

RSA RSA may refer to: Organizations Academia and education * Rabbinical Seminary of America, a yeshiva in New York City *Regional Science Association International (formerly the Regional Science Association), a US-based learned society *Renaissance S ...

using 3072-bit key. In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.

In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the key size of the cipher — equivalent to the

complexity Complexity characterises the behaviour of a system or model whose components interact in multiple ways and follow local rules, leading to nonlinearity, randomness, collective dynamics, hierarchy, and emergence. The term is generally used to c ...

of a brute-force attack.

Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output ...

s with output size of ''n'' bits usually have a collision resistance security level ''n''/2 and a

preimage resistance In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs). In the context of attack, the ...

level ''n''. This is because the general birthday attack can always find collisions in 2^''n/2'' steps. For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance. However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level. The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.

In asymmetric cryptography

The design of most asymmetric algorithms (i.e.

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic a ...

) relies on neat

mathematical problem A mathematical problem is a problem that can be represented, analyzed, and possibly solved, with the methods of mathematics. This can be a real-world problem, such as computing the orbits of the planets in the solar system, or a problem of a more ...

s that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack. Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies. For the

RSA cryptosystem RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publi ...

at 128-bit security level,

NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sc ...

and

ENISA The European Union Agency for Cybersecurity – self-designation ENISA from the abbreviation of its original name – is an agency of the European Union. It is fully operational since September 1, 2005. The Agency is located in Athens, Greece an ...

recommend using 3072-bit keys and

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and ...

3253 bits. Elliptic curve cryptography requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).

Typical levels

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management. ^† DES was deprecated in 2003

Meaning of "broken"

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2⁴⁰ operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2^61.2 attack on SHA-1, which took 2 months on 900 GTX 970 GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision). Aumasson draws the line between practical and impractical attacks at 2⁸⁰ operations. He proposes a new terminology: * A ''broken'' primitive has an attack taking ≤ 2⁸⁰ operations. An attack can be plausibility carried out. * A ''wounded'' primitive has an attack taking between 2⁸⁰ and around 2¹⁰⁰ operations. An attack is not possible right now, but future improvements are likely to make it possible. * An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2¹⁰⁰. Such an attack is too far from being practical. * Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.

In symmetric cryptography

In asymmetric cryptography

Typical levels

Meaning of "broken"

References

Further reading

See also