In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of " bits of security" (also security strength), where ''n''-bit security means that the attacker would have to perform 2^''n'' operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a

hybrid cryptosystem In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and recei ...

, so there is no clear weakest link. For example, AES-128 ( key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key. In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.

In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For

symmetric cipher Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go betwe ...

s, it is typically equal to the key size of the cipher — equivalent to the complexity of a brute-force attack.

Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output ...

s with output size of ''n'' bits usually have a

collision resistance In cryptography, collision resistance is a property of cryptographic hash functions: a hash function ''H'' is collision-resistant if it is hard to find two inputs that hash to the same output; that is, two inputs ''a'' and ''b'' where ''a'' ≠ '' ...

security level ''n''/2 and a preimage resistance level ''n''. This is because the general birthday attack can always find collisions in 2^''n/2'' steps. For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance. However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level. The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.

In asymmetric cryptography

The design of most asymmetric algorithms (i.e.

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic a ...

) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack. Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies. For the RSA cryptosystem at 128-bit security level, NIST and ENISA recommend using 3072-bit keys and

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements an ...

3253 bits.

Elliptic curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provid ...

requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).

Typical levels

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management. ^† DES was deprecated in 2003

Meaning of "broken"

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2⁴⁰ operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2^61.2 attack on SHA-1, which took 2 months on 900

GTX 970 The GeForce 900 series is a family of graphics processing units developed by Nvidia, succeeding the GeForce 700 series and serving as the high-end introduction to the Maxwell microarchitecture, named after James Clerk Maxwell. They are produced ...

GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision). Aumasson draws the line between practical and impractical attacks at 2⁸⁰ operations. He proposes a new terminology: * A ''broken'' primitive has an attack taking ≤ 2⁸⁰ operations. An attack can be plausibility carried out. * A ''wounded'' primitive has an attack taking between 2⁸⁰ and around 2¹⁰⁰ operations. An attack is not possible right now, but future improvements are likely to make it possible. * An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2¹⁰⁰. Such an attack is too far from being practical. * Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.

In symmetric cryptography

In asymmetric cryptography

Typical levels

Meaning of "broken"

References

Further reading

See also