In cryptography, security level is a measure of the strength that a
cryptographic primitive — such as a
cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
or
hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
— achieves. Security level is usually expressed as a number of "
bit
The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...
s of security" (also security strength), where ''n''-bit security means that the attacker would have to perform 2
''n'' operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a
hybrid cryptosystem, so there is no clear weakest link. For example,
AES-128 (
key size
In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher).
Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...
128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a
RSA using 3072-bit key.
In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.
In symmetric cryptography
Symmetric algorithms usually have a strictly defined security claim. For
symmetric ciphers, it is typically equal to the
key size
In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher).
Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...
of the cipher — equivalent to the
complexity
Complexity characterises the behaviour of a system or model whose components interaction, interact in multiple ways and follow local rules, leading to nonlinearity, randomness, collective dynamics, hierarchy, and emergence.
The term is generall ...
of a
brute-force attack
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correc ...
.
Cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
s with output size of ''n'' bits usually have a
collision resistance
In cryptography, collision resistance is a property of cryptographic hash functions: a hash function ''H'' is collision-resistant if it is hard to find two inputs that hash to the same output; that is, two inputs ''a'' and ''b'' where ''a'' ≠ '' ...
security level ''n''/2 and a
preimage resistance
In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs).
In the context of attack, the ...
level ''n''. This is because the general
birthday attack
A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likeli ...
can always find collisions in 2
''n/2'' steps. For example,
SHA-256
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
offers 128-bit collision resistance and 256-bit preimage resistance.
However, there are some exceptions to this. The
Phelix and Helix are 256-bit ciphers offering a 128-bit security level.
The SHAKE variants of
SHA-3
SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...
are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.
In asymmetric cryptography
The design of most asymmetric algorithms (i.e.
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
) relies on neat
mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than
brute-force search
In computer science, brute-force search or exhaustive search, also known as generate and test, is a very general problem-solving technique and algorithmic paradigm that consists of systematically enumerating all possible candidates for the soluti ...
of the key space. Their security level isn't set at design time, but represents a
computational hardness assumption
In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (uncondition ...
, which is adjusted to match the best currently known attack.
Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies. For the
RSA cryptosystem
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly ...
at 128-bit security level,
NIST
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
and
ENISA recommend using 3072-bit keys and
IETF
The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
3253 bits.
Elliptic curve cryptography
Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide e ...
requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).
Typical levels
The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management.
† DES was deprecated in 2003
Meaning of "broken"
A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2
40 operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2
61.2 attack on SHA-1, which took 2 months on 900
GTX 970
The GeForce 900 series is a family of graphics processing units developed by Nvidia, succeeding the GeForce 700 series and serving as the high-end introduction to the Maxwell microarchitecture, named after James Clerk Maxwell. They are produced ...
GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision).
Aumasson draws the line between practical and impractical attacks at 2
80 operations. He proposes a new terminology:
* A ''broken'' primitive has an attack taking ≤ 2
80 operations. An attack can be plausibility carried out.
* A ''wounded'' primitive has an attack taking between 2
80 and around 2
100 operations. An attack is not possible right now, but future improvements are likely to make it possible.
* An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2
100. Such an attack is too far from being practical.
* Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.
References
Further reading
*
See also
*
Computational hardness assumption
In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (uncondition ...
*
40-bit encryption
*
Cipher security summary
*
Hash function security summary
This article summarizes publicly known cryptanalysis, attacks against cryptographic hash functions. Note that not all entries may be up to date. For a summary of other hash function parameters, see comparison of cryptographic hash functions.
Tabl ...
{{Cryptography navbox
Cryptography
Computational hardness assumptions