In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a

cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...

hash function A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...

— achieves. Security level is usually expressed as a number of "

bit The bit is the most basic unit of information in computing and digital communications. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represente ...

s of security" (also security strength), where ''n''-bit security means that the attacker would have to perform 2^''n'' operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (

key size In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher). Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the fastest ...

128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key. In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.

In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the

of the cipher — equivalent to the

complexity Complexity characterises the behaviour of a system or model whose components interaction, interact in multiple ways and follow local rules, leading to nonlinearity, randomness, collective dynamics, hierarchy, and emergence. The term is generall ...

of a

brute-force attack In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correc ...

Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...

s with output size of ''n'' bits usually have a

collision resistance In cryptography, collision resistance is a property of cryptographic hash functions: a hash function ''H'' is collision-resistant if it is hard to find two inputs that hash to the same output; that is, two inputs ''a'' and ''b'' where ''a'' ≠ '' ...

security level ''n''/2 and a

preimage resistance In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage (set of possible inputs). In the context of attack, the ...

level ''n''. This is because the general

birthday attack A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likeli ...

can always find collisions in 2^''n/2'' steps. For example,

SHA-256 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...

offers 128-bit collision resistance and 256-bit preimage resistance. However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level. The SHAKE variants of

SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...

are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.

In asymmetric cryptography

The design of most asymmetric algorithms (i.e.

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than

brute-force search In computer science, brute-force search or exhaustive search, also known as generate and test, is a very general problem-solving technique and algorithmic paradigm that consists of systematically enumerating all possible candidates for the soluti ...

of the key space. Their security level isn't set at design time, but represents a

computational hardness assumption In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (uncondition ...

, which is adjusted to match the best currently known attack. Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies. For the

RSA cryptosystem RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly ...

at 128-bit security level,

NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...

and ENISA recommend using 3072-bit keys and

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

3253 bits.

Elliptic curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide e ...

requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).

Typical levels

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management. ^† DES was deprecated in 2003

Meaning of "broken"

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2⁴⁰ operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2^61.2 attack on SHA-1, which took 2 months on 900

GTX 970 The GeForce 900 series is a family of graphics processing units developed by Nvidia, succeeding the GeForce 700 series and serving as the high-end introduction to the Maxwell microarchitecture, named after James Clerk Maxwell. They are produced ...

GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision). Aumasson draws the line between practical and impractical attacks at 2⁸⁰ operations. He proposes a new terminology: * A ''broken'' primitive has an attack taking ≤ 2⁸⁰ operations. An attack can be plausibility carried out. * A ''wounded'' primitive has an attack taking between 2⁸⁰ and around 2¹⁰⁰ operations. An attack is not possible right now, but future improvements are likely to make it possible. * An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2¹⁰⁰. Such an attack is too far from being practical. * Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.

In symmetric cryptography

In asymmetric cryptography

Typical levels

Meaning of "broken"

References

Further reading

See also