In cryptography, security level is a measure of the strength that a

cryptographic primitive Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash functions and ...

— such as a

cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode ...

or hash function — achieves. Security level is usually expressed as a number of " bits of security" (also security strength), where ''n''-bit security means that the attacker would have to perform 2^''n'' operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a

hybrid cryptosystem In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and recei ...

, so there is no clear weakest link. For example, AES-128 ( key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key. In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.

In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For

symmetric cipher Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go betwe ...

s, it is typically equal to the key size of the cipher — equivalent to the

complexity Complexity characterises the behaviour of a system or model whose components interact in multiple ways and follow local rules, leading to nonlinearity, randomness, collective dynamics, hierarchy, and emergence. The term is generally used to ch ...

of a brute-force attack.

Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output ...

s with output size of ''n'' bits usually have a

collision resistance In cryptography, collision resistance is a property of cryptographic hash functions: a hash function ''H'' is collision-resistant if it is hard to find two inputs that hash to the same output; that is, two inputs ''a'' and ''b'' where ''a'' ≠ '' ...

security level ''n''/2 and a preimage resistance level ''n''. This is because the general

birthday attack A birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likel ...

can always find collisions in 2^''n/2'' steps. For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance. However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level. The SHAKE variants of

SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struc ...

are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.

In asymmetric cryptography

The design of most asymmetric algorithms (i.e.

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic a ...

) relies on neat

mathematical problem A mathematical problem is a problem that can be represented, analyzed, and possibly solved, with the methods of mathematics. This can be a real-world problem, such as computing the orbits of the planets in the solar system, or a problem of a more ...

s that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than

brute-force search In computer science, brute-force search or exhaustive search, also known as generate and test, is a very general problem-solving technique and algorithmic paradigm that consists of systematically enumerating all possible candidates for the soluti ...

of the key space. Their security level isn't set at design time, but represents a

computational hardness assumption In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (unconditio ...

, which is adjusted to match the best currently known attack. Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies. For the

RSA cryptosystem RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publi ...

at 128-bit security level,

NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...

and

ENISA The European Union Agency for Cybersecurity – self-designation ENISA from the abbreviation of its original name – is an agency of the European Union. It is fully operational since September 1, 2005. The Agency is located in Athens, Greece a ...

recommend using 3072-bit keys and

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements an ...

3253 bits.

Elliptic curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provid ...

requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).

Typical levels

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management. ^† DES was deprecated in 2003

Meaning of "broken"

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2⁴⁰ operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2^61.2 attack on SHA-1, which took 2 months on 900

GTX 970 The GeForce 900 series is a family of graphics processing units developed by Nvidia, succeeding the GeForce 700 series and serving as the high-end introduction to the Maxwell microarchitecture, named after James Clerk Maxwell. They are produced ...

GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision). Aumasson draws the line between practical and impractical attacks at 2⁸⁰ operations. He proposes a new terminology: * A ''broken'' primitive has an attack taking ≤ 2⁸⁰ operations. An attack can be plausibility carried out. * A ''wounded'' primitive has an attack taking between 2⁸⁰ and around 2¹⁰⁰ operations. An attack is not possible right now, but future improvements are likely to make it possible. * An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2¹⁰⁰. Such an attack is too far from being practical. * Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.

In symmetric cryptography

In asymmetric cryptography

Typical levels

Meaning of "broken"

References

Further reading

See also