{{About|strength in cryptography|business security policy|Security level management}} {{short description|Measure of cryptographic strength}}

In cryptography, '''security level''' is a measure of the strength that a cryptographic primitive &mdash; such as a cipher or hash function &mdash; achieves. Security level is usually expressed as a number of "bits of security" (also '''security strength'''),<ref>[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf NIST Special Publication 800-57 Part 1, Revision 5. Recommendation for Key Management: Part 1 – General], p. 17.</ref> where ''n''-bit security means that the attacker would have to perform 2<sup>''n''</sup> operations to break it,<ref>{{Cite news|url=https://infoscience.epfl.ch/record/164539/files/NPDF-32.pdf|title=Key Lengths: Contribution to The Handbook of Information Security|last=Lenstra|first=Arjen K.|author-link=Arjen Lenstra}}</ref> but other methods have been proposed that more closely model the costs for an attacker.<ref>{{Cite book|chapter-url=https://cr.yp.to/nonuniform/nonuniform-20130914.pdf|title=Advances in Cryptology - ASIACRYPT 2013|last1=Bernstein|first1=Daniel J.|last2=Lange|first2=Tanja|author2-link=Tanja Lange|date=4 June 2012|isbn=978-3-642-42044-3|series=Lecture Notes in Computer Science|pages=321–340|language=en|chapter=Non-uniform cracks in the concrete: the power of free precomputation|doi=10.1007/978-3-642-42045-0_17|author-link=Daniel J. Bernstein}}</ref> This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to RSA using a 3072-bit key.

In this context, '''security claim''' or '''target security level''' is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered '''broken'''.<ref>{{Cite conference|url=https://media.blackhat.com/bh-ad-11/Aumasson/bh-ad-11-Aumasson-CryptanalysisVSReality_WP.pdf|first=Jean-Philippe|last=Aumasson|conference=Black Hat Abu Dhabi|year=2011|title=Cryptanalysis vs. Reality}}</ref><ref name=":0">{{Cite conference|url=https://cr.yp.to/snuffle/bruteforce-20050425.pdf|title=Understanding brute force|last=Bernstein|first=Daniel J.|author-link=Daniel J. Bernstein|date=25 April 2005|conference=ECRYPT STVL Workshop on Symmetric Key Encryption}}</ref>

== In symmetric cryptography ==

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the key size of the cipher — equivalent to the complexity of a brute-force attack.<ref name=":0" /><ref name=":1">{{Cite book|title=Advances in Cryptology — ASIACRYPT 2001|volume=2248|last=Lenstra|first=Arjen K.|date=9 December 2001|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-45682-7|pages=67–86|language=en|chapter=Unbelievable Security: Matching AES Security Using Public Key Systems|doi=10.1007/3-540-45682-1_5|chapter-url=https://www.iacr.org/archive/asiacrypt2001/22480067.pdf|series=Lecture Notes in Computer Science}}</ref> Cryptographic hash functions with output size of ''n'' bits usually have a collision resistance security level ''n''/2 and a preimage resistance level ''n''. This is because the general birthday attack can always find collisions in 2<sup>''n/2''</sup> steps.<ref>{{Cite book|url=http://cacr.uwaterloo.ca/hac/|title=Handbook of Applied Cryptography|page=336|chapter=Chapter 9 - Hash Functions and Data Integrity|chapter-url=http://cacr.uwaterloo.ca/hac/about/chap9.pdf|author=Alfred J. Menezes |author2=Paul C. van Oorschot |author3=Scott A. Vanstone }}</ref> For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance.

However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level.<ref name=":0" /><ref>{{Cite book|title=Fast Software Encryption|volume=2887|last1=Ferguson|first1=Niels|last2=Whiting|first2=Doug|last3=Schneier|first3=Bruce|last4=Kelsey|first4=John|last5=Lucks|first5=Stefan|last6=Kohno|first6=Tadayoshi|date=24 February 2003|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-20449-7|pages=330–346|language=en|chapter=Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive|doi=10.1007/978-3-540-39887-5_24|chapter-url=https://www.schneier.com/academic/paperfiles/paper-phelix.pdf|series=Lecture Notes in Computer Science}}</ref> The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.<ref>{{Cite report|title=SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions|url=http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf|date=August 2015|page=23|doi=10.6028/nist.fips.202|last1=Dworkin|first1=Morris J.|publisher=NIST}}</ref>
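
The birthday bound behind the ''n''/2 collision level can be observed directly on a toy hash. The following is an added example, not part of the original article: it truncates SHA-256 to ''n'' bits (an assumption made so the search finishes quickly) and counts how many hashes are needed before two constructed inputs collide.

```python
import hashlib
import math

def truncated_hash(data: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256(data) as an integer (a toy n-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def birthday_collision(n_bits: int):
    """Hash distinct inputs until two of them share an n-bit digest.

    Returns (msg_a, msg_b, steps). The pigeonhole principle bounds the
    search by 2**n_bits + 1 hashes; the birthday bound puts the expected
    count near sqrt(pi/2 * 2**n_bits), about 1.25 * 2**(n_bits / 2).
    """
    seen = {}  # digest -> first message that produced it
    steps = 0
    while True:
        msg = b"constructed-input-%d" % steps  # constructed sample inputs
        steps += 1
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, steps
        seen[h] = msg

def expected_steps(n_bits: int) -> float:
    """Expected number of hashes before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)

if __name__ == "__main__":
    for n in (16, 20, 24):
        a, b, steps = birthday_collision(n)
        print(f"n={n}: collision after {steps} hashes "
              f"(expected ~{expected_steps(n):.0f}, brute force 2^{n})")
        print(f"   {a!r} and {b!r} share digest {truncated_hash(a, n):#x}")
```

The measured counts track 2<sup>''n''/2</sup> rather than 2<sup>''n''</sup>, which is why a hash needs a 256-bit output to claim 128-bit collision resistance.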

== In asymmetric cryptography ==
{{See also|Key size#Asymmetric algorithm key lengths}}
The design of most asymmetric algorithms (i.e. public-key cryptography) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack.<ref name=":1" />

Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies.
* For the RSA cryptosystem at 128-bit security level, NIST and ENISA recommend using 3072-bit keys<ref>{{Cite report|last=Barker|first=Elaine|others=NIST|title=Recommendation for Key Management, Part 1 -- General|url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|date=2020|pages=54–55|doi=10.6028/NIST.SP.800-57pt1r5|publisher=NIST}}</ref><ref>{{Cite book|year=2013|others=ENISA|title=Algorithms, key size and parameters report – 2014|url=https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014/at_download/fullReport|page=37|publisher=Publications Office|doi=10.2824/36822|isbn=978-92-9204-102-1|archive-date=2015-10-17|access-date=2017-01-02|archive-url=https://web.archive.org/web/20151017094652/https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-size-and-parameters-report-2014/at_download/fullReport|url-status=dead}}</ref> and the IETF recommends 3253 bits.<ref>{{Cite IETF|url=https://tools.ietf.org/html/rfc3766|title=Determining Strengths For Public Keys Used For Exchanging Symmetric Keys|last1=Orman|first1=Hilarie|last2=Hoffman|first2=Paul|series=RFC|number=3766|publisher=IETF|date=April 2004|doi=10.17487/RFC3766}}</ref><ref>{{Cite web|url=https://www.keylength.com/en/compare/|title=Keylength - Compare all Methods|last=Giry|first=Damien|website=keylength.com|access-date=2017-01-02}}</ref> The conversion from key length to a security level estimate is based on the complexity of the GNFS.<ref name=generalDHRSA>{{cite web |title=Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program|url=https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf}}</ref>{{rp|at=&sect;7.5}}
* Diffie–Hellman key exchange and DSA are similar to RSA in terms of the conversion from key length to a security level estimate.<ref name=generalDHRSA/>{{rp|at=&sect;7.5}}
* Elliptic curve cryptography requires shorter keys, so the recommendations for 128-bit are 256–383 (NIST), 256 (ENISA) and 242 bits (IETF). The conversion from key size ''f'' to security level is approximately ''f'' / 2: this is because the method to break the Elliptic Curve Discrete Logarithm Problem, the rho method, finishes in 0.886 sqrt(2<sup>''f''</sup>) additions.<ref name=rho>{{cite web |title=The rho method |url=https://safecurves.cr.yp.to/rho.html |access-date=21 February 2024}}</ref>
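
The conversions above can be combined to find the weakest link in a hybrid cryptosystem. The following is an added example, not part of the original article: the GNFS-based formula is the one given in the cited FIPS 140-2 Implementation Guidance §7.5 (it is not spelled out in this article), and the suites and component names are constructed for illustration.

```python
import math

def gnfs_strength(modulus_bits):
    """Estimate for RSA / finite-field DH / DSA moduli, using the
    GNFS-based formula from FIPS 140-2 IG section 7.5."""
    t = modulus_bits * math.log(2)
    return (1.923 * t ** (1 / 3) * math.log(t) ** (2 / 3) - 4.69) / math.log(2)

def ecc_strength(field_bits, targets=1):
    """log2 of the rho-method cost: 0.886 * sqrt(2**f) additions for one
    key, and sqrt(m) times that in total for a batch of m keys."""
    return field_bits / 2 + math.log2(0.886) + math.log2(targets) / 2

def symmetric_strength(key_bits):
    """Brute force over the key space: the level equals the key size."""
    return float(key_bits)

def hash_collision_strength(output_bits):
    """Generic birthday bound: n/2 bits of collision resistance."""
    return output_bits / 2

ESTIMATORS = {
    "symmetric": symmetric_strength,
    "hash-collision": hash_collision_strength,
    "rsa-or-ffdh": gnfs_strength,
    "ecc": ecc_strength,
}

def weakest_link(suite):
    """Return (name, bits) of the lowest-strength component.

    `suite` maps a component name to (kind, size_in_bits).
    """
    levels = {name: ESTIMATORS[kind](size) for name, (kind, size) in suite.items()}
    name = min(levels, key=levels.get)
    return name, levels[name]

# Constructed suites for illustration only.
BASE = {"AES-128": ("symmetric", 128), "SHA-256": ("hash-collision", 256),
        "ECDH-256": ("ecc", 256)}
SUITE_A = dict(BASE, **{"RSA-2048": ("rsa-or-ffdh", 2048)})
SUITE_B = dict(BASE, **{"RSA-3072": ("rsa-or-ffdh", 3072)})

if __name__ == "__main__":
    for label, suite in (("A", SUITE_A), ("B", SUITE_B)):
        name, bits = weakest_link(suite)
        print(f"suite {label}: weakest link is {name} at ~{bits:.1f} bits")
```

The raw formula gives about 110 bits for a 2048-bit modulus and about 132 bits for a 3072-bit modulus, so the 2048-bit RSA key is the weakest component of suite A, while in suite B no component falls noticeably below 128 bits.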

== Typical levels ==
The following table gives examples of typical security levels for types of algorithms, as found in section 5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management.<ref>{{Cite report|last=Barker|first=Elaine|others=NIST|title=Recommendation for Key Management, Part 1: General|url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf|date=May 2020|page=158|doi=10.6028/nist.sp.800-57pt1r5|citeseerx=10.1.1.106.307|publisher=NIST}}</ref>{{rp|at=Table&nbsp;2}}

{| class="wikitable"
|+ Comparable Algorithm Strengths
|-style="background:#DADADA"
!Security Bits!!Symmetric Key!!Finite Field/Discrete Logarithm<br>(DSA, DH, MQV)!!Integer Factorization<br>(RSA)!!Elliptic Curve<br>(ECDSA, EdDSA, ECDH, ECMQV)
|-align="center"
|style="background:#FF6347"|80
|2TDEA{{efn|group=t2|name=DEA|DEA (DES) was deprecated in 2003 in the context of NIST recommendations.}}
|''L'' = 1024, ''N'' = 160
|''k'' = 1024
|160 ≤ ''f'' ≤ 223
|-align="center"
|style="background:#FFDF00"|112
|3TDEA{{efn|group=t2|name=DEA}}
|''L'' = 2048, ''N'' = 224
|''k'' = 2048
|224 ≤ ''f'' ≤ 255
|-align="center"
|style="background:#00FF7F"|128
|AES-128
|''L'' = 3072, ''N'' = 256
|''k'' = 3072
|256 ≤ ''f'' ≤ 383
|-align="center"
|style="background:#00FF7F"|192
|AES-192
|''L'' = 7680, ''N'' = 384
|''k'' = 7680
|384 ≤ ''f'' ≤ 511
|-align="center"
|style="background:#00FF7F"|256
|AES-256
|''L'' = 15360, ''N'' = 512
|''k'' = 15360
|''f'' ≥ 512
|}
{{notelist|group=t2}}

Under NIST recommendation, a key of a given security level should only be transported under protection using an algorithm of equivalent or higher security level.<ref name=generalDHRSA/>

The security level is given for the cost of breaking one target, not the amortized cost for a group of targets. It takes 2<sup>128</sup> operations to find an AES-128 key, yet the same number of amortized operations is required for any number ''m'' of keys. On the other hand, breaking ''m'' ECC keys using the rho method requires sqrt(''m'') times the base cost.<ref name=rho/><ref>{{cite web |title=After ECDH with Curve25519, is it pointless to use anything stronger than AES-128? |url=https://crypto.stackexchange.com/a/59763 |website=Cryptography Stack Exchange |language=en}}</ref>

=== Meaning of "broken" ===
A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 2<sup>40</sup> operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 2<sup>61.2</sup> attack on SHA-1, which took 2 months on 900 GTX 1060 GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision).<ref name=sha1-shambles>{{cite report |author1=Gaëtan Leurent |author2=Thomas Peyrin |date=2020-01-08 |title=SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust |url=https://eprint.iacr.org/2020/014.pdf |publisher=IACR Cryptology ePrint Archive}}</ref>

Aumasson draws the line between practical and impractical attacks at 2<sup>80</sup> operations. He proposes a new terminology:<ref>{{cite conference |last1=Aumasson |first1=Jean-Philippe |title=Too Much Crypto |url=https://eprint.iacr.org/2019/1492.pdf |date=2020 |conference=Real World Crypto Symposium}}</ref>
* A ''broken'' primitive has an attack taking ≤ 2<sup>80</sup> operations. An attack can be plausibly carried out.
* A ''wounded'' primitive has an attack taking between 2<sup>80</sup> and around 2<sup>100</sup> operations. An attack is not possible right now, but future improvements are likely to make it possible.
* An ''attacked'' primitive has an attack that is cheaper than the security claim, but much costlier than 2<sup>100</sup>. Such an attack is too far from being practical.
* Finally, an ''analyzed'' primitive is one with no attacks cheaper than its security claim.

== Quantum attacks ==
The field of post-quantum cryptography considers the security level of cryptographic algorithms in the face of a hypothetical attacker possessing a quantum computer.
* Most quantum attacks on symmetric ciphers provide a square-root speedup to their classical counterpart, thereby halving the security level provided. (The exception is the slide attack with Simon's algorithm, though it has not proved useful in attacking AES.) For example, AES-256 would provide 128 bits of quantum security, which is still considered plenty.<ref>{{cite journal |last1=Bonnetain |first1=Xavier |last2=Naya-Plasencia |first2=María |last3=Schrottenloher |first3=André |title=Quantum Security Analysis of AES |journal=IACR Transactions on Symmetric Cryptology |date=11 June 2019 |volume=2019 |issue=2 |pages=55–93 |doi=10.13154/tosc.v2019.i2.55-93 |doi-access= free |url=https://inria.hal.science/hal-02397049/document}}</ref><ref>{{Cite web |last=O'Shea |first=Dan |date=April 26, 2022 |title=AES-256 joins the quantum resistance |url=https://www.fierceelectronics.com/electronics/aes-256-joins-quantum-resistance |access-date=September 26, 2023 |website=Fierce Electronics}}</ref>
* Shor's algorithm promises a massive speedup in solving the factoring problem, the discrete logarithm problem, and the period-finding problem, so long as a sufficiently large quantum computer on the order of millions of qubits is available. This would spell the end of RSA, DSA, DH, MQV, ECDSA, EdDSA, ECDH, and ECMQV in their current forms.<ref>{{cite web |last1=WOHLWEND |first1=JEREMY |title=ELLIPTIC CURVE CRYPTOGRAPHY: PRE AND POST QUANTUM |url=https://math.mit.edu/~apost/courses/18.204-2016/18.204_Jeremy_Wohlwend_final_paper.pdf |date=2016}}</ref>

Even though quantum computers capable of these operations have yet to appear, adversaries of today may choose to "harvest now, decrypt later": to store intercepted ciphertexts so that they can be decrypted when sufficiently powerful quantum computers become available. As a result, governments and businesses have already begun work on moving to quantum-resistant algorithms. Examples of these efforts include Google and Cloudflare's tests of hybrid post-quantum TLS on the Internet<ref name="djb-hyb">{{cite web |last1=Bernstein |first1=Daniel J. |author-link=Daniel J. Bernstein |date=2024-01-02 |title=Double encryption: Analyzing the NSA/GCHQ arguments against hybrids. #nsa #quantification #risks #complexity #costs |url=https://blog.cr.yp.to/20240102-hybrid.html}}</ref> and NSA's release of Commercial National Security Algorithm Suite 2.0 in 2022.

== References ==
{{Reflist}}

== Further reading ==
* {{cite conference |last1=Aumasson |first1=Jean-Philippe |title=Too Much Crypto |url=https://eprint.iacr.org/2019/1492.pdf |date=2020 |conference=Real World Crypto Symposium}}

== See also ==
* Computational hardness assumption
* 40-bit encryption
* Cipher security summary
* Hash function security summary
