1

I was reading a paper of some years ago about a cryptography and a phrase got my attention.

We want to ensure a security level of at least $2^{80}$

I know that $2^{80}$ was used as rule of thumb rule, that's probably why they wrote that sentence.

But reading this I think that $2^{100}$ may also be too low. Considering for example the resource that a state like US can have what is a reasonable security level?

EDIT: I'm considering only the security level for a bruteforce attack, other algorithm can have a solution that require less computational force.

malloc
  • 197
  • 1
  • 6

3 Answers3

2

You can read the recommendations from NIST(2020), ECRYPT-CSA(2018), and BSI(2024). They are all decently up to date and give fairly comprehensive recommendations. The report from ECRYPT in particular is probably the most comprehensible of the three and provides a good guidance for anyone doing security work.

BSI recommends a minimum security level of 120 bits for any new security systems. NIST suggests a security level of 112 bits is adequate until 2030 and at least 128 bits is recommended after that. ECRYPT suggests that a security level of 128 should be adequate for at least the next 10 years (the report was written in 2018), and a security level of 256 bits should be enough for the next 30-50 years.

So for the near future 112 bits of security should be adequate but try to reach for at least 128 bits if possible.

n-l-i
  • 1,084
  • 5
  • 15
-1

There are three costs: 1. What is the cost of encryption plus decryption by the intended recipient? 2. What is the cost of decryption by an attacker? 3. What is the value to the attacker / damage to you of decrypting a message?

You should use at least the highest security with trivial cost automatically. If 112 bit has trivial cost, why would you even look at 80 bit? Apple decided that 256 bit for all files on an iPhone with different keys for every file has trivial cost. So there is no option to reduce the strength.

It would then be worth checking if with that security, a hacker can profitably hack my bank account to get $10,000. Probably the US government could crack it at a cost of a billion dollars, but that’s a risk I take. And for something more damaging, you would want a similar ratio of cracking cost to potential damage.

And of course don’t use the strongest encryption just for the most valuable/ sensitive data because that would have an attacker a hint what is worth attacking.

In practice, unless you are using really bad crypto, nobody will break. What attackers will do is finding ways to get your secrets without breaking the cryptography.

gnasher729
  • 1,350
  • 7
  • 9
-1

First of all: The security and the length of the key depends on the system you use. So e.g. RSA needs longer keys than AES-256 does, to ensure the same security.

Second: The level of security depends on the application and how secure it has to be. A important point here is: How long should it be secure. There are still security systems in use, that can be broken in days. That's however no problem when the information only has to be secure for some minutes/hours.

This question / answer about algorithms used for SSH keys on the Information Security site might also help you.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
Titanlord
  • 2,812
  • 13
  • 37