# Security level

In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strength),[1] where n-bit security means that the attacker would have to perform 2n operations to break it,[2] but other methods have been proposed that more closely model the costs for an attacker.[3] This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key.

In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.[4][5]

## In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the key size of the cipher — equivalent to the complexity of a brute-force attack.[5][6] Cryptographic hash functions with output size of n bits usually have a collision resistance security level n/2 and a preimage resistance level n. This is because the general birthday attack can always find collisions in 2n/2 steps.[7] For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance.

However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level.[5][8] The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.[9]

## In asymmetric cryptography

The design of most asymmetric algorithms (i.e. public-key cryptography) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack.[6]

Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies.

• For the RSA cryptosystem at 128-bit security level, NIST and ENISA recommend using 3072-bit keys[10][11] and IETF 3253 bits.[12][13] The conversion from key length to a security level estimate is based on the complexity of the GNFS.[14]: §7.5
• Diffie–Hellman key exchange and DSA are similar to RSA in temrs of the conversion from key length to a security level estimate.[14]: §7.5
• Elliptic curve cryptography requires shorter keys, so the recommendations for 128-bit are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF). The conversion from key size f to security level is approximately f / 2: this is because the method to break the Elliptic Curve Discrete Logarithm Problem, the rho method, finishes in 0.886 sqrt(2f) additions.[15]

## Typical levels

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management.[16]: Table 2

Comparable Algorithm Strengths
Security Bits Symmetric Key Finite Field/Discrete Logarithm
(DSA, DH, MQV)
Integer Factorization
(RSA)
Elliptic Curve
(ECDSA, EdDSA, ECDH, ECMQV)
80 2TDEA[a] L = 1024, N = 160 k = 1024 160 ≤ f ≤ 223
112 3TDEA[a] L = 2048, N =224 k = 2048 224 ≤ f ≤ 255
128 AES-128 L = 3072, N = 256 k = 3072 256 ≤ f ≤ 383
192 AES-192 L = 7680, N = 384 k = 7680 384 ≤ f ≤ 511
256 AES-256 L = 15360, N = 511 k = 15360 f ≥ 512
1. ^ a b DEA (DES) was deprecated in 2003 in the context of NIST recommendations.

Under NIST recommendation, a key of a given security level should only be transported under protection using an algorithm of equivalent or higher security level.[14]

The security level is given for the cost of breaking one target, not the amortized cost for group of targets. It takes 2128 operations to find a AES-128 key, yet the same number of amortized operations is required for any number m of keys. On the other hand, breaking m ECC keys using the rho method require sqrt(m) times the base cost.[15][17]

### Meaning of "broken"

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 240 operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 261.2 attack on SHA-1, which took 2 months on 900 GTX 970 GPUs, and cost US\$75,000 (although the researchers estimate only \$11,000 was needed to find a collision).[18]

Aumasson draws the line between practical and impractical attacks at 280 operations. He proposes a new terminology:[19]

• A broken primitive has an attack taking ≤ 280 operations. An attack can be plausibly carried out.
• A wounded primitive has an attack taking between 280 and around 2100 operations. An attack is not possible right now, but future improvements are likely to make it possible.
• An attacked primitive has an attack that is cheaper than the security claim, but much costlier than 2100. Such an attack is too far from being practical.
• Finally, an analyzed primitive is one with no attacks cheaper than its security claim.

## References

1. ^
2. ^ Lenstra, Arjen K. "Key Lengths: Contribution to The Handbook of Information Security" (PDF).
3. ^ Bernstein, Daniel J.; Lange, Tanja (4 June 2012). "Non-uniform cracks in the concrete: the power of free precomputation" (PDF). Advances in Cryptology - ASIACRYPT 2013. Lecture Notes in Computer Science. pp. 321–340. doi:10.1007/978-3-642-42045-0_17. ISBN 978-3-642-42044-3.
4. ^ Aumasson, Jean-Philippe (2011). Cryptanalysis vs. Reality (PDF). Black Hat Abu Dhabi.
5. ^ a b c Bernstein, Daniel J. (25 April 2005). Understanding brute force (PDF). ECRYPT STVL Workshop on Symmetric Key Encryption.
6. ^ a b Lenstra, Arjen K. (9 December 2001). "Unbelievable Security: Matching AES Security Using Public Key Systems" (PDF). Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. 2248. Springer, Berlin, Heidelberg. pp. 67–86. doi:10.1007/3-540-45682-1_5. ISBN 978-3-540-45682-7.
7. ^
8. ^ Ferguson, Niels; Whiting, Doug; Schneier, Bruce; Kelsey, John; Lucks, Stefan; Kohno, Tadayoshi (24 February 2003). "Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive" (PDF). Fast Software Encryption. Lecture Notes in Computer Science. Vol. 2887. Springer, Berlin, Heidelberg. pp. 330–346. doi:10.1007/978-3-540-39887-5_24. ISBN 978-3-540-20449-7.
9. ^ Dworkin, Morris J. (August 2015). "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions" (PDF): 23. doi:10.6028/nist.fips.202. `{{cite journal}}`: Cite journal requires `|journal=` (help)
10. ^ Barker, Elaine (January 2016). "Recommendation for Key Management, Part 1: General" (PDF). NIST: 53. CiteSeerX 10.1.1.106.307. doi:10.6028/nist.sp.800-57pt1r4. `{{cite journal}}`: Cite journal requires `|journal=` (help)
11. ^ Algorithms, key size and parameters report – 2014. ENISA. Publications Office. 2013. p. 37. doi:10.2824/36822. ISBN 978-92-9204-102-1.`{{cite book}}`: CS1 maint: others (link)
12. ^ Hilarie, Orman; Paul, Hoffman (April 2004). "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys". RFC 3766 (IETF). doi:10.17487/RFC3766. `{{cite journal}}`: Cite journal requires `|journal=` (help)
13. ^ Giry, Damien. "Keylength - Compare all Methods". keylength.com. Retrieved 2017-01-02.
14. ^ a b c
15. ^ a b "The rho method". Retrieved 21 February 2024.
16. ^ Barker, Elaine (May 2020). "Recommendation for Key Management, Part 1: General" (PDF). NIST: 158. CiteSeerX 10.1.1.106.307. doi:10.6028/nist.sp.800-57pt1r5. `{{cite journal}}`: Cite journal requires `|journal=` (help)
17. ^ "After ECDH with Curve25519, is it pointless to use anything stronger than AES-128?". Cryptography Stack Exchange.
18. ^ Gaëtan Leurent; Thomas Peyrin (2020-01-08). "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" (PDF). `{{cite journal}}`: Cite journal requires `|journal=` (help)
19. ^ Aumasson, Jean-Philippe (2020). Too Much Crypto (PDF). Real World Crypto Symposium.