
Security level

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by TAnthony (talk | contribs) at 20:20, 25 July 2018 (Fix CS1 cite error (extra text in "page" or "edition" parameter), and genfixes, removed stub tag using AWB). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In cryptography, security level is a measure of the strength that a cryptographic primitive, such as a cipher or hash function, achieves. Security level is usually expressed in "bits", where n-bit security means that the attacker would have to perform 2^n operations to break it,[1] but other methods have been proposed that more closely model the costs for an attacker.[2] This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to 3072-bit RSA.

In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.[3][4]

In symmetric cryptography

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the key size of the cipher, which is equivalent to the complexity of a brute-force attack.[4][5] Cryptographic hash functions with output size of n bits usually have a collision resistance security level n/2 and preimage resistance level n. This is because the general birthday attack can always find collisions in 2^(n/2) steps.[6] For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance.

However, there are some exceptions to this. Phelix and Helix are 256-bit ciphers offering a 128-bit security level.[4][7] The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides a 128-bit security level for both collision and preimage resistance.[8]
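The birthday bound behind the n/2 collision-resistance level can be observed directly. The following is an added example, not part of the original article: it truncates SHA-256 to n bits (a toy hash assumed here for illustration, fed with constructed inputs) and counts how many hashes are computed before two distinct inputs collide.

```python
import hashlib
import math


def truncated_sha256(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(data) as an integer: a toy n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int):
    """Birthday search over distinct constructed inputs.

    Returns (msg_a, msg_b, attempts), where both messages share the same
    n-bit digest and attempts is the number of hashes computed.
    """
    seen = {}  # digest -> first message that produced it
    attempts = 0
    while True:
        msg = b"constructed-input-%d" % attempts
        digest = truncated_sha256(msg, n_bits)
        attempts += 1
        if digest in seen:
            return seen[digest], msg, attempts
        seen[digest] = msg


def measure(sizes=(16, 24, 32)):
    """For each output size n, return (n, attempts, log2(attempts))."""
    rows = []
    for n in sizes:
        _, _, attempts = find_collision(n)
        rows.append((n, attempts, math.log2(attempts)))
    return rows


if __name__ == "__main__":
    for n, attempts, work_bits in measure():
        # Collision work tracks n/2 bits; a preimage search would need
        # on the order of 2^n hashes for the same output size.
        print(f"n={n:2d}  collision after {attempts:6d} hashes "
              f"(~2^{work_bits:.1f}, n/2={n // 2})")
```

The measured work stays close to 2^(n/2) as n grows, which is why a 256-bit hash such as SHA-256 is credited with only 128-bit collision resistance.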

In asymmetric cryptography

The design of most asymmetric algorithms (i.e. public-key cryptography) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack.[5]

Various recommendations have been published that estimate the security level of asymmetric algorithms; they differ slightly because of different methodologies. For the RSA cryptosystem at the 128-bit security level, NIST and ENISA recommend using 3072-bit keys[9][10] and the IETF recommends 3253 bits.[11][12] Elliptic curve cryptography requires shorter keys, so the recommendations are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF).

References

  1. ^ Template:Cite article
  2. ^ Bernstein, Daniel J.; Lange, Tanja (4 June 2012). "Non-uniform cracks in the concrete: the power of free precomputation". Advances in Cryptology - ASIACRYPT 2013 (PDF). Lecture Notes in Computer Science. pp. 321–340. doi:10.1007/978-3-642-42045-0_17. ISBN 9783642420443.
  3. ^ Aumasson, Jean-Philippe (2011). Cryptanalysis vs. Reality (PDF). Black Hat Abu Dhabi.
  4. ^ a b c Bernstein, Daniel J. (25 April 2005). "Understanding brute force" (PDF). Self-published.
  5. ^ a b Lenstra, Arjen K. (9 December 2001). "Unbelievable Security: Matching AES Security Using Public Key Systems" (PDF). Advances in Cryptology — ASIACRYPT 2001. Springer, Berlin, Heidelberg. pp. 67–86. doi:10.1007/3-540-45682-1_5. ISBN 3540456821.
  6. ^ "Chapter 9 - Hash Functions and Data Integrity" (PDF). Handbook of Applied Cryptography. p. 336.
  7. ^ Ferguson, Niels; Whiting, Doug; Schneier, Bruce; Kelsey, John; Lucks, Stefan; Kohno, Tadayoshi (24 February 2003). "Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive" (PDF). Fast Software Encryption. Springer, Berlin, Heidelberg. pp. 330–346. doi:10.1007/978-3-540-39887-5_24.
  8. ^ "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions" (PDF). August 2015: 23. doi:10.6028/nist.fips.202.
  9. ^ Barker, Elaine (January 2016). "Recommendation for Key Management, Part 1: General" (PDF). NIST: 53. doi:10.6028/nist.sp.800-57pt1r4.
  10. ^ "Algorithms, key size and parameters report – 2014". ENISA: 37. doi:10.2824/36822.
  11. ^ Hilarie, Orman; Paul, Hoffman (April 2004). "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys". RFC 3766 (IETF).
  12. ^ Giry, Damien. "Keylength - Compare all Methods". keylength.com. Retrieved 2017-01-02.

See also