The key size that should be used in a particular application of cryptography
depends on two things. First of all, the value of the key is an important
consideration. Secondly, the actual key size depends on what cryptographic
algorithm is being used.
Due to the rapid development of new technology and cryptanalytic methods,
the correct key size for a particular application is continuously changing.
For this reason, RSA Laboratories refers to its web site http://www.rsa.com/rsalabs/ for updated recommendations. The table below contains key size
limits and recommendations from different sources for block ciphers, the
RSA system, the elliptic curve system, and DSA.
Some comments:
- Export grade or nominal grade gives little real protection; the key
sizes are the limits specified in the Wassenaar Arrangement (see Question 6.5.3).
- "Traditional recommendations" are recommendations such as
those given in earlier versions of this FAQ. Such recommendations are
normally based on the traditional approach of counting MIPS-years for
the best available key breaking algorithms. There are several reasons
to call this approach into question. For example, an algorithm with massive
memory requirements is probably not equivalent to an algorithm with
low memory requirements.
- The last rows in the table give lower bounds for commercial applications
as suggested by Lenstra and Verheul [LV00].
The first of these rows shows recommended key sizes of today, while
the second row gives estimated lower bounds for 2010. The bounds are
based on the assumption that DES was sufficiently secure until 1982
along with several hypotheses, which are all extrapolations in the spirit
of Moore's Law (the computational power of a chip doubles every 18 months).
One questionable assumption they make is that computers and memory will
be available for free. It seems that this assumption is not realistic for
key breaking algorithms with large memory requirements. One such algorithm
is the General Number Field Sieve used in RSA key breaking efforts.
| | Block Cipher | RSA | Elliptic Curve | DSA |
|---|---|---|---|---|
| Export Grade | 56 | 512 | 112 | 512/112 |
| Traditional recommendations | 80 | 1024 | 160 | 1024/160 |
| | 112 | 2048 | 224 | 2048/224 |
| Lenstra/Verheul 2000 | 70 | 952 | 132 | 952/125 |
| Lenstra/Verheul 2010 | 78 | 1369 | 146/160 | 1369/138 |

Table 2. Minimal key lengths in bits for different grades.
Notes. The
RSA key size refers to the size of the modulus. The Elliptic Curve key
size refers to the minimum order of the base point on the elliptic curve;
this order should be slightly smaller than the field size. The DSA key
sizes refer to the size of the modulus and the minimum size of a large
subgroup, respectively (the size of the subgroup is often considerably
larger in applications). In the last row there are two values for elliptic
curve cryptosystems; the choice of key size should depend on whether any
significant cryptanalytic progress in this field is expected or not.
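As an added illustration (not code from the FAQ or from [LV00]), the Moore's-Law extrapolation behind the Lenstra/Verheul rows can be reproduced for the block-cipher column: DES is taken as adequate in 1982 and an attacker's computing power doubles every 18 months, as stated above, plus one hypothesis taken from the Lenstra/Verheul paper but not stated on this page, that the attacker's budget doubles every 10 years. With those inputs the model returns 70 bits for 2000 and 78 bits for 2010, the table's values; the inverse function estimates the last year a given symmetric key length stays adequate.

```python
"""Lenstra/Verheul-style extrapolation of symmetric key-size lower bounds."""
import math

DES_BITS = 56       # DES key length ...
DES_YEAR = 1982     # ... assumed adequate until this year (stated on the page)
MOORE_MONTHS = 18   # attacker's computing power doubles every 18 months (page)
BUDGET_YEARS = 10   # attacker's budget doubles every 10 years (LV00 hypothesis,
                    # assumed here; not stated on this page)


def bits_gained_per_year(moore_months=MOORE_MONTHS, budget_years=BUDGET_YEARS):
    """Doublings of attacker capability per year, i.e. how many extra key bits
    an exhaustive search can cover each year compared with the 1982 baseline."""
    rate = 12.0 / moore_months          # Moore's Law: 2/3 bit per year
    if budget_years:                    # budget growth: 1/10 bit per year
        rate += 1.0 / budget_years
    return rate


def symmetric_bits(year, **model):
    """Minimal symmetric (block cipher) key length in bits adequate in `year`.
    Rounded up, since the table reports lower bounds."""
    return math.ceil(DES_BITS + (year - DES_YEAR) * bits_gained_per_year(**model))


def adequate_until(bits, **model):
    """Last calendar year in which a `bits`-bit symmetric key remains adequate
    under the same extrapolation (rounded down)."""
    return math.floor(DES_YEAR + (bits - DES_BITS) / bits_gained_per_year(**model))


if __name__ == "__main__":
    for y in (2000, 2010, 2020):
        # second column shows the effect of dropping the budget hypothesis
        print(y, symmetric_bits(y), "Moore only:", symmetric_bits(y, budget_years=0))
    for k in (56, 64, 80, 112, 128):
        print(k, "bits adequate until", adequate_until(k))
```

Using Moore's Law alone (pass `budget_years=0`) yields 68 and 75 bits for the same years, which shows how much of the table's margin comes from the budget hypothesis.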