2

I was reading a paper of some years ago about a cryptography and a phrase got my attention.

We want to ensure a security level of at least $2^{80}$

I know that $2^{80}$ was used as rule of thumb rule, that's probably why they wrote that sentence.

But reading this I think that $2^{100}$ may also be too low. Considering for example the resource that a state like US can have what is a reasonable security level?

EDIT: I'm considering only the security level for a bruteforce attack, other algorithm can have a solution that require less computational force.

malloc
  • 189
  • 1
  • 6
  • https://www.keylength.com documents what various people consider to be an appropriate security level. – SEJPM Apr 24 '20 at 14:25
  • @SEJPM so reading from the NIST, 2**120 can be used as thumb rule for a bruteforce attack right? – malloc Apr 24 '20 at 14:50
  • NIST basically says 112 bits through 2023, then transition to 128-bit, with 112 no longer being allowed by 2030 – Richie Frame Sep 21 '20 at 17:38

2 Answers2

0

First of all: The security and the length of the key depends on the system you use. So e.g. RSA needs longer keys than AES-256 does, to ensure the same security.

Second: The level of security depends on the application and how secure it has to be. A important point here is: How long should it be secure. There are still security systems in use, that can be broken in days. That's however no problem when the information only has to be secure for some minutes/hours.

This question / answer about algorithms used for SSH keys on the Information Security site might also help you.

Maarten Bodewes
  • 88,868
  • 12
  • 146
  • 304
Titanlord
  • 1,890
  • 8
  • 25
  • My question wasn't clear enough. I was interested in a security level considering only brute force attack. – malloc Apr 24 '20 at 14:44
  • "How long should it be secure" - the other thing to consider is "who does it need to be secure against?" - your kid sister, or world governments? On the other hand, unless we're extremely resource constrained, crypto that is secure against world governments is not that much more expensive than "kid sister" crypto, and so we generally opt for the former (although, if world governments are the expected adversaries, you need to worry about a lot more than just the cryptographic protocols...) – poncho Apr 24 '20 at 15:03
  • 1
    It stills depends on the application, but 128 Bit up to 256 Bit is the modern common sense of being safe against brute force attacks (btw. not all crypto-systems can be broken by brute force, e.g. one time pad ) – Titanlord Apr 24 '20 at 15:04
-1

Assuming that only a brute-force attack can be preformed and you are asking about current timescales, the answer is that for symmetric ciphers like AES with select key spaces, it is almost certainly the 128-256 bit scale (for now.)

The main thing is principles like Landauer's Principle which would make the pure energy made to brute-force these keys so enormous. If this were to somehow be bypassed in the next hundred years or further, we could just make an enourmous key like 512-bits or 1024-bits before those become weak. DES with 56-bits is still capped with a brute-force time of 24 hours which was set by David Hulton and Moxie Marlinspike. We are very, very far.

With cryptosystems like RSA and Elliptic Curves, this becomes a bit more tricky to define. The best we have for RSA is the general number sieve, which runs in sub-exponential time. A weaker RSA-892 bits is the current record for the highest RSA broken. NIST has put various estimates on when RSA-2048 and higher will be broken, with the current estimate being 2030. Brute-force would be stupid expensive to even run.

The general case for RSA and other cryptosystems that rely on prime numbers is that we will have to increase it until increasing it is no longer necessary.

For Elliptic curves, brute-force is the same situation with AES and most other ciphers that aren't reliant on primes and modular arithmetic.

Shaire
  • 44
  • 2