Security level

This article is about strength in cryptography. For business security policy, see security level management.

In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strength),[1] where n-bit security means that the attacker would have to perform 2n operations to break it,[2] but other methods have been proposed that more closely model the costs for an attacker.[3] This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key.

In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.[4][5]

  1. ^ NIST Special Publication 800-57 Part 1, Revision 5. Recommendation for Key Management: Part 1 – General, p. 17.
  2. ^ Lenstra, Arjen K. "Key Lengths: Contribution to The Handbook of Information Security" (PDF).
  3. ^ Bernstein, Daniel J.; Lange, Tanja (4 June 2012). "Non-uniform cracks in the concrete: the power of free precomputation" (PDF). Advances in Cryptology - ASIACRYPT 2013. Lecture Notes in Computer Science. pp. 321–340. doi:10.1007/978-3-642-42045-0_17. ISBN 978-3-642-42044-3.
  4. ^ Aumasson, Jean-Philippe (2011). Cryptanalysis vs. Reality (PDF). Black Hat Abu Dhabi.
  5. ^ Bernstein, Daniel J. (25 April 2005). Understanding brute force (PDF). ECRYPT STVL Workshop on Symmetric Key Encryption.