Suggested Key Sizes

NIST has made the following suggestions on what keylengths to use and expected timeframe that is will be useful.

Recommended algorithms and minimum key sizes

Algorithm security lifetimes

Symmetric key algorithms
(Encryption & MAC)

FFC
(e.g., DSA, D-H)

IFC
(e.g., RSA)

ECC
(e.g., ECDSA)

Through 2010
(min. of 80 bits of strength)

2TDEA*
3TDEA
AES-128
AES-192
AES-256

Min.:
L = 1024;
N =160

Min.:
k=1024

Min.:
f=160

Through 2030
(min. of 112 bits of strength)

3TDEA
AES-128
AES-192
AES-256

Min.:
L = 2048
N = 224

Min.:
k=2048

Min.:
f=224

Beyond 2030
(min. of 128 bits of strength)

AES-128
AES-192
AES-256

Min.:
L = 3072
N = 256

Min.:
k=3072

Min.:
f=256

* The guarantee of at least 80-bits of security for 2TDEA is based on the assumption that an attacker has at most 240 matched plaintext and ciphertext blocks.

SuggestKeySizes (last edited 2011-04-06 01:03:32 by UlrichSchroeter)