Hubbry Logo
Security levelSecurity levelMain
Open search
Security level
Community hub
Security level
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Security level
Security level
Security level
View on Wikipedia
from Wikipedia

In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strength),[1] where n-bit security means that the attacker would have to perform 2n operations to break it,[2] but other methods have been proposed that more closely model the costs for an attacker.[3] This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 (key size 128 bits) is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key.

In this context, security claim or target security level is the security level that a primitive was initially designed to achieve, although "security level" is also sometimes used in those contexts. When attacks are found that have lower cost than the security claim, the primitive is considered broken.[4][5]

In symmetric cryptography

[edit]

Symmetric algorithms usually have a strictly defined security claim. For symmetric ciphers, it is typically equal to the key size of the cipher — equivalent to the complexity of a brute-force attack.[5][6] Cryptographic hash functions with output size of n bits usually have a collision resistance security level n/2 and a preimage resistance level n. This is because the general birthday attack can always find collisions in 2n/2 steps.[7] For example, SHA-256 offers 128-bit collision resistance and 256-bit preimage resistance.

However, there are some exceptions to this. The Phelix and Helix are 256-bit ciphers offering a 128-bit security level.[5][8] The SHAKE variants of SHA-3 are also different: for a 256-bit output size, SHAKE-128 provides 128-bit security level for both collision and preimage resistance.[9]

In asymmetric cryptography

[edit]
See also: Key size § Asymmetric algorithm key lengths

The design of most asymmetric algorithms (i.e. public-key cryptography) relies on neat mathematical problems that are efficient to compute in one direction, but inefficient to reverse by the attacker. However, attacks against current public-key systems are always faster than brute-force search of the key space. Their security level isn't set at design time, but represents a computational hardness assumption, which is adjusted to match the best currently known attack.[6]

Various recommendations have been published that estimate the security level of asymmetric algorithms, which differ slightly due to different methodologies.

  • For the RSA cryptosystem at 128-bit security level, NIST and ENISA recommend using 3072-bit keys[10][11] and IETF 3253 bits.[12][13] The conversion from key length to a security level estimate is based on the complexity of the GNFS.[14]: §7.5 
  • Diffie–Hellman key exchange and DSA are similar to RSA in terms of the conversion from key length to a security level estimate.[14]: §7.5 
  • Elliptic curve cryptography requires shorter keys, so the recommendations for 128-bit are 256-383 (NIST), 256 (ENISA) and 242 bits (IETF). The conversion from key size f to security level is approximately f / 2: this is because the method to break the Elliptic Curve Discrete Logarithm Problem, the rho method, finishes in 0.886 sqrt(2f) additions.[15]

Typical levels

[edit]

The following table are examples of typical security levels for types of algorithms as found in s5.6.1.1 of the US NIST SP-800-57 Recommendation for Key Management.[16] : Table 2 

Comparable Algorithm Strengths
Security Bits Symmetric Key Finite Field/Discrete Logarithm
(DSA, DH, MQV)		 Integer Factorization
(RSA)		 Elliptic Curve
(ECDSA, EdDSA, ECDH, ECMQV)
80 2TDEA[a] L = 1024, N = 160 k = 1024 160 ≤ f ≤ 223
112 3TDEA[a] L = 2048, N =224 k = 2048 224 ≤ f ≤ 255
128 AES-128 L = 3072, N = 256 k = 3072 256 ≤ f ≤ 383
192 AES-192 L = 7680, N = 384 k = 7680 384 ≤ f ≤ 511
256 AES-256 L = 15360, N = 512 k = 15360 f ≥ 512
  1. ^ a b DEA (DES) was deprecated in 2003 in the context of NIST recommendations.

Under NIST recommendation, a key of a given security level should only be transported under protection using an algorithm of equivalent or higher security level.[14]

The security level is given for the cost of breaking one target, not the amortized cost for group of targets. It takes 2128 operations to find a AES-128 key, yet the same number of amortized operations is required for any number m of keys. On the other hand, breaking m ECC keys using the rho method require sqrt(m) times the base cost.[15][17]

Meaning of "broken"

[edit]

A cryptographic primitive is considered broken when an attack is found to have less than its advertised level of security. However, not all such attacks are practical: most currently demonstrated attacks take fewer than 240 operations, which translates to a few hours on an average PC. The costliest demonstrated attack on hash functions is the 261.2 attack on SHA-1, which took 2 months on 900 GTX 970 GPUs, and cost US$75,000 (although the researchers estimate only $11,000 was needed to find a collision).[18]

Aumasson draws the line between practical and impractical attacks at 280 operations. He proposes a new terminology:[19]

  • A broken primitive has an attack taking ≤ 280 operations. An attack can be plausibly carried out.
  • A wounded primitive has an attack taking between 280 and around 2100 operations. An attack is not possible right now, but future improvements are likely to make it possible.
  • An attacked primitive has an attack that is cheaper than the security claim, but much costlier than 2100. Such an attack is too far from being practical.
  • Finally, an analyzed primitive is one with no attacks cheaper than its security claim.

Quantum attacks

[edit]

The field of post-quantum cryptography considers the security level of cryptographic algorithms in the face of a hypothetical attacker possessing a quantum computer.

  • Most quantum attacks on symmetric ciphers provide a square-root speedup to their classical counterpart, thereby halving the security level provided. (The exception is the slide attack with Simon's algorithm, though it has not proved useful in attacking AES.) For example, AES-256 would provide 128 bits of quantum security, which is still considered plenty.[20][21]
  • Shor's algorithm promises a massive speedup in solving the factoring problem, the discrete logarithm problem, and the period-finding problem, so long as a sufficiently large quantum computer on the order of millions of cubits is available. This would spell the end of RSA, DSA, DH, MQV, ECDSA, EdDSA, ECDH, and ECMQV in their current forms.[22]

Even though quantum computers capable of these operations have yet to appear, adversaries of today may choose to "harvest now, decrypt later": to store intercepted ciphertexts so that they can be decrypted when sufficiently powerful quantum computers become available. As a result, governments and businesses have already begun work on moving to quantum-resistant algorithms. Examples of these effort include Google and Cloudflare's tests of hybrid post-quantum TLS on the Internet and[23] NSA's release of Commercial National Security Algorithm Suite 2.0 in 2022.

References

[edit]

Further reading

[edit]

See also

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Security level

View on Grokipedia
from Grokipedia
In , a security level refers to the strength of a cryptographic or protocol, typically measured in bits, indicating the computational resources an attacker would need to compromise it. An providing n-bit security requires approximately 2^n operations for the most efficient known attack to succeed. This metric helps evaluate and compare the resistance of like ciphers, hash functions, and digital signatures against cryptanalytic attacks. Security levels guide the design and selection of cryptographic systems to meet specific protection requirements, balancing security with performance and resource constraints. Common levels include 128 bits for general-purpose use and higher for long-term or high-value applications.

Fundamentals

Definition and purpose

In cryptography, a security level refers to the minimum amount of computational resources, such as the number of operations or processing time, required for an adversary to successfully break a , such as an algorithm or . This strength is typically quantified in bits, where a k-bit security level indicates that breaking the system would require approximately 2^k operations, equivalent to the effort needed to exhaustively search a k-bit key space in an ideal scenario. The primary purpose of levels is to provide a standardized metric for assessing and comparing the resilience of cryptographic systems against brute-force attacks and more sophisticated cryptanalytic methods, thereby facilitating informed decisions on selection and configuration to achieve desired protection durations. By expressing in comparable terms, this framework helps ensure that cryptographic implementations can safeguard sensitive against foreseeable computational threats over extended periods, such as decades. The concept of security level in bits emerged in the late 1990s and early 2000s amid growing concerns over the adequacy of existing key sizes and the push for robust cryptographic standards, evolving from informal, ad-hoc assessments to precise, formalized evaluations. This development was closely tied to initiatives like the (AES) selection process, initiated by NIST in 1997 and finalized in 2001, which emphasized quantifiable security to replace the vulnerable (DES). Seminal work, such as the 2000 analysis by Lenstra and Verheul, provided foundational guidelines for aligning key sizes across algorithm types to equivalent security levels, marking a shift toward systematic cryptographic design.

Measurement in bits

In , the security level is quantified in bits, where a level of kk bits indicates that the most efficient known attack requires approximately 2k2^k computational operations to succeed. This logarithmic measure captures the exponential effort needed to a , drawing from foundational concepts like exhaustive search for key recovery or the birthday paradox for collision-finding in hash functions. For instance, under exhaustive search, an adversary must evaluate roughly half the possible inputs on average to identify the correct one, establishing a baseline for this metric. For brute-force attacks, the security level kk is approximately log2(N)\log_2(N), where NN is the size of the search space, such as the number of possible keys. To derive this, consider a uniform key space of size N=2nN = 2^n; an exhaustive search succeeds after an expected N/2=2n1N/2 = 2^{n-1} trials, each involving a fixed-cost operation like or verification. The effort in operations is thus 2n12^{n-1}, and the security level satisfies 2k2n12^k \approx 2^{n-1}, yielding kn1k \approx n - 1. For large nn, the subtraction of 1 bit is negligible, so kk is conventionally taken as nn bits, reflecting the full key length's contribution to brute-force resistance. In generic cases beyond brute force, k=log2(min(T))k = \lceil \log_2(\min(T))\rceil, where TT is the minimum over all feasible attacks, often adjusted for success probability in formal ; this ensures the measure accounts for non-uniform or probabilistic adversaries. Several factors influence this measurement beyond raw key size. Algorithm-specific weaknesses can reduce effective security if a non-brute-force attack achieves lower complexity, prioritizing the minimum over all known methods. Parallelization distributes workload across hardware, potentially shortening wall-clock time but preserving total operations at 2k\sim 2^k; however, global limits on computational resources, such as energy or chip availability, constrain practicality. In quantum settings, offers a quadratic speedup for unstructured search, halving effective bit security (e.g., reducing nn-bit effort to 2n/22^{n/2}), though full implications for post-quantum migration are addressed elsewhere. The bit measure primarily denotes in operations, but requirements provide a complementary constraint. Attacks like meet-in-the-middle may demand 2k/22^{k/2} storage alongside reduced time, creating trade-offs where limits feasibility even if time is manageable; security level thus implicitly considers the dominant resource barrier, whether temporal or spatial. In symmetric cryptography, this framework directly quantifies effort for key exhaustion.

Symmetric cryptography

Relation to key size

In symmetric cryptography, the security level is directly proportional to the key size under ideal conditions, but practical considerations such as meet-in-the-middle attacks often reduce the effective strength to approximately half the key size in bits for certain constructions. According to Claude Shannon's 1949 theorem on perfect secrecy, a symmetric encryption scheme achieves perfect secrecy—and thus a security level equal to the key entropy—only if the key space is at least as large as the message space, ensuring that the ciphertext reveals no information about the plaintext beyond the key's entropy. This model assumes a one-time uniformly random key with entropy matching or exceeding the message length, establishing the foundational link where security level equals key entropy in bits. For an ideal single-encryption symmetric with an n-bit key, brute-force key recovery requires 2^n operations, yielding an n-bit security level. However, the practical security level is limited to the minimum of n bits (from brute force) and the effort against known structural weaknesses, which can drop to n/2 bits due to meet-in-the-middle attacks. In the perfect secrecy model, this aligns with Shannon's bound, where deviations from ideal key entropy reduce achievable security. A key example of this reduction occurs in double encryption, where two independent n-bit keys are used in cascade (total 2n bits). The meet-in-the-middle attack exploits this by precomputing all 2^n possible encryptions from the with the second key and storing them, then performing 2^n decryptions from the with the first key to find a matching intermediate value; the time and space complexity is thus O(2^n), providing only n-bit security instead of 2n bits. Attack complexity=2×2n=2n+1\text{Attack complexity} = 2 \times 2^n = 2^{n+1} This vulnerability demonstrates why double encryption does not double the security, effectively halving the strength relative to the total key size; triple encryption is used instead to approach higher levels, as in 3DES. For the AES-128 block cipher, brute-force security is 128 bits, but the biclique attack—a meet-in-the-middle variant—reduces full-round key recovery to approximately 126.1 bits of effort (2^{126.1} operations), with 2^{88} chosen plaintexts, showing how structural attacks can marginally lower the practical level below the nominal key size while still providing robust n-bit security overall. In contrast to asymmetric cryptography, symmetric schemes maintain a near-linear relation, though the scaling differs significantly in effort requirements.

Attack models and effort

In symmetric cryptography, attack models primarily focus on methods that exploit the structure of the algorithm or the key space to recover the secret key with less effort than exhaustive search. The brute-force attack involves systematically trying all possible keys until the correct one is found, requiring up to 2k2^k key trials for a kk-bit key, where each trial typically involves encrypting a known plaintext and comparing it to the ciphertext. Dictionary attacks, applicable when keys are derived from human-chosen passwords, reduce effort by testing a predefined list of likely candidates rather than the full key space, with complexity proportional to the dictionary size rather than 2k2^k. Side-channel attacks, while often practical, theoretically measure effort through the number of observable traces (e.g., power consumption or timing) needed to distinguish key-dependent patterns, though they are more implementation-specific than purely computational. Effort estimation in symmetric cryptography quantifies security as the logarithm base 2 of the minimum resources (time or data) required for the best-known attack, often expressed in bits. For block ciphers, brute-force remains the baseline at kk bits for a kk-bit key, but cryptanalytic methods like differential and can lower this if the cipher's design allows high-probability differentials or linear approximations. Differential cryptanalysis, introduced by Biham and Shamir, exploits probabilistic differences between plaintext pairs propagating through the cipher rounds; for the full 16-round (DES), it requires approximately 2472^{47} chosen plaintexts and equivalent time complexity to recover the key. , developed by Matsui, uses linear approximations over XOR operations across rounds; applied to full DES, it demands about 2432^{43} known plaintexts and 2432^{43} encryptions for key recovery, establishing the security level as the exponent in this complexity. These methods highlight how the security level for block ciphers is often the minimum of brute-force effort and the complexity of the strongest structural attack. A notable historical demonstration of brute-force effort occurred in 1998, when the Electronic Frontier Foundation's DES cracker—a specialized hardware machine costing about $250,000—recovered a 56-bit DES key in 56 hours by performing 2562^{56} encryptions at a rate of roughly 90 billion keys per second, far exceeding theoretical estimates on general-purpose computers at the time and underscoring the gap between idealized and real-world computational feasibility. To contextualize higher security levels, 2802^{80} operations equate to approximately 1.2×10241.2 \times 10^{24} trials; even on a modern capable of 101810^{18} operations per second as of 2025, this would take approximately 12 days. However, as of 2025, 80-bit security is generally viewed as inadequate for sensitive long-term applications, with recommendations favoring at least 128 bits.

Asymmetric cryptography

Computational hardness assumptions

In asymmetric cryptography, security relies on computational hardness assumptions, which posit that certain mathematical problems are intractable to solve efficiently on classical computers. These assumptions underpin widely used schemes by ensuring that deriving private keys from public information requires infeasible computational effort. The primary problems include , the problem in finite fields, and the problem. The integer factorization problem forms the basis for the security of the RSA cryptosystem, introduced in 1978. It involves decomposing a large composite integer N=pqN = p \cdot q, where pp and qq are large primes, into its prime factors. The RSA scheme assumes that while multiplication of large primes is straightforward, factoring the resulting product is computationally hard, with no known polynomial-time algorithm available for general instances on classical computers. Security levels are thus tied to the size of NN, as larger instances exponentially increase the effort required for factorization using the best known algorithms, such as the general number field sieve. The discrete logarithm problem (DLP) underpins the security of Diffie-Hellman key exchange and related schemes, first proposed in 1976. Formally, given a cyclic group GG of order qq, a generator gGg \in G, and an element hGh \in G, the DLP is to find an integer xx such that gx=hg^x = h, or equivalently in the multiplicative group modulo a prime pp, gxh(modp)g^x \equiv h \pmod{p}. No efficient polynomial-time algorithm exists for solving the DLP in general groups suitable for cryptography, such as prime-order subgroups of Zp\mathbb{Z}_p^*, making the problem's hardness dependent on the group size and structure. The problem (ECDLP) extends the DLP to elliptic curve groups over s, providing the foundation for (ECC) schemes. Proposed independently by Neal Koblitz and Victor Miller in , the ECDLP requires finding an integer kk such that Q=kPQ = kP, where PP and QQ are points on an elliptic curve EE defined over a finite field Fq\mathbb{F}_q. Like the standard DLP, no polynomial-time solution is known on classical computers, but the ECDLP offers stronger per bit due to the more compact group structure, with hardness scaling with the curve's order. These assumptions originated in the with the RSA paper's reliance on factoring hardness and Diffie-Hellman's use of the DLP, where was heuristically argued based on the absence of efficient algorithms. Over time, cryptographic proofs evolved to provide more rigorous guarantees, particularly in the model introduced by Bellare and Rogaway in , which idealizes hash functions as random oracles to demonstrate that schemes remain secure if the underlying problems are hard. This model has facilitated provable reductions for many asymmetric primitives, bridging practical implementations with theoretical foundations.

Equivalent security estimates

Equivalent security estimates for asymmetric cryptography map the computational effort required to solve underlying hard problems—such as for RSA or the problem (ECDLP) for ECC—to equivalent symmetric levels, typically measured in bits of against brute-force attacks. These estimates are derived from the complexity of the best-known classical algorithms, providing a benchmark for comparable protection levels. For instance, the National Institute of Standards and Technology (NIST) has established mappings based on empirical and asymptotic analyses of attack costs, ensuring that an asymmetric offers roughly equivalent to a symmetric key of the specified bit length. A primary estimation method involves assessing the running time of the general number field sieve (GNFS) for factoring the modulus in RSA, which provides the foundational security estimate. The asymptotic complexity of GNFS for factoring an integer NN is given by LN[13,(649)1/3]=exp((649)1/3(lnN)1/3(lnlnN)2/3+o((lnN)1/3)),L_N\left[\frac{1}{3}, \left(\frac{64}{9}\right)^{1/3}\right] = \exp\left( \left(\frac{64}{9}\right)^{1/3} (\ln N)^{1/3} (\ln \ln N)^{2/3} + o((\ln N)^{1/3}) \right), where LN[a,c]L_N[a, c] denotes the subexponential function. The security level in bits is then approximately the base-2 logarithm of this time complexity, yielding a generic form sc(logN)1/3(loglogN)2/3s \approx c \cdot (\log N)^{1/3} (\log \log N)^{2/3}, with c1.923c \approx 1.923 for natural logarithms adjusted to bits via log2e1.443\log_2 e \approx 1.443. This log-scale formula highlights how security grows sublinearly with modulus size, guiding the selection of larger keys for higher protection. NIST's mappings translate these complexities into practical equivalents, correlating asymmetric key sizes with symmetric security levels based on GNFS and ECDLP solvers like Pollard's rho adapted for curves. For RSA, a 2048-bit modulus provides approximately 112 bits of security, comparable to breaking a 112-bit symmetric key via exhaustive search, while a 3072-bit modulus achieves 128 bits, aligning with AES-128's strength against known attacks. These estimates account for the highest attack efforts, such as GNFS variants optimized for general composites. The following table summarizes key NIST equivalents for common security levels:
Security Level (bits)RSA Modulus Size (bits)ECC Curve Size (bits)
1122048224–255
1283072256–383
1927680384–511
25615360512+
These values ensure equivalence under classical computing assumptions, with ECC offering superior efficiency—roughly twice the per bit due to the ECDLP's greater hardness relative to .

Practical applications

Common security levels

Common levels in are typically expressed in bits of strength, representing the computational effort required to break the system, such as through brute-force attacks. Widely adopted levels include 80-bit for legacy systems, 112-bit as a transitional standard, 128-bit as the current baseline for general-purpose applications, and 192- or 256-bit for high-assurance environments. In practical deployments, 128-bit security is the standard for web encryption protocols like TLS 1.3, which mandates cipher suites providing at least this level of protection to ensure secure communications over the . For classified data, 256-bit symmetric encryption, such as AES-256, is commonly used to meet requirements for protecting sensitive government information up to the SECRET level. Adoption timelines reflect evolving threats: NIST deprecated 80-bit security in 2011, recommending a shift to at least 112 bits, while 112-bit is projected for deprecation by 2030 in favor of 128-bit or higher. Higher security levels impose trade-offs in computational cost, as longer keys require more processing. For symmetric ciphers like AES, 256-bit encryption incurs approximately 40% more CPU overhead compared to 128-bit due to additional rounds of operation (14 versus 10), though this impact is often negligible on modern hardware for most applications. Outdated levels like 64-bit, used in early protocols such as WEP, are now considered insecure because advances in computing power, including specialized for brute-force attacks, have reduced the effort needed to compromise them to mere hours or less on contemporary hardware.

Criteria for "broken" status

A security level is considered "broken" if the required attack effort drops below approximately 2^{80} operations, marking the approximate upper limit of feasible brute-force computation given current hardware and economic constraints. This threshold reflects the point at which an adversary could exhaustively search the key space or equivalent hardness within a reasonable timeframe and budget, rendering the unreliable for protecting sensitive data. Additionally, a level is deemed broken if projected advances in computing power—such as those from specialized hardware or algorithmic improvements—make attacks viable within 10 to 20 years, necessitating proactive retirement to maintain long-term . Such breakage carries significant implications for deployed systems, including the need to downgrade protocols to lower security levels, which amplifies vulnerabilities; for instance, shifting from 128-bit to 80-bit security exposes data to risks that were previously negligible. The U.S. (NSA) expressed particular concerns in 2013 regarding 80-bit security, citing cryptanalytic advances and computational trends that could undermine it sooner than anticipated, prompting recommendations to phase out such levels in favor of stronger alternatives. These implications underscore the importance of and periodic reassessment in cryptographic designs to mitigate cascading failures across interconnected systems. Cryptographers distinguish between partial and full breaks when evaluating breakage: a partial break involves theoretical reductions in attack complexity that do not yet enable practical exploitation, such as the on AES-128, which lowers the effort to about 2^{126} operations but remains far beyond current practical capabilities due to immense resource demands. In contrast, a full break achieves real-world feasibility, compromising the primitive's core security guarantees. This assessment excludes implementation flaws, like side-channel leaks, focusing solely on the algorithm's inherent resistance to . Recovery from a broken security level typically requires migrating to higher-strength primitives, often through standardized transitions that allow phased implementation without disrupting existing infrastructure. A prominent example is the 2001 shift from the , whose 56-bit effective security had become untenable against growing computational power, to the , selected by NIST to provide at least 128-bit security and facilitate a multi-year rollout across federal and commercial systems. This migration, formalized in FIPS 197, successfully restored robust protection and serves as a model for handling future deprecations.

Standards and advancements

Guidelines from standards bodies

The National Institute of Standards and Technology (NIST) outlines key management recommendations in Special Publication 800-57 Part 1 Revision 5 (2020), specifying security strengths in bits to guide and selection. It establishes 112 bits as the minimum acceptable security strength for applying cryptographic protection through December 31, 2030, while recommending 128 bits or higher for new systems to ensure viability beyond that date. For legacy applications, 112 bits remains permissible for data processing after 2030, but strengths below 112 bits are disallowed for new protections immediately and restricted to legacy use only. The European Telecommunications Standards Institute (ETSI) aligns its cryptographic guidelines with NIST recommendations in standards for and algorithm usage across European telecommunications and ICT sectors. Similarly, the (IETF) mandates at least 112 bits of security for [Transport Layer Security](/page/Transport Layer Security) (TLS) cipher suites in RFC 7525 (2015) and subsequent updates, with weaker options deprecated and enforcement tightened post-2023 to prohibit configurations below this level. Historically, U.S. standards in the 1990s centered on the 56-bit Data Encryption Standard (DES) under FIPS 46-2 (1977, reaffirmed 1988), which proved inadequate against brute-force attacks by the decade's end. This prompted a shift in the 2000s, with FIPS 197 (2001) standardizing the Advanced Encryption Standard (AES) at 128 bits as the baseline for symmetric encryption in federal systems. Compliance with these security levels is enforced through certifications like FIPS 140-3 (2019), which validates cryptographic modules for U.S. federal use and requires algorithms providing at least the minimum strengths outlined in NIST SP 800-57 and SP 800-131A Revision 2 (2019). Modules failing these criteria, such as those employing export-weakened variants like 40-bit RC4 keys mandated by 1990s U.S. export controls, were non-compliant and highly vulnerable, contributing to the relaxation of restrictions via the Wassenaar Arrangement amendments in 1999-2000.

Post-quantum considerations

The advent of quantum computing poses significant threats to traditional cryptographic security levels, primarily through algorithms like Shor's and Grover's. Shor's algorithm enables the efficient factoring of large integers, reducing the effective security of asymmetric schemes such as RSA with n-bit keys to approximately n/2 bits of classical equivalent security by solving the underlying hard problems in polynomial time on a sufficiently large quantum computer. For symmetric cryptography, Grover's algorithm provides a quadratic speedup for brute-force searches, effectively halving the security level; for instance, AES-128 is reduced to an equivalent of 64-bit security, necessitating larger key sizes like AES-256 to maintain 128-bit post-quantum security. In response to these threats, the National Institute of Standards and Technology (NIST) finalized its first standards in August 2024, including FIPS 203 (ML-KEM, based on CRYSTALS-Kyber), FIPS 204 (ML-DSA, based on CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, based on SPHINCS+). In March 2025, NIST selected Hamming Quasi-Cyclic (HQC) for standardization as an additional . These standards are designed to provide at least 128 bits of security against both classical and quantum attacks, equivalent to the classical AES-128 level, by relying on quantum-resistant hardness assumptions such as (LWE) rather than factoring or discrete logarithms. This translates to larger key sizes or entirely new algorithmic structures to achieve the desired security levels in a quantum environment. In September 2025, NIST released draft guidance on mappings for migration to existing frameworks. To bridge the transition, hybrid cryptographic schemes combine classical and post-quantum algorithms, enhancing robustness during migration; for example, integrating key encapsulation with Diffie-Hellman ensures even if one component is compromised by quantum advances. variants, such as Kyber-512, are standardized to deliver 128-bit post-quantum , with conservative estimates confirming resistance to attacks requiring more than 2^{128} operations on quantum hardware. Projections based on 2025 quantum hardware progress indicate that cryptographically relevant quantum computers capable of breaking 2048-bit RSA could emerge in the 2030s, potentially as early as 2030, underscoring the urgency for adopting post-quantum measures to protect long-term data security.

References

  1. https://csrc.nist.gov/glossary/term/security_strength
  2. https://www.cryptopp.com/wiki/Security_Level
  3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
  4. https://eprint.iacr.org/2018/077.pdf
  5. https://link.springer.com/article/10.1007/s00145-001-0009-4
  6. https://eprint.iacr.org/2021/894.pdf
  7. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r5.pdf
  8. https://www.math.auckland.ac.nz/~sgal018/ACISP.pdf
  9. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-%28evaluation-criteria%29
  10. https://csrc.nist.gov/files/pubs/conference/1997/10/10/proceedings-of-the-20th-nissc-1997/final/docs/128.pdf
  11. https://inria.hal.science/inria-00579014v1/document
  12. https://csrc.nist.gov/csrc/media/events/physical-security-testing-workshop/documents/papers/physecpaper19.pdf
  13. https://biham.cs.technion.ac.il/Reports/differential-cryptanalysis-of-the-data-encryption-standard-biham-shamir-authors-latex-version.pdf
  14. http://www.cs.bilkent.edu.tr/~selcuk/teaching/cs519/Matsui-LC.pdf
  15. https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/
  16. https://crypto.stackexchange.com/questions/88512/80-bit-vs-128-bit-security-in-todays-world
  17. https://people.csail.mit.edu/rivest/Rsapaper.pdf
  18. https://ee.stanford.edu/~hellman/publications/24.pdf
  19. https://www.mccurley.org/papers/dlog.pdf
  20. https://cseweb.ucsd.edu/~mihir/papers/ro.pdf
  21. https://pub.math.leidenuniv.nl/~lenstrahw/PUBLICATIONS/1993e/art.pdf
  22. https://csrc.nist.gov/pubs/sp/800/131/a/r3/ipd
  23. https://datatracker.ietf.org/doc/html/rfc8446
  24. https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2025/juni/01/ict-beveiligingsrichtlijnen-voor-transport-layer-security-2025-05/Publication_TLS-Security%2Bguidelines-2025-05_ENG.pdf
  25. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.197.pdf
  26. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-131a.pdf
  27. https://www.cyberark.com/resources/blog/nist-s-new-timeline-for-post-quantum-encryption
  28. https://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit
  29. https://www.avast.com/c-wep-vs-wpa-or-wpa2
  30. https://datatracker.ietf.org/doc/html/rfc7525
  31. https://csrc.nist.gov/pubs/fips/140-3/final
  32. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
  33. https://www.quantamagazine.org/thirty-years-later-a-speed-boost-for-quantum-factoring-20231017/
  34. https://postquantum.com/post-quantum/grovers-algorithm/
  35. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
  36. https://csrc.nist.gov/projects/post-quantum-cryptography
  37. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
  38. https://pq-crystals.org/kyber/
  39. https://postquantum.com/predicting-q-day/predicting-2030-my-updated-q-day-prediction/
Add your contribution
Related Hubs
User Avatar
No comments yet.