What key size should be used?
The key size that should be used in a particular application of cryptography depends on two things. First of all, the value of the key is an important consideration. Secondly, the actual key size depends on what cryptographic algorithm is being used.
Due to the rapid development of new technology and cryptanalytic methods, the correct key size for a particular application is continuously changing. For this reason, RSA Laboratories refers to its web site http://www.emc.com/emc-plus/rsa-labs/ for updated recommendations. The table below contains key size limits and recommendations from different sources for block ciphers, the RSA system, the elliptic curve system, and DSA.
- Export grade or nominal grade gives little real protection; the key sizes are the limits specified in the Wassenaar Arrangement (see Question 6.5.3).
- "Traditional recommendations" are recommendations such as those given in earlier versions of this FAQ. Such recommendations are normally based on the traditional approach of counting MIPS-years for the best available key breaking algorithms. There are several reasons to call this approach into question. For example, an algorithm with massive memory requirements is probably not equivalent to an algorithm with low memory requirements.
- The last rows in the table give lower bounds for commercial applications as suggested by Lenstra and Verheul [LV00]. The first of these rows shows recommended key sizes of today, while the second row gives estimated lower bounds for 2010. The bounds are based on the assumption that DES was sufficiently secure until 1982 along with several hypotheses, which are all extrapolations in the spirit of Moore's Law (the computational power of a chip doubles every 18 months). One questionable assumption they make is that computers and memory will be available for free. It seems that this assumption is not realistic for key breaking algorithms with large memory requirements. One such algorithm is the General Number Field Sieve used in RSA key breaking efforts.
Table 2. Minimal key lengths in bits for different grades.
Notes. The RSA key size refers to the size of the modulus. The Elliptic Curve key size refers to the minimum order of the base point on the elliptic curve; this order should be slightly smaller than the field size. The DSA key sizes refer to the size of the modulus and the minimum size of a large subgroup, respectively (the size of the subgroup is often considerably larger in applications). In the last row there are two values for elliptic curve cryptosystems; the choice of key size should depend on whether any significant cryptanalytic progress in this field is expected or not.