RSA Laboratories What key size should be used?

The key size that should be used in a particular application of cryptography depends on two things. First of all, the value of the key is an important consideration. Secondly, the actual key size depends on what cryptographic algorithm is being used.

Due to the rapid development of new technology and cryptanalytic methods, the correct key size for a particular application is continuously changing. For this reason, RSA Laboratories refers to its web site for updated recommendations. The table below contains key size limits and recommendations from different sources for block ciphers, the RSA system, the elliptic curve system, and DSA.

Some comments:

  • Export grade or nominal grade gives little real protection; the key sizes are the limits specified in the Wassenaar Arrangement (see Question 6.5.3).
  • "Traditional recommendations" are recommendations such as those given in earlier versions of this FAQ. Such recommendations are normally based on the traditional approach of counting MIPS-years for the best available key breaking algorithms. There are several reasons to call this approach into question. For example, an algorithm with massive memory requirements is probably not equivalent to an algorithm with low memory requirements.
  • The last rows in the table give lower bounds for commercial applications as suggested by Lenstra and Verheul [LV00]. The first of these rows shows recommended key sizes of today, while the second row gives estimated lower bounds for 2010. The bounds are based on the assumption that DES was sufficiently secure until 1982 along with several hypotheses, which are all extrapolations in the spirit of Moore's Law (the computational power of a chip doubles every 18 months). One questionable assumption they make is that computers and memory will be available for free. It seems that this assumption is not realistic for key breaking algorithms with large memory requirements. One such algorithm is the General Number Field Sieve used in RSA key breaking efforts.

                              Block Cipher   RSA    Elliptic Curve   DSA
Export Grade                  56             512    112              512/112
Traditional recommendations   80             1024   160              1024/160
                              112            2048   224              2048/224
Lenstra/Verheul 2000          70             952    132              952/125
Lenstra/Verheul 2010          78             1369   146/160          1369/138

Table 2. Minimal key lengths in bits for different grades.

Notes. The RSA key size refers to the size of the modulus. The Elliptic Curve key size refers to the minimum order of the base point on the elliptic curve; this order should be slightly smaller than the field size. The DSA key sizes refer to the size of the modulus and the minimum size of a large subgroup, respectively (the size of the subgroup is often considerably larger in applications). In the last row there are two values for elliptic curve cryptosystems; the choice of key size should depend on whether any significant cryptanalytic progress in this field is expected or not.
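
The Moore's Law extrapolation behind the Lenstra/Verheul rows, worked through for the Block Cipher column as an added example (not code from RSA Laboratories or from [LV00]). The 1982 DES baseline and the 18-month doubling come from the text above; the ten-year attacker-budget doubling is an assumed extra hypothesis, with which the model reproduces the table's 70 and 78 bits, while Moore's Law alone gives 68 and 75.

```python
from fractions import Fraction
from math import ceil, floor

DES_BITS = 56           # DES key size, the model's baseline
DES_SAFE_UNTIL = 1982   # from the page: DES assumed sufficiently secure until 1982


def bits_per_year(moore_months=18, budget_years=None):
    """Key bits an attacker gains per year under the chosen hypotheses."""
    rate = Fraction(12, moore_months)        # page: chip power doubles every 18 months
    if budget_years is not None:
        rate += Fraction(1, budget_years)    # ASSUMPTION: attacker budget doubles as well
    return rate


def symmetric_lower_bound(year, moore_months=18, budget_years=None):
    """Smallest block-cipher key size (bits) as hard in `year` as DES was in 1982."""
    gained = (year - DES_SAFE_UNTIL) * bits_per_year(moore_months, budget_years)
    return DES_BITS + ceil(gained)


def adequate_until(bits, moore_months=18, budget_years=None):
    """Last year in which a key of `bits` bits still meets the model's lower bound."""
    rate = bits_per_year(moore_months, budget_years)
    return DES_SAFE_UNTIL + floor((bits - DES_BITS) / rate)


if __name__ == "__main__":
    for year in (2000, 2010):
        print(year,
              "Moore only:", symmetric_lower_bound(year),
              "| Moore + budget:", symmetric_lower_bound(year, budget_years=10))
    # Block-cipher sizes from Table 2, evaluated under the same assumed model.
    for bits in (56, 80, 112):
        print(bits, "bits adequate until", adequate_until(bits, budget_years=10))
```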
