Skip to content

Computational resources in cryptanalysis

Cryptographic security is fundamentally tied to the computational effort required to break cryptographic protections, including encryption and digital signatures. As computing power increases and new attack techniques emerge, cryptographic algorithms and key sizes that were once considered secure may become vulnerable. To ensure long-term security, cryptographic best practices must evolve alongside advancements in hardware, distributed computing, and mathematical optimizations.

This article explores the computational resources necessary for breaking cryptographic keys and bypassing cryptographic protections, emphasizing brute-force feasibility, real-world cryptanalysis records, and the role of specialized hardware such as GPUs, ASICs, and quantum computers. We’ll analyze how current cryptographic key sizes withstand modern attacks, identify algorithms that have already been broken, and assess potential future vulnerabilities.

It’s important to note that this article focuses only on direct computational attacks, omitting attacks that rely on side channels or implementation flaws. It aims to provide a realistic assessment of the impact of advances in computational power on cryptographic security , using real-world cryptanalysis records and practical attack feasibility as a foundation.

Security levels and bit strength

Cryptographic strength is often measured in bits of security, indicating that an attacker would require on the order of 2n operations (where n is the bit security level) to compromise the cryptographic key. Key size does not always directly correspond to security strength, as different cryptographic systems require different key lengths to provide equivalent security.

For a detailed explanation of key sizes and security levels, including post-quantum considerations and NIST recommendations, refer to Knowledge base: Cryptographic keylengths.

Common Security Levels Security levels commonly used to measure cryptographic strength can be categorized as follows:

  • 80-bit security – Deprecated; equivalent to breaking 1024-bit RSA.
  • 112-bit security – Acceptable for limited use, provided by 2048-bit RSA or ECC P-224.
  • 128-bit security – Modern baseline security, provided by AES-128 or ECC P-256.
  • 192-bit security – Medium security level, provided by AES-192 or ECC P-384.
  • 256-bit security – High security level for long-term protection, used in AES-256 and ECC P-521.

It’s important to reiterate that this is a snapshot in time. The bit security required to guarantee a reasonable level of security, as well as the bit security provided by a specific algorithm change over time. Consequently, the motivation of using higher security levels is at least partially to have a well-sized buffer to absorb such future changes.

Additionally, there is no universal rule for how key size translates to security strength—it depends on the mathematical structure of the algorithm. For example, ECC requires significantly smaller keys than RSA to provide the same level of security.

Brute-force cost estimates

Brute-force attacks rely on trying to guess a solution and repeat until one works. A common example of this is to systematically guess cryptographic keys until the correct one is found. The difficulty of such attacks is measured in bit security, which in this case represents the number of computational operations expected to find a correct solution, for example to exhaustively search a keyspace. A key of n bits requires up to 2n operations to be broken using brute-force, assuming no cryptanalytic shortcuts exist.

Computational effort required for different bit security levels

To estimate the practical cost of attacks, we model computations using CPU core-hours. We use a rate of $0.005 per hour for a two-core unit (based on EC2 t4g.nano instances, prices as of Q1 2025). We then reference a real-world example: the SHA-1 attack. While technically this wasn’t a brute-force attack because it exploited cryptanalytic shortcuts, it still required trying many candidate solutions, similar to a brute-force attack.

CWI Amsterdam and Google announced the SHA-1 ‘SHAttered’ attack on 23 February 2017, generating two different PDF files with the same SHA-1 hash in roughly 263.1 operations. This was significantly fewer than the 280 originally anticipated, due to the cryptanalytic shortcuts mentioned above, but 263.1 still represents a significant work effort. According to their estimates, the attack required approximately:

  • 6,500 CPU years, translating to $142,350 based on today’s commercial cloud pricing at the $0.005 per core-hour referenced above (cloud costs in 2017 may have been higher).
  • 100 GPU years, for simplicity we do not take this cost into account.

To put this 263.1 operations into context:

  • 264 operations would cost roughly double that amount, bringing it to $285,000.
  • 280 operations, the effort originally anticipated for finding collisions in SHA-1, would require roughly $35 billion USD in computational resources.
  • 2128 operations, which represents the baseline standard for modern cryptographic security, would be completely infeasible using AWS resources. This represents the estimated brute-force resistance of SHA-256 and AES-128, both of which are considered secure against all practical attacks.

These figures illustrate the computational costs of attacks assuming rented cloud resources. Although specialized hardware, such as GPUs or ASICs, could reduce these costs significantly, scaling attacks to cryptographically relevant security levels remains prohibitively expensive, even for highly funded nation-state actors. For context, at the time of writing, the entire Bitcoin network performs approximately 290 SHA-256 hashes per second, though the total operational cost isn’t publicly known.

Several cryptographic failures have demonstrated how small key sizes and outdated cryptographic algorithms lead to real-world vulnerabilities that can be exploited with sufficient computational resources. Below are notable CVEs and CWEs caused by cryptographic algorithms where the workload of an attacker to break them had been found to be below a level considered secure.

  • CVE-2015-0204 (FREAK Attack, RSA) – RSA implementations downgraded to 512-bit “export-grade” encryption, making them breakable in real-time.
  • CVE-2015-4000 (Logjam Attack, Diffie-Hellman) – Weak 512-bit Diffie-Hellman groups allowed attackers to decrypt traffic using precomputed discrete logarithm attacks.
  • CVE-2016-2183 (SWEET32 Attack, 3DES) – Exploited 3DES’s small 64-bit block size, enabling practical collision attacks with enough ciphertext.
  • CVE-2005-2730 (DES Weakness, DES) – 56-bit DES keys found to be brute-forceable in under 24 hours using commercial hardware.
  • CVE-2005-4900 (SHA-1 Weakness, Hashing) – SHA-1 proven weak against collision attacks, leading to its deprecation in security protocols.
  • CVE-2004-2761 (MD5 Collision Vulnerability, Hashing) – MD5 demonstrated to produce collisions in minutes, rendering it unsuitable for cryptographic integrity.
  • CWE-326 (Inadequate Encryption Strength) – Use of cryptographic keys that are too small for modern security standards.
  • CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) – Usage of outdated, weak cryptographic schemes like 512-bit RSA, DES, or MD5.

Post-Quantum security levels and key size considerations

With the advent of quantum computing, traditional cryptographic security assumptions need to be re-evaluated. Quantum attacks, such as Shor’s algorithm, threaten widely used public-key cryptosystems, including RSA, ECC, and Diffie-Hellman, by reducing their effective security to a fraction of their classical strength. Grover’s algorithm, on the other hand, formally weakens symmetric cryptography somewhat by offering a quadratic speedup in brute-force key search.

NIST PQC security strength categories

Post-quantum cryptographic (PQC) standards introduced by NIST define security levels based on their equivalence to AES security strength.

  • Category 1 – Provides at least 128-bit security, equivalent to AES-128.
    • This is the minimum acceptable level for modern security, ensuring resistance against classical brute-force attacks while being computationally efficient.
    • Example: ML-KEM-512 (Kyber-512) in post-quantum key encapsulation.
  • Category 3 – Provides at least 192-bit security, equivalent to AES-192.
    • Suitable for applications that require stronger long-term security.
    • Example: ML-KEM-768 (Kyber-768) and ML-DSA-65 (Dilithium-65).
  • Category 5 – Provides at least 256-bit security, equivalent to AES-256.
    • Intended for high-assurance environments (government, military, financial infrastructure) where security must hold up against future cryptanalytic advances.
    • Example: ML-KEM-1024 (Kyber-1024) and ML-DSA-87 (Dilithium-87).

While Grover’s algorithm weakens symmetric cryptography by reducing effective key security by half the bits (for example, AES-256 would offer 128-bit quantum security), increasing key sizes generally mitigates this effect. As a result, AES-256 remains viable for long-term security against quantum threats. Additionally, a caveat of Grover’s algorithm is that it cannot be efficiently parallelised which alleviates concerns of its impact, in contrast to Shor’s algorithm.

Sources