Skip to content

Cryptographic keylengths

Cryptographic keys can be thought of as sequences of bits, and their length plays a significant role in determining their security, which varies by algorithm. The terms key length and key size are often used interchangeably to refer to the number of bits in a key. Security strength is typically measured in bits; for example, AES-128, which uses 128-bit keys, provides 128 bits of security. However, key length doesn’t always directly correlate with security strength. For instance, RSA-1024, with 1024-bit keys, provides only 80 bits of security, which is now considered inadequate according to NIST guidelines. In addition to key length, several other factors must be considered when dealing with cryptographic keys. Refer to Key management for details.

Caution

The following information and examples are provided for general reference. Given the rapid evolution of standards and cryptographic guidance, it is crucial to consult the latest versions of the referenced publications before making decisions or implementation changes. Always verify that you are using the most up-to-date information available and check that you have the latest revision numbers for each document.

Detailed description

Cryptographic keys can be viewed as sequences of bits, with longer keys generally providing more security. However, the actual security strength depends on the underlying cryptographic algorithm. For instance:

  • AES supports key lengths of 128, 192, and 256 bits
  • RSA supports key lengths of 2048, 3072, 4096 and 7680 bits, among others

In terms of security strength, both AES-128 and RSA-3072 offer approximately the same level of security, equivalent to 128 bits.

Measuring security strength

The security strength, or security level, of a cryptographic algorithm corresponds to the approximate number of operations an attacker would need to perform to compromise its security. The security strength is often measured in bits. For the given example of 128 bits of security, this means that breaking AES-128 or RSA-3072 would require approximately 2128 operations. To put that number into context, it’s roughly 3.4*1038, which is a larger number than all the planets and stars in the universe. This is the modern baseline or minimum for security standards, and extends even higher to 2192 and 2256 for even stronger security. To put these numbers in perspective; if every planet in the universe was the same as Earth, 2192 is still significantly larger than all the grains of sand on every planet combined; 2256 is so vastly large, it is close to the total number of atoms in the universe.

NIST security strength guidelines

A security strength of 80 bits is no longer considered adequate, as noted in NIST SP 800-57 Part 1 Revision 5 (Recommendation for Key Management: Part 1 - General, published May 2020, Section 5.6.1). For example, RSA-1024 provides only 80 bits of security, which does not meet current security requirements. Table 1, reproduced from NIST SP 800-57 Part 1 Revision 5, outlines the transition to a minimum security strength of 128 bits by 2030.

Caution

The content in Table 1 is accurate at the time of writing (Q1 2025).

Table 1. Reproduction of Table 4, Section 5.6.3, of NIST SP 800-57 Part 1 Revision 5.

Security Strength Applying and/or Processing Through 2030 2031 and Beyond
Less than 112 bits Applying protection Disallowed Disallowed
Less than 112 bits Processing Legacy use Legacy use
112 bits Applying protection Acceptable Disallowed
112 bits Processing Acceptable Legacy use
128 bits Both applying and processing Acceptable Acceptable
192 bits Both applying and processing Acceptable Acceptable
256 bits Both applying and processing Acceptable Acceptable

Note that algorithms that provide a security strength of less than 112 bits should no longer be used to protect new data (Applying protection), although they may still be used for legacy purposes, such as recovering previously encrypted data (Processing). A security strength of 112 bits (for example, RSA-2048) is currently the minimum allowed, but from 2030 onwards, it will be permitted only for legacy processing purposes, i.e. decryption and verification.

A notable example of an exception to the 112-bit rule is 3TDEA Encryption, which provides 112 bits of security strength but was deprecated in 2023 in NIST SP 800-131A Revision 2 (Table 1, page 7).

Post-quantum cryptography security categories

In the context of Post-Quantum Cryptography Standardization, NIST has introduced a separate categorization system, consisting of five security categories, numbered from 1 to 5, to classify quantum-resistant cryptographic algorithms. This scale ranges from Category 1 (the minimal and lowest considered security strength) to Category 5 (the highest security strength).

Category definitions

These categories are defined relative to established cryptographic standards:

  • Category 1: Provides at least 128 bits of security, equivalent to AES-128.
  • Category 2: Offers security comparable to finding a collision in SHA-256 or SHA3-256.
  • Category 3: Provides at least 192 bits of security, equivalent to AES-192.
  • Category 4: Offers security comparable to finding a collision in SHA-384 or SHA3-384.
  • Category 5: Provides at least 256 bits of security, equivalent to AES-256.

Usage in post-quantum cryptography schemes

These categories are already used in recently standardized quantum-resistant schemes, such as:

  • FIPS 203: ML-KEM (Module-Lattice-based Key Encapsulation Mechanism), formerly known as Kyber.
  • FIPS 204: ML-DSA (Module-Lattice-based Digital Signature Algorithm), formerly known as Dilithium.
  • FIPS 205: SLH-DSA (Stateless Hash-based Digital Signature Algorithm), formerly known as SPHINCS+.

For example, FIPS 203 specifies three versions of ML-KEM, each providing a different security level:

  • ML-KEM-512: Category 1
  • ML-KEM-768: Category 3
  • ML-KEM-1024: Category 5

Note that the number following the algorithm designation does not directly correspond to the key length. In these schemes, key lengths are measured in bytes, not bits, due to their large size. For instance:

  • The encapsulation key (public key) of ML-KEM-768 is 1184 bytes.
  • The decapsulation key (secret key) of ML-KEM-768 is 2400 bytes.

Detailed information on key lengths for ML-KEM can be found in FIPS 203 in Table 3 on page 39.

Security recommendations

The transition to post-quantum cryptographic standards is driving rapid changes in security recommendations, which may be updated with short notice.

To illustrate this point, we highlight two NIST publications under revision at the time of writing:

  • NIST SP 800-131A Transitioning the Use of Cryptographic Algorithms and Key Lengths, (Revision 2, published March 2019). The initial public draft of Revision 3 is available at the time of writing. Revision 3 includes:
    • Mentions of quantum-resistant algorithms specified in FIPS 203, 204, and 205
    • Updated guidelines.
  • NIST IR 8547 Transition to Post-Quantum Cryptography Standards (initial public draft) states that after 2035, cryptographic standards involving quantum-vulnerable algorithms will be disallowed, including:

Caution

The content in Table 2 is accurate at the time of writing (Q1 2025).

Table 2. Digital Signatures: FIPS 186-57, FIPS 204, and FIPS 205.

Digital Signature Algorithms Example Instantiations Security Strength Status in NIST SP 800 131A Revision 2 Status in NIST SP 800 131A Revision 3 (IPD)
ECDSA1 Generation ECDSA P-192
ECDSA P-224
ECDSA P-256		 < 112 bits
≈112 bits
>= 128 bits		 Disallowed
Acceptable
Acceptable		 Disallowed
Acceptable until 203010
Acceptable
ECDSA Verification < 112 bits
>= 112 bits		 Legacy use
Acceptable		 Legacy use
Acceptable*
EdDSA2 Ed25519 >= 128 bits Acceptable Acceptable*
RSA3 generation (PKCS #1 v1.5 & PSS) RSA-1024
RSA-2048
RSA-3072		 < 112 bits
≈112 bits
>= 128 bits		 Disallowed
Acceptable
Acceptable		 Disallowed
Acceptable until 203010
Acceptable
RSA verification (PKCS #1 v1.5 & PSS) < 112 bits
>= 112 bits		 Legacy use
Acceptable		 Legacy use
Acceptable*
ML-DSA4 ML-DSA-445
ML-DSA-65
ML-DSA-87		 Category 2
Category 3
Category 5		 N/A Acceptable
SLH-DSA6 SLH-DSA-128s11
SLH-DSA-192s11
SLH-DSA-256s11		 Category 1
Category 3
Category 5		 N/A Acceptable

Table 2 presents the guidelines from NIST according to NIST SP 800 131A Revision 2 and NIST SP 800 131A Revision 3 (IPD) for digital signature algorithms specified in FIPS 186-5, FIPS 204, and FIPS 205. The rightmost column indicates that the transition to quantum-resistant digital signature algorithms will impact algorithms corresponding to fields marked with ‘*’.

Caution

The content in Table 3 is accurate at the time of writing (Q1 2025).

Table 3. Key Establishment Schemes: NIST SP 800-56B Rev. 2 and NIST SP 800-56A Rev. 3.

Key Agreement Algorithms Example Instantiations Security Strength Status in NIST SP 800 131A Revision 2 Status in NIST SP 800 131A Revision 3 (IPD)
RSA8 RSA-1024
RSA-2048
RSA-3072		 < 112 bits
112 bits
>= 128 bits		 Disallowed
Acceptable
Acceptable		 Legacy use
Acceptable until 203010
Acceptable
ECC9 ECC P-192
ECC P-224
ECC P-256		 < 112 bits
112 bits
>= 128 bits		 Disallowed
Acceptable
Acceptable		 Disallowed
Acceptable until 203010
Acceptable
Diffie-Hellman9 MODP-1024
MODP-2048
MODP-3072		 < 112 bits
112 bits
>= 128 bits		 Disallowed
Acceptable
Acceptable		 Disallowed
Acceptable until 203010
Acceptable

The guidelines for key-establishing algorithms are shown in Table 3 and are similar to those for digital signature algorithms, with 128 bits of security being preferable until the post-quantum transition.

NIST has not set a hard deadline for post-quantum cryptographic migration but is developing a transition schedule. Further guidance will be provided in future revisions of NIST SP 800-131A Revision 3. In contrast, the NSA’s CNSA 2.0 guidance outlines specific deadlines, requiring all National Security Systems (NSS) to be quantum-resistant by 2035. The NSA’s timeline mandates that new acquisitions must be CNSA 2.0 compliant by January 1, 2027, and all non-compliant equipment and services must be phased out by December 31, 2030.

Sources

  1. Source: NIST SP 800-186, Table 1 and Table 2, pages 6 and 7. 

  2. Source: FIPS 186-5, Section 7.1, page 26. 

  3. Source: NIST SP 800-57 Part 1 Revision 5, Table 2, pages 54 and 55 (FIPS 186-5 refers in section 5.1 that the previous document should be considered). 

  4. Source: FIPS 204, Section 4, page 15. 

  5. FIPS 204, Section 3.6.1, page 12, discusses the requirements for ML-DSA-44 to be classified as Category 2. 

  6. Source: FIPS 205, Section 11, page 43. 

  7. DSA was removed in FIPS 186-5. It is no longer allowed for digital signature generation. It may be used to verify signatures generated before the implementation date of FIPS 186-5. DSA specifications are available in FIPS 186-4

  8. Source: NIST Special Publication 800-56B Revision 2, Table 2 and 4, page 38 and 117. 

  9. Source: NIST Special Publication 800-56A Revision 3, Table 24 and 25, page 132 and 133. 

  10. Use of these cryptography schemes is acceptable until 2030 and is depreciated after 2030*, however quantum computers will impact these algorithms. 

  11. Technically these parameter names are SLH-DSA-SHAKE-128s, SLH-DSA-SHAKE-192s, and SLH-DSA-SHAKE-256s, but they were shortened to save space in the table.