Minimal Key Lengths for Symmetric Ciphers
to Provide Adequate Commercial Security
A Report by an Ad Hoc Group of
Cryptographers and Computer Scientists
Matt Blaze 1
Whitfield Diffie 2
Ronald L. Rivest 3
Bruce Schneier 4
Tsutomu Shimomura 5
Eric Thompson 6
Michael Wiener 7
Encryption plays an essential role in protecting the privacy of electronic information against threats from a variety of potential attackers. In so doing, modern cryptography employs a combination of conventional or symmetric cryptographic systems for encrypting data and public key or asymmetric systems for managing the keys used by the symmetric systems. Assessing the strength required of the symmetric cryptographic systems is therefore an essential step in employing cryptography for computer and communication security.
Technology readily available today (late 1995) makes brute-force attacks against cryptographic systems considered adequate for the past several years both fast and cheap. General purpose computers can be used, but a much more efficient approach is to employ commercially available Field Programmable Gate Array (FPGA) technology. For attackers prepared to make a higher initial investment, custom-made, special-purpose chips make such calculations much faster and significantly lower the amortized cost per solution.
As a result, cryptosystems with 40-bit keys offer virtually no protection at this point against brute-force attacks. Even the U.S. Data Encryption Standard with 56-bit keys is increasingly inadequate. As cryptosystems often succumb to 'smarter' attacks than brute-force key search, it is also important to remember that the keylengths discussed here are the minimum needed for security against the computational threats considered.
Fortunately, the cost of very strong encryption is not significantly greater than that of weak encryption. Therefore, to provide adequate protection against the most serious threats (well-funded commercial enterprises or government intelligence agencies), keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years in the face of expected advances in computing power, keys in newly-deployed systems should be at least 90 bits long.
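The step from 75 bits today to 90 bits for a 20-year lifetime can be checked with a short key-length margin calculation. This is an added example, not part of the report; the 18-month doubling period for attacker capability and the search rate used in the printout are assumptions, not figures stated in this abstract.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DOUBLING_PERIOD_YEARS = 1.5   # assumption: attacker keys/sec per dollar doubles every 18 months
ASSUMED_RATE = 1e9            # constructed search rate in keys/sec, for illustration only


def expected_search_seconds(key_bits, keys_per_second):
    """Average-case exhaustive search tries half of the 2**key_bits keyspace."""
    return 2 ** (key_bits - 1) / keys_per_second


def relative_work(key_bits, baseline_bits):
    """How many times more work a key_bits search is than a baseline_bits search."""
    return 2 ** (key_bits - baseline_bits)


def effective_bits_after(key_bits, years, period=DOUBLING_PERIOD_YEARS):
    """Key length that costs today's attacker what key_bits will cost in `years`."""
    return key_bits - years / period


def min_key_bits(today_bits, years, period=DOUBLING_PERIOD_YEARS):
    """Key length needed now so the margin still equals today_bits after `years`."""
    return today_bits + math.ceil(years / period)


if __name__ == "__main__":
    for bits in (40, 56, 75, 90):
        years = expected_search_seconds(bits, ASSUMED_RATE) / SECONDS_PER_YEAR
        print(f"{bits}-bit key: {years:.3g} years at {ASSUMED_RATE:.0e} keys/s, "
              f"{relative_work(bits, 40):.3g}x the work of 40 bits, "
              f"worth {effective_bits_after(bits, 20):.1f} bits in 20 years")
    # 20 years / 1.5 years per doubling needs 14 extra bits: 75 + 14 = 89,
    # consistent with the recommendation of at least 90 bits.
    print("minimum for a 20-year lifetime:", min_key_bits(75, 20))
```

Each added bit doubles the search cost, so the cost of the extra margin to the defender is small while the attacker's cost grows exponentially.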
1 AT&T Research, firstname.lastname@example.org
2 Sun Microsystems, email@example.com
3 MIT Laboratory for Computer Science, firstname.lastname@example.org
4 Counterpane Systems, email@example.com
5 San Diego Supercomputer Center, firstname.lastname@example.org
6 Access Data, Inc., email@example.com
7 Bell Northern Research, firstname.lastname@example.org