NIST-aligned reference for recommended cryptographic key sizes by algorithm and security level. Covers RSA, EC, AES, ChaCha20 and hash functions with bits-of-security equivalents.
Security relies on the difficulty of factoring large numbers (RSA, DH) or discrete logarithm (DSA). Key sizes must be much larger than symmetric equivalents.
| Algorithm | Key Size | Bits of Security | NIST Status | Safe Until | PFS | Notes |
|---|---|---|---|---|---|---|
| RSA | 1024 bits | 80 (Legacy) | Deprecated | Already broken (NIST 2010) | No | Do not use. Factoring 1024-bit RSA is feasible with nation-state resources. |
| RSA | 2048 bits | 112 (Minimum) | Acceptable | 2030 | No | Minimum for TLS certificates. NIST allows through 2030. Plan migration to 3072+. |
| RSA | 3072 bits | 128 (Standard) | Recommended | 2031+ | No | Equivalent security to AES-128. Recommended for new deployments beyond 2030. |
| RSA | 4096 bits | 140 (Standard) | Recommended | 2040+ | No | Higher security margin, but significantly slower. Common for CA root keys. |
| DSA / DH | 1024-bit modulus | 80 (Legacy) | Deprecated | Already deprecated | No | NIST deprecated 1024-bit DSA after 2013. |
| DSA / DH | 2048-bit modulus | 112 (Minimum) | Acceptable | 2030 | No | Minimum acceptable. DH requires careful parameter selection (avoid common moduli). |
| DSA / DH | 3072-bit modulus | 128 (Standard) | Recommended | 2031+ | No | Recommended for new deployments. Use FFDHE groups from RFC 7919. |
EC cryptography achieves the same security with much smaller keys than RSA/DH. A 256-bit EC key is roughly equivalent to a 3072-bit RSA key.
| Algorithm | Key Size | Bits of Security | NIST Status | Safe Until | PFS | Notes |
|---|---|---|---|---|---|---|
| ECDSA / ECDH | P-192 (192-bit) | 96 (Legacy) | Deprecated | Deprecated 2015 | Yes | No longer recommended by NIST. Migrate to P-256 or higher. |
| ECDSA / ECDH | P-256 (256-bit) | 128 (Standard) | Recommended | 2030+ | Yes | Most widely deployed EC curve. Equivalent to 3072-bit RSA. Used in TLS 1.3. |
| ECDSA / ECDH | P-384 (384-bit) | 192 (High) | Recommended | 2031+ | Yes | Required for Suite B Top Secret. Good choice for long-lived certificates. |
| ECDSA / ECDH | P-521 (521-bit) | 260 (Very High) | Recommended | Long-term | Yes | Highest NIST EC curve. Overkill for most uses but future-proof. |
| X25519 / Ed25519 | 255-bit (Curve25519) | 128 (Standard) | Recommended | 2030+ | Yes | Modern, fast, and resistant to implementation errors. Preferred in TLS 1.3 and SSH. |
| X448 / Ed448 | 448-bit (Curve448) | 224 (High) | Recommended | 2031+ | Yes | Higher security variant of Curve25519. Less hardware support but well-studied. |
Symmetric ciphers use the same key for encryption and decryption. Quantum computers halve effective security (Grover's algorithm), so 256-bit AES is recommended.
| Algorithm | Key Size | Bits of Security | NIST Status | Safe Until | PFS | Notes |
|---|---|---|---|---|---|---|
| 3DES (Triple DES) | 112-bit effective | 112 (Minimum) | Deprecated | Disallowed after 2023 (NIST SP 800-131A) | No | NIST disallowed 3DES as of 2023. Vulnerable to SWEET32. Replace with AES. |
| AES-128 | 128 bits | 128 (Standard) | Recommended | 2030+ | No | Fast, well-studied. 128 bits is overkill for classical computers but quantum reduces to 64-bit effective. |
| AES-192 | 192 bits | 192 (High) | Recommended | 2031+ | No | Rarely used in practice. AES-256 is preferred when higher security is needed. |
| AES-256 | 256 bits | 256 (Very High) | Recommended | Long-term (post-quantum) | No | Recommended for post-quantum resistance (Grover reduces to 128-bit equivalent). Standard for new systems. |
| ChaCha20-Poly1305 | 256 bits | 256 (Very High) | Recommended | Long-term | No | Modern AEAD cipher. Preferred over AES-GCM when hardware AES acceleration is unavailable (mobile, IoT). Used in TLS 1.3. |
Hashes must be at least twice the desired bits of security (collision resistance = outputSize/2). Use HMAC with any SHA-2/SHA-3 for message authentication.
| Algorithm | Key Size | Bits of Security | NIST Status | Safe Until | PFS | Notes |
|---|---|---|---|---|---|---|
| MD5 | 128-bit output | N/A (Broken) | Deprecated | Broken | No | Completely broken for collision resistance. Never use for security. Only legacy compatibility. |
| SHA-1 | 160-bit output | 60 (Insufficient) | Deprecated | Deprecated 2016 | No | Practical collision attacks demonstrated (SHAttered, 2017). Disallowed by most CAs. |
| SHA-256 | 256-bit output | 128 (Standard) | Recommended | 2030+ | No | Current standard. Use HMAC-SHA256 for MACs. Vulnerable to length-extension when used as MAC(key||msg). |
| SHA-384 / SHA-512 | 384/512-bit output | 192 (High) | Recommended | 2031+ | No | Higher security margin. SHA-512 can be faster than SHA-256 on 64-bit systems. |
| SHA-3 (Keccak) | 256/384/512-bit output | 128 (Standard) | Recommended | 2031+ | No | Different construction from SHA-2. Not vulnerable to length extension attacks. NIST standard since 2015. |
marduc812
2026