Author
Matt Blaze,Whitfield Diffie,Ronald L. Rivest,Bruce Schneier,Tsutomu Shimomura,Eric Thompson,Michael Wiener
Abstract
Encryption plays an essential role in protecting the privacy of electronic information
against threats from a variety of potential attackers. In so doing, modern cryptography
employs a combination of conventional or symmetric cryptographic systems for encrypting
data and public key or asymmetric systems for managing the keys used by the symmetric
systems. Assessing the strength required of the symmetric cryptographic systems is therefore
an essential step in employing cryptography for computer and communication security.
Technology readily available today (late 1995) makes brute-force attacks against crypto-
graphic systems considered adequate for the past several years both fast and cheap. General
purpose computers can be used, but a much more efficient approach is to employ commercially
available Field Programmable Gate Array (FPGA) technology. For attackers prepared to
make a higher initial investment, custom-made, special-purpose chips make such calculations
much faster and significantly lower the amortized cost per solution.
As a result, cryptosystems with 40-bit keys offer virtually no protection at this point
against brute-force attacks. Even the U.S. Data Encryption Standard with 56-bit keys is
increasingly inadequate. As cryptosystems often succumb to 'smarter' attacks than brute
force key search, it is also important to remember that the keylengths discussed here are
the minimum needed for security against the computational threats considered.
Fortunately, the cost of very strong encryption is not significantly greater than that
of weak encryption. Therefore, to provide adequate protection against the most serious
threats - well-funded commercial enterprises or government intelligence agencies - keys
used to protect data today should be at least 75 bits long. To protect information
adequately for the next 20 years in the face of expected advances in computing power,
keys in the newly-deployed systems should be at least 90 bits long.