# Bit security level

With a four-digit combination padlock, there are 10,000 possibilities of number sequences, from 0000 to 9999. That is, to crack this padlock by trying out every possibility–brute-force attack–the cracker needs 10,000 trials at most. If one trial takes one second, the padlock will certainly be broken after 2 hours 46 minutes 40 seconds.

A five-digit padlock may enhance security. There are 100,000 possibilities and it will take 27 hours 46 minutes 40 seconds. If the password is an “unsigned 32-bit integer”, there are 4,294,967,296 possible passwords from 0 to 4,294,967,295. This is how one can approximate the security strength: measure the size of the problem domain (= the number of maximum trials).

In information security, when the size of the problem domain is 4,294,967,296, it is common to say the security level is 232, or it has 32 bits of security. This is the idea of bit security level.

When an algorithm offers 128 bits of security, it will take maximum 2128 trials to break the system with brute-force attack.

The term “security level” and “security strength” are often used interchangeably.

## 128 bits of security ≠ 2128 machine instructions

The number of machine instructions it takes for one trial depends on the processor’s architecture, and so does the time. Cryptographers assume that such time is minimal, because it is often feasible to synthesize a dedicated hardware circuitry for a cryptographic algorithm. In fact, modern x86/64 processors often have the AES-NI extension, a typical example of such hardware support. This is why cryptographers try to elevate the bit security level, instead increasing the cost of one trial. (A notable counterexample to this is the Password Hashing Competition.)

## 2048-bit RSA ≠ 2048 bits of security

Bit-based description is common in cryptography, such as “RSA 2048-bit cert”, “Diffie-Hellman 4096-bit key exchange”, or “SHA-256.” These do not refer to the bits of security each cryptographic primitive has. They are the key/block size, not the number of trials it takes to cover the problem domain.

Such difference comes from the fact that, as cryptographic primitives rely on difficult mathematical problems, their security is inevitably weakened when attacking those math problems makes progress. Progress in discrete logarithm means less security of Merkle-Diffie-Hellman system. Progress in prime factorization means less security of RSA. Sometimes the attack is algorithm-specific, aiding the attacker to rule out a significant portion of the key space from a hash function or a block cipher. This means it normally does not take an exhaustive search of the whole target to determine the secret.

### Different sizes for 128 bits of security

According to the NIST:

• MDH key exchange requires a 3072-bit parameter (the prime).
• RSA public key needs to be larger than 3072 bits.
• Elliptic curve key exchange requires a 256-bit parameter.
• Among the hash functions in the SHA-2 family, at least SHA-256 is needed.

## How many bits of security do we need?

DES is an example showing how 56-bit security is not sufficient.

• 256 is approximately 7.2e16 (7.2 × 1016).
• Since modern hardware comes with about 2 GHz of clock speed (2 × 109 operations per second) we assume a dedicated hardware carries out 109 trials per second.
• A brute-force attack takes 7.2e16/1e9 = 7.2e7 seconds.
• Hardware is cheap. If we have 1,000 units of crypto hardware that’s 7.2e4 seconds.
• There are 86,400 (or more) seconds in a day. 7.2e4 seconds is less than that.

Therefore DES is very crackable, and that’s how the EFF actually came up with a machine called EFF DES Cracker that cracks DES in within three days in 1998.

There is a consensus among security researchers that

• 128 bits of security is sufficient until the next revolutionary breakthrough in either mathematics or technology.
• 112 bits of security is sufficient until 2030.

For example, both NIST and Qualys agree that more than 2048 bits for RSA is waste of processing power.