The security level of a cryptographic algorithm indicates how resistant it is to computational attacks. This article outlines how security levels are defined, how different evaluation approaches are used, and how security levels influence the selection of cryptographic algorithms.
The security level is a fundamental concept in cryptography. It describes how much computational effort an attacker must expend to successfully break a cryptographic algorithm. This article explains what security levels mean, how they are measured, and why they are critical when selecting cryptographic algorithms.
The security level of a cryptographic process indicates the minimal computing effort (expressed as a number of operations) an attacker would need to compromise the algorithm. An algorithm is said to provide a security level of n bits if any attack against it requires at least 2ⁿ computational steps to break its security objective.
The higher the security level, the more computationally expensive an attack becomes, and the more resistant the algorithm is to both current and future computing capabilities.
Example: If a cryptographic algorithm offers an 80-bit security level, an attacker would need at least 2⁸⁰ operations to break it. This level of effort is beyond the reach of today’s conventional computers. However, with advances in hardware and the availability of powerful computing resources, such attacks may eventually become feasible within a practical timeframe. As a result, an 80-bit security level is no longer considered sufficient for long-term security.
The security level of a cryptographic algorithm is largely determined by its key length. In general, the longer the secret key, the higher the security level.
In practice, the security of a system is defined by its weakest component. For example, within a cryptographic protocol or cipher suite, the overall security level corresponds to the lowest security level of any algorithm in use.
Security requirements vary depending on the application and the threat model. The following overview illustrates commonly referenced security levels and their typical interpretation.
< 80 bits:
Outdated procedures that are considered unsafe against today's modern methods techniques.
They can be broken quickly using contemporary hardware and should not be used.
80 bit:
Minimum standard for limited transitional scenarios for non-critical systems. Attacks are feasible with moderate resources. Examples include Triple DES (2TDEA) and RSA-1024.
Use is generally discouraged, and such algorithms are not future-proof.
112 bit:
Currently considered the minimum acceptable security level for secure systems. Classical attacks require substantial resources and are only marginally feasible in practice.
This level is still widely deployed for medium-term security requirements.
128 bit:
The standard security level for modern cryptographic algorithms, it provides strong protection.
The use of these methods is safe for most applications in today's IT environments.
192 bits:
A high security level suitable for protecting long-lived or high-value data, such as intellectual property or sensitive business information.
It is particularly relevant when data must remain secure far into the future.
256 bits:
Provides extremely high security and is typically reserved for the most sensitive information, such as national security data or highly confidential long-term corporate secrets.
There are three primary approaches used to determine the security level of a cryptographic algorithm.
Security level by Design
During the design phase of an algorithm, an intended security level is defined based on theoretical assumptions. In practice, this value often represents an upper bound, as real-world attacks may reduce the effective security level over time. An algorithm cannot provide more security than its design target.
Heuristic security level
This approach is based on practical experience, known attack techniques, and the assumption that an algorithm remains secure until a successful attack is discovered. The security level corresponds to the most efficient known attack at a given point in time.
Heuristic assessments are widely used in practice because they reflect real-world threats and implementation considerations. However, they carry the risk that unknown or future attacks may emerge and significantly reduce the perceived security level.
Provable security level
In this approach, the security of an algorithm is established through mathematical proofs. Based on these proofs, the minimum effort required for an optimal attack can be derived. This provides a high degree of confidence, as the security guarantees hold as long as the underlying assumptions remain valid. The actual security of the algorithm is therefore greater than or equal to the proven security level.
Unless explicitly stated otherwise, references to a security level typically imply the heuristic security level.
As more effective attacks on a cryptographic algorithm are discovered and published, its heuristic security level decreases. In parallel, continuous improvements in hardware and computing power mean that security recommendations must be reviewed regularly. Standardisation bodies such as NIST periodically reassess whether minimum recommended security levels should be increased.
Security levels expressed in bits provide a clear and practical way to evaluate the strength and resilience of cryptographic algorithms. They help determine which algorithms are appropriate for specific use cases.
While algorithms offering less than 80 bits of security are considered obsolete today, modern algorithms with security levels of 128 bits or more provide strong protection against classical attacks. Choosing an appropriate security level should always take into account both the expected lifetime of the protected data and the relevant threat model.
In light of emerging technologies such as quantum computing, it is increasingly advisable to consider higher security levels or post-quantum-resistant alternatives when designing cryptographic systems.
Colloquially, an algorithm is often described as “broken” once it is no longer considered secure and a practical attack exists.
More formally, a cryptographic algorithm is considered broken if an attack is found that requires fewer computational resources than the assumed security level of the targeted security property. This does not necessarily mean that the algorithm is immediately unsafe in practice, as a reduced security level may still be high enough to prevent feasible attacks.
However, when an attack significantly lowers the security level of an algorithm, it often indicates underlying structural weaknesses. In such cases, further improvements in attack techniques may follow, potentially leading to practical exploits. As a precaution, algorithms affected in this way should be replaced proactively with more secure alternatives.
FortIT enables secure digital business, supporting companies with innovative digitalization projects and strategic initiatives. With deep expertise in modern technologies, FortIT delivers fast, visible results and lasting impact.
