Key length

from Wikipedia, the free encyclopedia

The key length is an important property of a cryptographic method: it is a logarithmic measure of the number of different possible keys the method has.


The set of all possible keys of a cryptographic method is called its key space. The number of keys N is the size of the key space, i.e. the number of all possible keys. For symmetric methods it is related to the key length (given in bits) as follows:

Key length = log₂ N

where log₂ N denotes the logarithm of N to base 2 (logarithmus dualis, often abbreviated ld).

With classical (non-computer-based) methods, for example simple monoalphabetic substitution or the Enigma cipher machine, the number of all possible keys is usually given directly. With modern methods it is more practical to convert to a key length in bits using the formula above, so that one does not have to work with unwieldy large numbers. In asymmetric cryptosystems the key length is defined as the length of a key in bits, independently of the number of keys, because not every bit string of that length is a valid key.

Key length and security level

The key length is an important, but not the only decisive, criterion for the practical security of a cryptographic method. With a small key space an attacker can simply try every possible key. The key space must therefore be large enough to make such a brute-force attack futile. An extreme counterexample is the Caesar cipher: it has only 26 different keys, which can be tried by hand very quickly. (Strictly there are only 25 useful keys, since one of the 26 maps every letter to itself and leaves the plaintext unchanged.) The Caesar cipher can thus be broken by exhaustive key search alone, without any further knowledge or any special cryptanalytic method.

However, a large key space alone is not enough to guarantee the security of a method. A secure symmetric method must admit no attack that is faster than trying all keys. For example, even a method as simple as monoalphabetic substitution has an impressively large key space of 26! (26 factorial) different keys, i.e. 403,291,461,126,605,635,584,000,000 keys; the key length is a little more than 88 bits. Despite this enormous number of keys, which makes exhaustive key search futile even with today's means, the method is broken very easily, for example by statistical attacks (letter-frequency analysis) or by pattern search.
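The following Python example is added here to illustrate the three points above; it is not code from the article. It computes the key length log₂ N for some of the key counts quoted on this page, breaks a Caesar ciphertext by exhaustive search over its 25 keys, and then shows that a monoalphabetic substitution with 26! keys falls to letter statistics without a single key being tried. The sample plaintext, the letter-frequency table (standard rounded English percentages) and the chi-squared scoring are constructed for the example.

```python
# Added example (not from the article): key-space size versus practical security.
import math
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Key counts quoted on the page; key_length_bits() turns them into bits.
KEY_COUNTS = {
    "Caesar cipher": 25,
    "DES": 2 ** 56,
    "monoalphabetic substitution": math.factorial(26),
    "AES-128": 2 ** 128,
}

# Constructed sample plaintext (long enough for letter statistics to work).
SAMPLE_PLAINTEXT = (
    "THE KEY SPACE OF A MONOALPHABETIC CIPHER HAS TWENTY SIX FACTORIAL KEYS "
    "BUT THE LETTER FREQUENCIES OF ENGLISH SURVIVE ENCRYPTION SO THE MOST "
    "FREQUENT CIPHERTEXT LETTER ALMOST ALWAYS STANDS FOR E"
)

# Relative English letter frequencies in percent (assumption: standard rounded table).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1,
    "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9,
    "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15,
    "Y": 2.0, "Z": 0.074,
}


def key_length_bits(num_keys: int) -> float:
    """Key length in bits = log2(N). math.log2 accepts arbitrarily large Python ints."""
    return math.log2(num_keys)


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions; non-letters pass through unchanged."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text.upper()
    )


def english_score(text: str) -> float:
    """Chi-squared distance from English letter frequencies; lower is more English-like."""
    letters = [c for c in text if c in ALPHABET]
    counts = Counter(letters)
    n = len(letters)
    return sum(
        (counts[c] - ENGLISH_FREQ[c] / 100 * n) ** 2 / (ENGLISH_FREQ[c] / 100 * n)
        for c in ALPHABET
    )


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Exhaustive key search: try all 25 non-trivial shifts, keep the best-scoring plaintext."""
    best = min(range(1, 26), key=lambda k: english_score(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)


def substitution_encrypt(text: str, key: str) -> str:
    """Monoalphabetic substitution; `key` is a permutation of the 26 letters (26! choices)."""
    return text.upper().translate(str.maketrans(ALPHABET, key))


def guess_substitution_key_fragment(ciphertext: str, top: int = 1) -> dict[str, str]:
    """Statistical attack: map the most frequent ciphertext letters onto the most
    frequent English letters. No key is tried, so the 26! key space is irrelevant."""
    cipher_rank = [c for c, _ in Counter(ch for ch in ciphertext if ch in ALPHABET).most_common(top)]
    english_rank = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)[:top]
    return dict(zip(cipher_rank, english_rank))


if __name__ == "__main__":
    for name, n in KEY_COUNTS.items():
        print(f"{name}: {n} keys = {key_length_bits(n):.1f} bits")
    shift, recovered = break_caesar(caesar(SAMPLE_PLAINTEXT, 3))
    print("Caesar key found by exhaustive search:", shift, recovered == SAMPLE_PLAINTEXT)
    ct = substitution_encrypt(SAMPLE_PLAINTEXT, ALPHABET[::-1])  # reversed alphabet as the key
    print("Most frequent ciphertext letter maps to:", guess_substitution_key_fragment(ct))
```

Running the script prints the key lengths of the page's examples, recovers the Caesar shift by trying all 25 keys, and maps the most frequent ciphertext letter of the substitution ciphertext (V, because E is reversed to V) back to E without touching the 2^88 key space.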

If the requirement is met that no attack is faster than trying all keys, then the key length of a symmetric method also gives its security level, i.e. the effort an attacker must spend to break the method at that key length. Which key length is used can therefore depend on the expected computing power of the anticipated attacker. Because of advances in computer hardware, some older methods once considered secure can now be broken by exhaustive key search. One example is the Data Encryption Standard (DES), which served as the standard encryption method for several decades towards the end of the twentieth century and whose 56-bit key is too short by today's standards. Today at least 128 bits is regarded as a secure key length for symmetric methods. Note, however, that the assessment of what counts as a "secure" key length may change sooner or later, whether through fundamentally better mathematical methods or through the significantly faster computers that are conceivable in the future.

With asymmetric methods (public-key methods), the security level is not equal to the key length but significantly lower. First, the key length does not directly give the number of possible keys, since a key describes a mathematical object. In the RSA cryptosystem, for example, there are not 2^1024 keys of length 1024 bits, because not every 1024-bit number is an RSA modulus, i.e. the product of two prime numbers. Second, there are known methods (for RSA, factoring the modulus with the general number field sieve) that are considerably faster than trying all keys. These must be taken into account when estimating the equivalent security level. To break RSA with a 1024-bit key, such an algorithm needs roughly 2^73 elementary operations, so the equivalent security level is 73 bits.
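The following Python example is added to make both halves of the argument concrete; it is not code from the article. Instead of 1024-bit keys it uses toy 20-bit RSA moduli (products of two 10-bit primes) so that everything can be enumerated, and it uses trial division as the "faster-than-brute-force" attack in place of the number field sieve, which is a simplification chosen for the example. The modulus 1009 · 1013 is constructed for the demonstration.

```python
# Added example (not from the article): why an n-bit RSA key gives far fewer than n bits
# of security. Toy parameters: 20-bit moduli, trial-division factoring.
import math


def primes_up_to(limit: int) -> list[int]:
    """Sieve of Eratosthenes returning all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(limit) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_p in enumerate(sieve) if is_p]


def rsa_moduli(bits: int) -> set[int]:
    """All `bits`-bit integers that are a product of two distinct (bits//2)-bit primes.
    Only these are valid keys; every other bit string of that length is not a key at all."""
    half = bits // 2
    ps = [p for p in primes_up_to(2 ** half - 1) if p >= 2 ** (half - 1)]
    lo, hi = 2 ** (bits - 1), 2 ** bits
    out = set()
    for i, p in enumerate(ps):
        for q in ps[i + 1:]:
            n = p * q
            if lo <= n < hi:
                out.add(n)
    return out


def valid_modulus_fraction(bits: int) -> float:
    """Share of the 2^(bits-1) integers with the top bit set that are valid moduli here."""
    return len(rsa_moduli(bits)) / 2 ** (bits - 1)


def factor_by_trial_division(n: int) -> tuple[int, int, int]:
    """Return (p, q, divisions tried). Work is about sqrt(n) ~ 2^(bits/2), not 2^bits."""
    tries = 0
    for d in range(2, math.isqrt(n) + 1):
        tries += 1
        if n % d == 0:
            return d, n // d, tries
    raise ValueError("no non-trivial factor found")


def security_bits_against_trial_division(n: int) -> float:
    """Equivalent security level: log2 of the work the best attack in this toy actually needs."""
    return math.log2(factor_by_trial_division(n)[2])


if __name__ == "__main__":
    bits = 20
    print(f"valid {bits}-bit moduli: {len(rsa_moduli(bits))} of 2^{bits - 1} "
          f"= {valid_modulus_fraction(bits):.4%}")
    n = 1009 * 1013  # constructed toy modulus, 20 bits
    p, q, work = factor_by_trial_division(n)
    print(f"n={n} = {p}*{q} after {work} divisions "
          f"(~{security_bits_against_trial_division(n):.1f} bits of work, not {bits})")
```

With the toy parameters well under one percent of all 20-bit strings are valid RSA moduli, and recovering the private key by factoring costs about 2^10 divisions rather than 2^20 trials. At 1024 bits the number field sieve plays the role of trial division here, which is what brings the equivalent security level down to the 73 bits quoted above.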

Examples of key counts and key lengths

  • Caesar cipher: 25 keys (log₂ 25 ≈ 4.6, i.e. approximately 5 bits)
  • DES: 2^56 = 72,057,594,037,927,936 (56 bits)
  • Enigma I: 103,325,660,891,587,134,000,000 (approximately 76 bits)
  • Enigma M4: 60,176,864,903,260,346,841,600,000 (almost 86 bits)
  • Monoalphabetic substitution: 26! (26 factorial) = 403,291,461,126,605,635,584,000,000 (approximately 88 bits)
  • Triple DES: 2^112 = 5,192,296,858,534,827,628,530,496,329,220,096 (112 bits; three independent 56-bit keys give 168 key bits, but a meet-in-the-middle attack reduces the effective security level to 112 bits)
  • AES: selectable
    • 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (128 bits),
    • 2^192 = 6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896 (192 bits) or
    • 2^256 = 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (256 bits)
