Key length for integer- and finite-field cryptography

David Leon Gil coruus at
Thu Aug 7 21:56:37 CEST 2014

>  ENISA's key equivalencies are different from NIST's

Enisa surveys bit-length recommendations comprehensively; the NIST
recommendation is always the *shortest* bit-length.

112-bit security: 2048 bits to 3154 bits
128-bit security  3072 bits to 5888 bits
256-bit security: 15360 bits to 46752(!) bits

They recommend, for new cryptosystems, RSA keys of length at least
3072 bits if "near term" security is desired and 15360 bits if "long
term" security is required.

Enisa report, table 3.1 (p. 22), table 3.6 (p. 35):

The Enisa report is much better reading than the NIST recommendation,
by the way. :)

More information about the Gnupg-devel mailing list