NIST Algorithm and
Key Size Recommendations

Equivalent Algorithm Strengths

 

Bits of
Security
Symmetric
Cipher
Hash
Alg.
DSA, D-H, MQV
(discrete log systems)
RSA
ECC
80 2TDEA SHA-1
and above
L=1024
N=160
k=1024 f=160-223
112 3TDEA SHA-224
and above
L=2048
N=224
k=2048 f=224-255
128 AES-128 SHA-256
and above
L=3072
N=256
k=3072 f=256-383
192 AES-192 SHA-384
and above
L=7680
N=384
k=7680 f=384-511
256 AES-256 SHA-512 L=15360
N=512
k=15360 f=512+

The hash algorithm requirements listed above apply only to digital signatures and hash-only operations. For HMAC, key derivation, and pseudo-random number generation, the use of SHA-1 and above is allowed up to 128 bits; SHA-224 and above at 192 bits; SHA256 and above at 256 bits. (See NIST SP 800-57.)


Recommended Algorithms and Minimum Key Sizes

 

Years
Symmetric
Alg.
DSA,
D-H,
MQV
RSA
ECC
Present-2010
(min. 80 bits)
2TDEA
3TDEA
AES-128
AES-192
AES-256
Min:
L=1024
N=160
Min:
k=1024
Min:
f=160
Through 2030
(min. 112 bits)
3TDEA
AES-128
AES-192
AES-256
Min:
L=2048
N=224
Min:
k=2048
Min:
f=224
Beyond 2030
(min. 128 bits)
TDES
AES-128
AES-192
AES-256
Min:
L=3072
N=256
Min:
k=3072
Min:
f=256


The data on this page is taken from NIST SP 800-57.