Algorithms, Key Sizes and Parameters Report

This document collates a series of recommendations for algorithm, keysize and protocol recommendations. In some sense the current document supersedes the ECRYPT and ECRYPT2 “Yearly Report on Algorithms and Key Lengths” published between 2004 and 2012. However, it should be considered as completely distinct. The current document tries to provide a focused set of recommendations in an easy to use form, the prior ECRYPT documents provided more general background information and discussions on general concepts re key size choice, and tried to predict the future ability of cryptanalytic attacks via hardware and software.

In this document we focus on just two decisions which we feel are more crucial to users of cryptography. Firstly, whether a given primitive, scheme, protocol or keysize can be considered for use to day if it is already deployed. We refer to such use as legacy use within our document. If a scheme is not considered suitable for legacy use, or is only considered for such use with certain caveats, then this should be taken as a strong recommendation that the primitive, scheme or protocol be possibly replaced as a matter of urgency (or even that an attack exists). Some of the caveats which may mean a system which it not considered suitable for legacy use may still be secure could be use of limited key lifetimes within a system, mitigating controls, or (in the case of hash functions) relieing on non-collision resistance properties.

(…)

The document does not consider any mechanisms which are currently only of academic interest. In particular all the mechanisms we discuss have been standardized to some extent, and have either been deployed or are due to be deployed in real world systems. This is not a critique of academic research, but purely a means of focusing the document on mechanisms which will be of interest to decision makers in industry and government.