**File formats:****Status:**- BEST CURRENT PRACTICE
**Authors:**- H. Orman

P. Hoffman **Stream:**- IETF
**Source:**- NON WORKING GROUP

**Cite this BCP**:
TXT

**Discuss this RFC**: Send questions or comments to iesg@ietf.org

**Other actions**:
Submit Errata |
Find IPR Disclosures from the IETF |
View History of RFC

## Abstract

Implementors of systems that use public key cryptography to exchange symmetric keys need to make the public keys resistant to some predetermined level of attack. That level of attack resistance is the strength of the system, and the symmetric keys that are exchanged must be at least as strong as the system strength requirements. The three quantities, system strength, symmetric key strength, and public key strength, must be consistently matched for any network protocol usage. While it is fairly easy to express the system strength requirements in terms of a symmetric key length and to choose a cipher that has a key length equal to or exceeding that requirement, it is harder to choose a public key that has a cryptographic strength meeting a symmetric key strength requirement. This document explains how to determine the length of an asymmetric key as a function of a symmetric key strength requirement. Some rules of thumb for estimating equivalent resistance to large-scale attacks on various algorithms are given. The document also addresses how changing the sizes of the underlying large integers (moduli, group sizes, exponents, and so on) changes the time to use the algorithms for key exchange. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.

For the definition of **Status**,
see RFC 2026.

For the definition of **Stream**, see RFC 8729.