Editing Key size (section)

==Symmetric algorithm key lengths==
IBM's [[Lucifer (cipher)|Lucifer cipher]] was selected in 1974 as the base for what would become the [[Data Encryption Standard]]. Lucifer's key length was reduced from 128 bits to [[56-bit encryption|56 bits]], which the [[National Security Agency|NSA]] and NIST argued was sufficient for non-governmental protection at the time. The NSA has major computing resources and a large budget; some cryptographers including [[Whitfield Diffie]] and [[Martin Hellman]] complained that this made the cipher so weak that NSA computers would be able to break a DES key in a day through brute force [[parallel computing]]. The NSA disputed this, claiming that brute-forcing DES would take them "something like 91 years".<ref>{{cite web |url=http://www.toad.com/des-stanford-meeting.html |title=DES Stanford-NBS-NSA meeting recording & transcript |website=Toad.com |access-date=2016-09-24 |archive-url=https://web.archive.org/web/20120503083539/http://www.toad.com/des-stanford-meeting.html |archive-date=2012-05-03 |url-status=dead }}</ref>

However, by the late 90s, it became clear that DES could be cracked in a few days' time-frame with custom-built hardware such as could be purchased by a large corporation or government.<ref name="fortify">{{cite web |url=http://www.fortify.net/related/cryptographers.html |title=Minimal key lengths for symmetric ciphers to provide adequate commercial security |first1=Matt |last1=Blaze |author-link1=Matt Blaze |first2=Whitefield |last2=Diffie |author-link2=Whitfield Diffie |first3=Ronald L. |last3=Rivest |author-link3=Ron Rivest |first4=Bruce |last4=Schneier |author-link4=Bruce Schneier |first5=Tsutomu |last5=Shimomura |author-link5=Tsutomu Shimomura |first6=Eric |last6=Thompson |first7=Michael |last7=Wiener |date=January 1996 |publisher=[[Fortify (Netscape)|Fortify]] |access-date=14 October 2011 |df=ymd-all}}</ref><ref>[http://object.cato.org/sites/cato.org/files/pubs/pdf/bp51.pdf Strong Cryptography The Global Tide of Change], Cato Institute Briefing Paper no. 51, Arnold G. Reinhold, 1999</ref> The book ''Cracking DES'' (O'Reilly and Associates) tells of the successful ability in 1998 to break 56-bit DES by a brute-force attack mounted by a cyber civil rights group with limited resources; see [[EFF DES cracker]]. Even before that demonstration, 56 bits was considered insufficient length for [[symmetric-key algorithm|symmetric algorithm]] keys for general use. Because of this, DES was replaced in most security applications by [[Triple DES]], which has 112 bits of security when using 168-bit keys (triple key).<ref name=NISTSP800-131Ar2/>

The [[Advanced Encryption Standard]] published in 2001 uses key sizes of 128, 192 or 256 bits. Many observers consider 128 bits sufficient for the foreseeable future for symmetric algorithms of [[Advanced Encryption Standard|AES]]'s quality until [[quantum computer]]s become available.{{citation needed|date=September 2013}} However, as of 2015, the U.S. [[National Security Agency]] has issued guidance that it plans to switch to quantum computing resistant algorithms and now requires 256-bit AES keys for data [[classified information in the United States|classified up to Top Secret]].<ref name=NSASuiteBphaseout/>

In 2003, the U.S. National Institute for Standards and Technology, [[National Institute of Standards and Technology|NIST]] proposed phasing out 80-bit keys by 2015. At 2005, 80-bit keys were allowed only until 2010.<ref>
{{cite journal |url=https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-57p1.pdf |archive-url=https://web.archive.org/web/20161213220801/http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-57p1.pdf |archive-date=2016-12-13 |url-status=live |title=Recommendation for Key Management – Part 1: General |date=2005-08-01 |access-date=2019-01-08 |journal=NIST Special Publication |publisher=[[National Institute of Standards and Technology]] |doi=10.6028/NIST.SP.800-57p1 |first1=Elaine |last1=Barker |first2=William |last2=Barker |first3=William |last3=Burr |first4=William |last4=Polk |first5=Miles |last5=Smid |at=Table 4, p. 66 }}
</ref>

Since 2015, NIST guidance says that "the use of keys that provide less than 112 bits of [[security strength]] for key agreement is now disallowed." NIST approved symmetric encryption algorithms include three-key [[Triple DES]], and [[Advanced Encryption Standard|AES]]. Approvals for two-key Triple DES and [[Skipjack (cipher)|Skipjack]] were withdrawn in 2015; the [[NSA]]'s Skipjack algorithm used in its [[Fortezza]] program employs 80-bit keys.<ref name=NISTSP800-131Ar2>{{cite web|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf |title=Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, NIST SP-800-131A Rev 2 |date=March 2019 |first1=Elaine |last1=Barker |first2=Allen |last2=Roginsky|website=Nvlpubs.nist.gov|access-date=2023-02-11 |df=ymd-all}}</ref>