NSA Suite B Cryptography

NSA Suite B Cryptography is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It is to serve as an interoperable cryptographic base for both unclassified information and most classified information.

Suite B consists of:

  • Block Encryption via the Advanced Encryption Standard (AES), with key sizes of 128 or 256 bits. Suite B specifies that AES should be used in the Galois/Counter Mode (GCM) mode.
  • Digital Signatures via the Elliptic-Curve Digital Signature Algorithm (ECDSA).
  • Key Agreement via Elliptic-Curve Diffie-Hellman (ECDH) algorithm.
  • Message Digests via the Secure Hash Algorithm (specifically SHA-256 and SHA-384).

Crypto

Security Strength Symmetric Key Algorithms FFC (DSA, D-H, MQV) IFC (RSA) ECC (ECDSA, ECDH, ECMQV)
80 2TDEA ^1 1024 1024 160-223
112 3TDEA 2048 2048 224-255
128 AES-128 3072 3072 256-383
192 AES-192 7680 7680 384-511
256 AES-256 15360 15360 512+

^1 The guarantee of at least 80-bits of security for 2TDEA is based on the assumption that an attacker has at most 240 matched plaintext and ciphertext blocks.

  • FFC = Finite Field Cryptography
  • IFC = Integer Factorization Cryptography
  • ECC = Elliptic Curve Cryptography

Hash

Security Strength Digital Signatures and Hash-Only Applications HMAC, Key Derivation Functions & Random Number Generation ^1
80 SHA-1 ^2 -
112 SHA-224 -
128 SHA-256 SHA-1
192 SHA-384 SHA-224
256 SHA-512 SHA-256
> 256 - SHA-384, SHA-512

^1 The security strength assumes that the random number generator has been provided with adequate entropy to support the desired security strength.
^2 A recent attack on SHA-1 claims that SHA-1 provides less than 80 bits of security for digit alsignatures; the claimed security strength for digital signatures is 63 - 69 bits.

Crypto Usecase

Unclassified Use Suite B
Min. 80-bit Strength Through 2010 Min. 112-bit Strength After 2010 SECRET TOP SECRET
AES
128
192
256
TDES
2key TDES
3key TDES

Hash Usecase

Unclassified Use Suite B
Min. 80-bit Strength Through 2010 Min. 112-bit Strength After 2010 SECRET TOP SECRET
DSA & RSA
1024
2048
3072
ECDSA
160
224
256 ✓ ^*
384 ✓ ^* ✓ ^*
512

^* Prime Modulus curves only

Key Agreement

Unclassified Use Suite B
Min. 80-bit Strength Through 2010 Min. 112-bit Strength After 2010 SECRET TOP SECRET
Diffie-Hellman, MQV or RSA
1024
2048
EC Diffie-Hellman or EC MQV
160
224
256 ✓ ^*
384 ✓ ^* ✓ ^*
512

^* Prime Modulus curves only

Why AES Why AES-256 and ECC-384 in Suite B?

Theoretically:

  • AES-256 is equivalent to ECC-512
  • AES-192 is equivalent to ECC-384

CNSSP # 15: AES-192 for TOP SECRET

  • AES-192 not included in Suite B

AES-256 with ECC-384 seems a mismatch

  • Little performance penalty for AES-256 over AES-192
  • Many implementers choosing to use AES-256
  • Significant performance cost for ECC-512 compared to ECC-384
  • ECC-384 is strong enough for TOP SECRET
  • Make life simple: use ECC-384, which is fast and strong enough, with AES with AES-256 which is strong and fast enough.

Quantum

How many qubits are required for breaking RSA 2048 and RSA 4096 in real-time with a quantum computer?

Like the answer you linked to shows, about $$$log_2(N^2)=2log_2(N)$$$ or just $$$2n$$$ where $$$n$$$ is the number of bits of the modulus $$$N$$$, i.e. the key size of RSA. So 4096 for 2048-bit RSA, double that for 4096-bit.

This paper (PDF) has an algorithm using $$$2n+3$$$ qubits, where $$$n=log_2(N)$$$, where $$$log_2(N)$$$ is the way to calculate the number of bits in $$$N$$$.



How many qubits are required to break Curve25519?

Breaking elliptic curves requires (pdf, see 6.2) roughly $$$6n$$$ qubits where $$$n$$$ is the order or key size of the curve, which for Curve25519 would be $$$6\times{}255=1530$$$. Less than secure RSA sizes require, but much more than has been accomplished.




Quantum Strength

Algorithm Key Length Classical Bit Strength Quantum bit Stregth Best Quantum Attack
RSA 2048 2048 bits 112 bits 0 bits Shor's
RSA 3072 3072 bits 128 bits 0 bits Shor's
ECC 256 256 bits 128 bits 0 bits Shor's
ECC 521 521 bits 256 bits 0 bits Shor's
AES 128 128 bits 128 bits 64 bits Grover's
AES 256 256 bits 256 bits 128 bits Grover's
SHA 256 256 bits 256 bits 128 bits Grover's


Quantum-Safe options

Approach Quantum-Safe Option Digital Signature Public-Key Encryption Key Agreement
Mathematics Hashes
Lattices
Error Correcting Codes
Isogeny
Multivariate
Physics Quantum Key Distribution (QKD)

Reference

  1. https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography - NSA Suite B Cryptography
  2. http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf
  3. https://koolspan.com/suit-b-encryption/ - NSA Suite B Algorithms
  4. https://crypto.stackexchange.com/questions/35137/how-many-qubits-are-required-to-break-rsa-2048-or-4096-with-a-universal-quantum
  5. https://www.keylength.com/ - Keylength - Cryptographic Key Length Recommendation
  6. https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf
  7. https://x9.org/wp-content/uploads/2017/11/X9_Webinar_-IntroToQSC_2017_11_16_FINAL_AT.pdf - Securing The Future With Quantum-Safe Cryptography
  8. http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf - Quantum Safe Cryptography and Security