# NSA Suite B Cryptography

NSA Suite B Cryptography is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It is to serve as an interoperable cryptographic base for both unclassified information and most classified information.

Suite B consists of:

- Block Encryption via the Advanced Encryption Standard (AES), with key sizes of 128 or 256 bits. Suite B specifies that AES should be used in the Galois/Counter Mode (GCM) mode.
- Digital Signatures via the Elliptic-Curve Digital Signature Algorithm (ECDSA).
- Key Agreement via Elliptic-Curve Diffie-Hellman (ECDH) algorithm.
- Message Digests via the Secure Hash Algorithm (specifically SHA-256 and SHA-384).

# Crypto

Security Strength | Symmetric Key Algorithms | FFC (DSA, D-H, MQV) | IFC (RSA) | ECC (ECDSA, ECDH, ECMQV) |
---|---|---|---|---|

80 | 2TDEA ^1 | 1024 | 1024 | 160-223 |

112 | 3TDEA | 2048 | 2048 | 224-255 |

128 | AES-128 | 3072 | 3072 | 256-383 |

192 | AES-192 | 7680 | 7680 | 384-511 |

256 | AES-256 | 15360 | 15360 | 512+ |

^1 The guarantee of at least 80-bits of security for 2TDEA is based on the assumption that an attacker has at most 240 matched plaintext and ciphertext blocks.

- FFC = Finite Field Cryptography
- IFC = Integer Factorization Cryptography
- ECC = Elliptic Curve Cryptography

# Hash

Security Strength | Digital Signatures and Hash-Only Applications | HMAC, Key Derivation Functions & Random Number Generation ^1 |
---|---|---|

80 | SHA-1 ^2 | - |

112 | SHA-224 | - |

128 | SHA-256 | SHA-1 |

192 | SHA-384 | SHA-224 |

256 | SHA-512 | SHA-256 |

> 256 | - | SHA-384, SHA-512 |

^1 The security strength assumes that the random number generator has been provided with adequate entropy to support the desired security strength.

^2 A recent attack on SHA-1 claims that SHA-1 provides less than 80 bits of security for digit alsignatures; the claimed security strength for digital signatures is 63 - 69 bits.

# Crypto Usecase

Unclassified Use | Suite B | |||
---|---|---|---|---|

Min. 80-bit Strength Through 2010 | Min. 112-bit Strength After 2010 | SECRET | TOP SECRET | |

AES | ||||

128 | ✓ | ✓ | ✓ | |

192 | ✓ | ✓ | ||

256 | ✓ | ✓ | ✓ | ✓ |

TDES | ||||

2key TDES | ✓ | |||

3key TDES | ✓ | ✓ |

# Hash Usecase

Unclassified Use | Suite B | |||
---|---|---|---|---|

Min. 80-bit Strength Through 2010 | Min. 112-bit Strength After 2010 | SECRET | TOP SECRET | |

DSA & RSA | ||||

1024 | ✓ | |||

2048 | ✓ | ✓ | ||

3072 | ✓ | ✓ | ||

ECDSA | ||||

160 | ✓ | |||

224 | ✓ | ✓ | ||

256 | ✓ | ✓ | ✓ ^* | |

384 | ✓ | ✓ | ✓ ^* | ✓ ^* |

512 | ✓ | ✓ |

^* Prime Modulus curves only

# Key Agreement

Unclassified Use | Suite B | |||
---|---|---|---|---|

Min. 80-bit Strength Through 2010 | Min. 112-bit Strength After 2010 | SECRET | TOP SECRET | |

Diffie-Hellman, MQV or RSA | ||||

1024 | ✓ | |||

2048 | ✓ | ✓ | ||

EC Diffie-Hellman or EC MQV | ||||

160 | ✓ | |||

224 | ✓ | ✓ | ||

256 | ✓ | ✓ | ✓ ^* | |

384 | ✓ | ✓ | ✓ ^* | ✓ ^* |

512 | ✓ | ✓ |

^* Prime Modulus curves only

# Why AES Why AES-256 and ECC-384 in Suite B?

Theoretically:

- AES-256 is equivalent to ECC-512
- AES-192 is equivalent to ECC-384

CNSSP # 15: AES-192 for TOP SECRET

- AES-192 not included in Suite B

AES-256 with ECC-384 seems a mismatch

- Little performance penalty for AES-256 over AES-192
- Many implementers choosing to use AES-256
- Significant performance cost for ECC-512 compared to ECC-384
- ECC-384 is strong enough for TOP SECRET
- Make life simple: use ECC-384, which is fast and strong enough, with AES with AES-256 which is strong and fast enough.

# Quantum

#### How many qubits are required for breaking RSA 2048 and RSA 4096 in real-time with a quantum computer?

Like the answer you linked to shows, about or just where is the number of bits of the modulus , i.e. the key size of RSA. So 4096 for 2048-bit RSA, double that for 4096-bit.

This paper (PDF) has an algorithm using qubits, where , where is the way to calculate the number of bits in .

#### How many qubits are required to break Curve25519?

Breaking elliptic curves requires (pdf, see 6.2) roughly qubits where is the order or key size of the curve, which for Curve25519 would be . Less than secure RSA sizes require, but much more than has been accomplished.

#### Quantum Strength

Algorithm | Key Length | Classical Bit Strength | Quantum bit Stregth | Best Quantum Attack |
---|---|---|---|---|

RSA 2048 | 2048 bits | 112 bits | 0 bits | Shor's |

RSA 3072 | 3072 bits | 128 bits | 0 bits | Shor's |

ECC 256 | 256 bits | 128 bits | 0 bits | Shor's |

ECC 521 | 521 bits | 256 bits | 0 bits | Shor's |

AES 128 | 128 bits | 128 bits | 64 bits | Grover's |

AES 256 | 256 bits | 256 bits | 128 bits | Grover's |

SHA 256 | 256 bits | 256 bits | 128 bits | Grover's |

#### Quantum-Safe options

Approach | Quantum-Safe Option | Digital Signature | Public-Key Encryption | Key Agreement |
---|---|---|---|---|

Mathematics | Hashes | ✓ | ||

Lattices | ✓ | ✓ | ✓ | |

Error Correcting Codes | ✓ | ✓ | ||

Isogeny | ✓ | ✓ | ✓ | |

Multivariate | ✓ | ✓ | ||

Physics | Quantum Key Distribution (QKD) | ✓ |

# Reference

- h
t -t p s : / / e n . w i k i p e d i a . o r g / w i k i / N S A S u i t e B _ C r y p t o g r a p h y *NSA Suite B Cryptography* - h
t t p : / / c s r c . n i s t . g o v / g r o u p s / S M A / i s p a b / d o c u m e n t s / m i n u t e s / 2 0 0 6 - 0 3 / E _ B a r k e r - M a r c h 2 0 0 6 - I S P A B . p d f - h
t -t p s : / / k o o l s p a n . c o m / s u i t - b - e n c r y p t i o n / *NSA Suite B Algorithms* - h
t t p s : / / c r y p t o . s t a c k e x c h a n g e . c o m / q u e s t i o n s / 3 5 1 3 7 / h o w - m a n y - q u b i t s - a r e - r e q u i r e d - t o - b r e a k - r s a - 2 0 4 8 - o r - 4 0 9 6 - w i t h - a - u n i v e r s a l - q u a n t u m - h
t -t p s : / / w w w . k e y l e n g t h . c o m / *Keylength - Cryptographic Key Length Recommendation* - h
t t p s : / / c r y p t o m e . o r g / 2 0 1 6 / 0 1 / C N S A - S u i t e - a n d - Q u a n t u m - C o m p u t i n g - F A Q . p d f - h
t -t p s : / / x 9 . o r g / w p - c o n t e n t / u p l o a d s / 2 0 1 7 / 1 1 / X 9 W e b i n a r - I n t r o T o Q S C 2 0 1 7 1 1 1 6 F I N A L _ A T . p d f *Securing The Future With Quantum-Safe Cryptography* - h
t -t p : / / w w w . e t s i . o r g / i m a g e s / f i l e s / E T S I W h i t e P a p e r s / Q u a n t u m S a f e W h i t e p a p e r . p d f *Quantum Safe Cryptography and Security*