Comparison of cryptographic strength


This table appears in NIST Special Publication 800-57 from July 2012 titled 'Recommendation for Key Management – Part 1: General(Revision 3)'.  This table is about classical security.



















The classical security of curve25519 is 128 bits and matches that of a 3072 bit RSA/Diffie-Hellman public key.

Curve25519 and other classical elliptic, DH and RSA public keys can be broken using quantum computer (if they become reality in code breaking).

The classical security of a SIDH key is 192 bits. In scientific papers authors of SIDH (p751) construction state that its quantum security is roughly 128 bits, in NIST’s Post-Quantum Cryptography project they classify it as "matching the post-quantum security of AES192" - this refers to NIST's Quantum Security Strength Categories III. 

Security of 128 bits means that about 2^128 operations are needed to find the secret key.

How long  would one such quantum computing operation take - quite probably it requires more time than current classical encryption operation. 

To put that into perspective consider the bitcoin network. It currently does below 30x10^18 hash operations per second (see Current encryption operations may be faster than hash operations, let's estimate that bitcoin network can do those 100 times faster i.e. at 30x10^20 operations per second. Thus the network could now break 128 bit security in

2^128 /  30x10^20 / 31536000 = 3 596 761 023 years.

Note: the reader can check the calculations using e.g. the Windows calculator.

Consider now bitcoin's energy consumption. This is now estimated to be between 18 TWh and 59 TWh per year (see

If we take the lowest value 18 TWh/year and multiply that with the years needed we get:

3596761023 x 18 Twh=64 741 698 414 TWh which is the energy needed to break 128 bit security in current technology.  On year 2015 world's total electricity consumption was 20 201,31 TWh (according to International Energy Agency).

A theoretical minimum required value for energy consumption can be calculated. In ideal circumstances near the absolute zero temperature it takes 4,4 x 10^(-16) ergs to clear or set one bit, now 2^128 x 4,4 x 10^(-16) ergs = 149724241445212923923884 ergs = 4 TWh which equals 343 938 tons of oil. Of course in reality one has to set or clear more than 1 bit per operation.

It is left as an exercise to the reader to construct a code breaking station to the moon :-) Could it be possible to use sun's energy there? It seems that from code breaking's viewpoint at 128 bit security level the time requirement is bigger problem than energy consumption if one can do operations at very low temperature level.

Suppose now that there would exist an ideal code breaking processor that would use no time at all in code breaking! It would use only energy.  If the user only inputs enough electricity to the processor it outputs the result immediately. The processor however must be able to handle the thermal heating caused by the electricity. If one inputs 1 W of electricity then the processor must be cooled for 1 W.

Suppose further that  one needs to set (or clear) 1000 bits per operation. The energy needed to break 128 bit security is thus 1000 x 4 TWh i.e. 4000 TWh.

If one would like to use the International Space Station as code breaking station then one coud use its radiators. They can radiate about 70 KW ( see

To use ISS as a code breaking station using the ideal processor would take

4x10^15 / 70x10^3 = 57 142 857 142 hours / 8760  = 6 523 157 years.

If one wants to build a bigger radiator then a 1000m x 1000 m two sided thermal radiator in space can radiate  8,4511149192e+8 Watts (see

The time required in this case using the ideal processor is thus

4x10^15 /  8,4511149192e+8 = 4 733 103 hours / 8760 = 540 years.

Perhaps it would be easier to do the cooling on earth?  What are the calculations then?