A security strength of s bits is said to be supported by a particular choice of algorithm, primitive, auxiliary function, or parameters for use in the implementation of a cryptographic mechanism if that choice will not prevent the resulting implementation from attaining a security strength of at least s bits.In this Recommendation, it is assumed that implementation choices are intended to support a security strength of 112 bits or more (see [SP 800-57] and [SP 800-131A]).

Source: NIST SP 800-56C Rev. 2 | Category: