RSA Key Strength Calculator

Reviewed by the CalculatorHub team, edited by James Graham. Security strength levels from NIST SP 800-57 Part 1. Last verified 15 June 2026.

RSA key size in bits does not equal the security strength in bits. Factoring large integers using the general number field sieve algorithm requires far less effort than brute-forcing a symmetric key of the same length, so an RSA key offers only a fraction of its bit count as effective security. NIST SP 800-57 Part 1 provides a mapping from RSA modulus sizes to their symmetric-equivalent security strength in bits. This calculator uses NIST's published table values to report the security strength, compliance status, and recommended equivalent symmetric cipher for a given RSA key size.

RSA key size (bits) Common sizes: 1024, 2048, 3072, 4096, 7680, 15360

Symmetric-equivalent strength (bits)

0.00

NIST SP 800-57 status

n/a

NIST SP 800-57 RSA security strength table

1,024 bits = 80-bit security (deprecated)
2,048 bits = 112-bit security (acceptable through 2030)
3,072 bits = 128-bit security (recommended post-2030)
7,680 bits = 192-bit security
15,360 bits = 256-bit security

Values between table entries are interpolated linearly in this calculator. The formula used for arbitrary key sizes approximates the general number field sieve complexity: security bits = (1.923 * (ln N)^(1/3) * (ln ln N)^(2/3)) / ln 2 where N = 2^(key bits).

Choosing the right RSA key size

1,024-bit RSA: deprecated by NIST after 2013. Do not use for new applications.
2,048-bit RSA: minimum acceptable for new systems; provides 112-bit security through at least 2030.
3,072-bit RSA: recommended for systems requiring security beyond 2030; provides 128-bit security.
4,096-bit RSA: provides approximately 140-bit security; common for CA root certificates.
Consider ECC (P-256, P-384) for equivalent security with significantly smaller key sizes and faster operations.

RSA key strength calculator: frequently asked questions

Why does a 2,048-bit RSA key not give 2,048 bits of security?

RSA security depends on the difficulty of factoring large integers, which is harder than brute-forcing a symmetric key of the same bit length. Sub-exponential factoring algorithms (such as the number field sieve) mean a 2,048-bit RSA key provides approximately 112 bits of symmetric-equivalent security, far less than 2,048.

What does NIST recommend for RSA key sizes?

NIST SP 800-57 Part 1 recommends at least 2,048-bit RSA keys for new systems through 2030, providing 112 bits of security strength. For security beyond 2030, NIST recommends at least 3,072-bit keys (128-bit security strength).

How does elliptic curve cryptography compare to RSA for the same security level?

ECC provides the same security level with much smaller keys. A 256-bit ECC key (as in ECDSA P-256) gives approximately 128 bits of security, equivalent to a 3,072-bit RSA key. This makes ECC more efficient in bandwidth and computation.

Is 1,024-bit RSA still considered secure?

No. NIST deprecated 1,024-bit RSA keys after 2013. They provide approximately 80 bits of security, which is below the minimum acceptable threshold. All modern systems should use at least 2,048-bit RSA keys.

What is the NIST SP 800-57 symmetric-equivalent formula?

NIST SP 800-57 provides a table mapping RSA key sizes to security strengths. The approximate formula for the security strength s in bits is: s = (1.923 * cbrt(ln(2^k) * (ln(ln(2^k)))^2))^(1/3) * 64/3, but in practice the NIST table values are used directly.

Official sources

NIST SP 800-57 Part 1 Rev 5 Recommendation for Key Management: csrc.nist.gov.
NIST SP 800-131A Rev 2 Transitioning the Use of Cryptographic Algorithms and Key Lengths: csrc.nist.gov.

Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.