Symmetric Key Size
「 Overview 」
Recommended 「 Unordered | Distinct Use-Cases 」
256-bit
There’s essentially no reason not to use 256-bit keys for symmetric encryption.
This is the only available key size for most (X)ChaCha20 and (X)Salsa20 implementations,
it’s the key size that’s used for top secret material by intelligence agencies and governments,
and it’s now recommended for long-term storage due to concerns surrounding quantum
computers being able to brute-force 128-bit keys.
512-bit
If you’re using a MAC like HMAC-SHA512 or keyed
BLAKE2b-512, then you should use a 512-bit key.
This helps with domain separation when deriving keys, and it’s recommended to always
use a key size as large as the output length for HMAC (256-bit key for HMAC-SHA256).
This ensures that the key size doesn’t decrease the security provided by the MAC.
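One way to apply the 512-bit MAC key guidance, as an added example that is not from the original page: HKDF-SHA512 with distinct info labels derives a 256-bit encryption key and a 512-bit HMAC-SHA512 key from one master secret. The function names and labels are assumptions made for illustration, and the sample inputs are constructed.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha512
MAC_KEY_LEN = HASH().digest_size  # 64 bytes = 512 bits, matches the tag length
ENC_KEY_LEN = 32                  # 256-bit key for the cipher


def hkdf_sha512(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-512: extract, then expand under an `info` label."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long for HKDF")
    prk = hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master: bytes) -> tuple[bytes, bytes]:
    """Distinct labels give independent keys (labels are hypothetical examples)."""
    if len(master) < 32:
        raise ValueError("master secret must be at least 256 bits")
    enc_key = hkdf_sha512(master, b"example/v1/encryption", ENC_KEY_LEN)
    mac_key = hkdf_sha512(master, b"example/v1/authentication", MAC_KEY_LEN)
    return enc_key, mac_key


def tag(mac_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA512 tag; rejects keys shorter than the 512-bit output."""
    if len(mac_key) < MAC_KEY_LEN:
        raise ValueError("MAC key shorter than the MAC output length")
    return hmac.new(mac_key, message, HASH).digest()


def verify(mac_key: bytes, message: bytes, received: bytes) -> bool:
    """Constant-time comparison of the expected and received tags."""
    return hmac.compare_digest(tag(mac_key, message), received)


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed sample secret
    enc_key, mac_key = derive_keys(master)
    t = tag(mac_key, b"constructed sample message")
    print(len(enc_key) * 8, len(mac_key) * 8, verify(mac_key, b"constructed sample message", t))
```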
Avoid 「 In Order 」
Smaller than 128-bit keys
These won’t stand the test of time and in some cases can already be brute-forced.
Symmetric Encryption + Large Keys
Such As Threefish
Anything over 256-bit is currently regarded as unnecessary.
Furthermore, encryption algorithms supporting such key sizes are very unpopular in practice.
Note that the situation is different for MACs, as explained in point 2 of the Recommended section above.
128-bit
This is the minimum, but please just use 256-bit keys because
they provide a higher security margin for an insignificant cost.
The argument that AES-128 is more secure than AES-256 due
to certain attacks being more effective on AES-256 is incorrect
because such attacks are not practical in the real world.
You should ideally use ChaCha20 instead of AES anyway since
it has a higher security margin and runs in constant time, avoiding
timing attacks, as explained in the Symmetric Encryption Use section.