Re: Triple AES (3AES)
jsavard_at_ecn.ab.ca
Date: 05/24/03
- Next message: Brian Gladman: "Re: Cohen's paper on byte order"
- Previous message: Mok-Kong Shen: "Re: Cohen's paper on byte order"
- In reply to: Victor: "Re: Triple AES (3AES)"
- Next in thread: Scott Contini: "Re: Triple AES (3AES)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 May 2003 18:37:44 GMT
Victor (victor2000@Hotbox.ru) wrote:
: How do you know the possibilities in the computing power of the NSA and
: related ?
We do know the laws of physics.
A 128-bit key is very big. There are 2^48 times as many 128-bit keys as
there are 80-bit keys, and there are 2^24 times as many 80-bit keys as
there are 56-bit keys.
It has been shown that, with a fair amount of expensive special-purpose
hardware, the 56-bit keys of DES can be brute-forced. Extrapolating from
that, the NSA might well be able, by making a great effort, to brute-force
an 80-bit key, if its technology is several steps ahead of everyone
else's.
When I made that estimate, I was criticized as being excessively paranoid.
But to brute-force a 128-bit key would take 250 trillion NSAs, even if my
estimate was right. That isn't likely to be the case.
Still, the NSA might have quantum computers, and they might even have
overcome some of the limits we think exist on the power of quantum
computers.
But the real issue is something else.
An enciphering program has to do other things than simply rely on a secure
cipher. For example:
- it needs to ensure the keys it uses are genuinely random;
- it needs to avoid leaving data on the computers it is used on that would
allow its encryption to be reversed.
These things are difficult to do. Is it likely that someone who ignores
the experts when they say that 128 bits are adequate has taken the time to
learn how to do these things properly?
That is the issue that is being raised here.
In some cases, of course, it may not hurt to use more powerful encryption.
But just as one would stay away like the plague from an encryption program
that offers "an improved one-time pad without those pesky, annoying
one-time pads", if the person offering the encryption program with a
256-bit key doesn't just say it is available as an option, but instead
claims definitely that 128 bits must be insecure, then I would again be
worried. If 128 bits is definitely insecure, why can't he convince anyone
who knows what he is doing of that?
John Savard