Re: Bonehead basic crypto question
From: Benjamin Choi (contact_at_technosoft21.com)
Date: 18 Oct 2003 02:45:57 -0700
firstname.lastname@example.org (Matthue Gera) wrote in message news:<F73kb.182172$JA5.email@example.com>...
> Good question Ben,
> you no doubt know that computing power is multiplying
> itself on the desktop at a very fast rate. So are supercomputers that
> can be used for brute force attempts.
> You are right that 128bit is strong, however with the advances we have seen
> in computing power recently we need to step up and take advantage in more
> powerful technology when it arrives. 128bit encryption is old, it's that
> simple. It is much easier and quicker to crack today, therefore we need to
> increase the odds even more, way above what's considered 'acceptable',
> then we can be sure what we have now will not be so easily compromised in
> the near future.
Doesn't the entire universe have only about 2^264 particles, excluding
dark matter? Even if 128-bit is breakable with quantum computers,
256-bit is long enough to remain secure indefinitely even if quantum
computers are invented.
2^64 (cracked using latest technology) = 18446744073709551616 only
2^256 = 1.1579208923731619542357098500869e+77
No. of particles in universe = 2.9642774844752946028434172162224e+79
Even if 256-bit is broken by brute force using quantum computers
several eons from now, 448-bit symmetric key strength should remain
impossible to search forever.
2^448 = 7.26838724295606890549323807888e+134
And since longer keys are typically harder to remember, as short a key
as is secure should be used. Not short enough to be attacked in the
next few eons, but not long enough to forget.
Usually attackers won't attempt to crack encryption using brute force,
unless the key is irresistibly short (e.g. 40-bit). They will attempt
to find shortcuts which require a feasible amount of computing
resources and time. People might like to say "even if an algorithm is
secure against analysis, if the key is short enough it can be broken
by brute force. This is usually the weak link." However it seems that
the key size is usually the strong link. Most algorithms today have an
adequate key size (128 or 256-bit would do, although I prefer 256-bit
being extremely paranoid). And the "even if an algorithm is secure
against analysis" is a huge if. 99.9% of all algorithms are not secure
against common and upcoming attacks such as differential, linear,
related-key, boomerang and others to be discovered. Rather than have
huge key sizes, one should choose an adequately large key (256-bit to
be conservative) and focus on eliminating shortcut attacks.
Many people here would rather use a tested algorithm like 128-bit
Twofish (perhaps with number of rounds cranked up a bit, from 16 to 32
rounds if paranoid, to make it totally difficult to attack) than a
1,000,000 bit VME encryption if their lives depended on it.
If there's a tradeoff for speed vs security and your life depends on
it, why use a slow algorithm rather than Twofish with the number of
rounds cranked up?
e.g. David Scott's Scott19U is "much more secure than AES, even though
it is 1000 times slower". Why not use AES with 10x1000=10000 rounds?
Then it would run at the same speed as Scott19U, but be very secure.
-- Benjamin Choi