Re: 1000 Trillion instructions per second SuperComputer at Oak Ridge NL - time to crack AES-128?

From: Martin Dickopp (expires-2003-12-31_at_zero-based.org)
Date: 11/19/03 

Date: 19 Nov 2003 13:36:45 +0100

George Ou <533george_ou234@netzero234.com> writes:

> On 18 Nov 2003 10:02:19 +0100, Martin Dickopp
> <expires-2003-12-31@zero-based.org> wrote:
>
> >George Ou <533george_ou234@netzero234.com> writes:
> >
> >> There's a new half billion dollar computer at Oak Ridge National
> >> Laboratory that does 1000 trillion instructions per second.
> >>
> >> Out of curiosity, does anyone know how long it would take to crack an
> >> AES-128 key using this computer with the most efficient techniques
> >> available?
> >
> >Assuming this computer could test one key per instruction, an exhaustive
> >search of half of the key space would take 2^127 / 10^15 = 170*10^21
> >seconds = 5.39*10^15 years = roughly 450000 times the age of the universe.
> >Of course, in reality testing one key takes more than one instruction,
> >so it would actually take much longer than that.
>
> Ah, of course. I should have just tried and calculated the best case
> assuming that one key could be tested per instruction (which is very
> generous).
>
> All this makes one wonder what the value of AES-256 is other than
> marketing. There are far more security problems to be concerned with
> than trying to beef up to 256 bit.

A few points:

- Specialized, parallel hardware might be able to test more keys per
  second than a general-purpose super-computer.

- An attacker might be lucky and find the correct key after searching much
  less than half of the key space.

...and most important:

- There might be not yet discovered attacks which are more efficient than
  exhaustive key search.

Since encrypting and decrypting with AES-256 is not much harder than with
AES-128, I see little reason /not/ to use AES-256, unless the environment
is severly constrained (e.g. a smart card which might not have enough
memory for a 256 bit key).

Martin

Quantcast