Re: Weakness in AES found

Jean-Marc Desperrier wrote:
If doing 2^126 computations is even remotely realistic for you, it'
probably not that big anymore, just around 300 yottabytes.

In other word, 2^126 computation is probably further away from the computing power we currently have, than 300 yottabytes is from the amount of data we are able to store.

However, I retought since my earlier message that progress on computing power is much faster than the progress on the availability of a very large address space that we can access *fast*.

So actually if I'm sure we'll be able to store 300 yottabytes of data earlier than we'll be able to make 2^126 computations, I'm not so sure 300 yottabytes of data that is *fast* to access will really come earlier. The recent trend is for fast increase in computing power *when* a high locality of data is possible, performance crumbles if it's not the case.

So it may be that on the day storing 300 yottabytes of data is feasible, the cost of accessing one element randomly inside it will be higher than the one of encrypting a AES block, and that on the day 300 yottabytes of data that is fast to access becomes possible, computing power will already be 4 time faster, so that 2^128 will be doable.

So in the absence of infinitively fast access to an infinitively large amount of data, this attack might not truly weaken AES.

Of course more powerful attacks probably will be found. But they might be significant only if they *also* reduce the amount of data required. From my very layman's reading of the attack, this may require attacks that are of a completely different class, and whose mere existence is not obvious from this one.