| > | > Just wondering about this little piece. How did we get to 256-bit | > | > AES as a requirement? Just what threat out there justifies it? ... | | I can see it as useful if some bits of the key got leaked somehow. | For example, if you're using a HWRNG to generate keys, and it's | bits are not uniformly distributed; if half were predictable and | half not, you're using AES-128. If you were using 128, now you're | using 64 bits. Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits, you might as well assume it leaks 256. When it comes to leaks of this sort, the only interesting numbers are "0" and "all".
| Seems like hashes have been failing "gracefully" lately; the reaction | appears to be increasing key sizes (MD5->SHA-1->SHA-256)... No, SHA-1 is holding on (by a thread) because of differences in the details of the algorithm - details it shares with SHA-256. I don't think anyone will seriously argue that if SHA-1 is shown to be as vulnerable as we now know ND5 to be, then SHA-256 can still be taken to be safe for more than a fairly short time. | Is there any reason to believe that AES can't weaken gradually | in the same manner, but only in a catastrophic attack against the | structure not related to keysize? Anything *could* happen, but you haven't actually shown that this particular pattern has been playing itself out in the hash function space. | Incidentally, calculations based on Moore's law require one new bit | every 2 years to maintain the same level of security against brute | force. Such calculations are nonsense. Moore's Law stops working at some point, as you start to run out of electrons to run through all your gates. 2^128 isn't just out of our current range; it's out of range of any technology we have any inkling of today. BTW, if you really want to push this to the ultimate, there is a QM result that bounds that number of bit flips that can take place within a given volume of space-time. Suppose you start a brute force attack, and want a result in 100 years. The computation must occur within a sphere of space time with spatial radius of 100 light years, and a time extension of 100 years. (Of course, this is a gross overestimate, since you presumably want the answer to come back to you, which means the radius had better be at most half that. But this is all very rough anyway.) When I saw some results in this direction - sorry, I don't have a reference - I did a *rough* computation of how many bit flips would fit into that volume. It turns out that you can just barely, in principle, do a 128-bit brute force search - counting only the bit flips to generate all the possible keys. By 256 bits, this is completely out of the question. -- Jerry | -- | "Cryptography is nothing more than a mathematical framework for | discussing various paranoid delusions." -- Don Alvarez | <URL:http://www.subspacefield.org/~travis/> -><- | | --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]