3. Cleversafe should really tone down the Fear, Uncertainty and
Doubt about today's encryption being mincemeat for tomorrow's
cryptanalysts. It might turn out to be true, but if so it will be
due to cryptanalytic innovations more than due to Moore's Law. And
it might not turn out like that -- perhaps AES-256 will remain safe
for centuries. Also, Cleversafe's product is not more secure than
any other product against this threat.
Since people do keep bringing up Moore's Law in an attempt to justify
larger keys or systems "stronger than cryptography," it's worth
keeping in mind that we are approaching fairly deep physical limits.
I wrote about this on this list quite a while back. If current
physical theories are even approximately correct, there are limits to
how many "bit flips" (which would encompass all possible binary
operations) can occur in a fixed volume of space-time. You can turn
this into a limit based solely on time through the finite speed of
light: A computation that starts at some point and runs for n years
can't involve a volume of space more than n light years in radius.
(This is grossly optimistic - if you want the results to come back to
the point where you entered the problem, the limit is n/2 light years,
which has 1/8 the spatial volume). I made a very approximate guess at
how many bit-flips you could get in a time-space volume of a 100
light-year sphere; the answer came out somewhere between 2^128 and 2^256,
though much closer to the former. So physical limits prevent you from
doing a brute force scan - in fact, you can't even enumerate all
possible keys - in 100 years for key lengths somewhere not much more
than 128 bits.
It's rather remarkable that such fundamental limits on computation
exist at all, but physics over the last 100 years - and especially
over the last couple of decades - has increasingly shown us that the
world is neither continuous nor infinite; it has solid finite limits
on almost everything. Even more remarkable is that we've pretty much
reached some of those limits. For any recently designed cryptosystem,
brute force is simply out of the question, and will remain so forever
(unless we are very much mistaken about physics). Moore's Law as a
justification for using "something more" makes no sense.
As you point out, the story for advances in cryptographic theory is
much more complex and impossible to predict. That cryptographic
advances would render the "safer" AES-256 at risk while AES-128
remains secure (for now) is something no one could have predicted,
though in retrospect some of the concerns about the key scheduling may
have been right. All the protocols and standards out there calling
for AES-256 - it's obviously "better" than AES-128 because after all
256 is *twice as large* as 128! - were just a bunch of nonsense. And,
perhaps, dangerous nonsense.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
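As an added worked example (not part of the original post or the author's own calculation): the post bounds brute force by counting bit flips in a volume of space-time. A related, more commonly quoted physical limit is Landauer's bound, which charges at least k*T*ln(2) joules for every irreversible bit erasure. The script below applies that bound to the "just count through the key space" step of a brute-force search and compares the result with two order-of-magnitude reference budgets. The Boltzmann constant is the exact SI value; the figures for one year of world energy use and one year of the Sun's output are assumed order-of-magnitude values used only for comparison.

```python
import math

# Exact SI value of the Boltzmann constant (J/K).
BOLTZMANN_J_PER_K = 1.380649e-23

# Order-of-magnitude reference budgets, assumed here for comparison only:
# roughly one year of humanity's total primary energy use, and roughly one
# year of the Sun's total radiated output.
WORLD_ENERGY_PER_YEAR_J = 6e20
SUN_OUTPUT_PER_YEAR_J = 1.2e34


def landauer_energy_per_bit(temperature_k: float) -> float:
    """Landauer's bound: erasing one bit costs at least k*T*ln(2) joules."""
    return BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def energy_to_enumerate_keys(key_bits: int, temperature_k: float = 300.0) -> float:
    """Lower bound on the energy needed merely to count through all 2**key_bits keys.

    Each increment of a counter erases at least one bit (the low bit flips on
    every step), so stepping through the whole key space erases at least
    2**key_bits bits. Nothing is charged for actually trying each key, so this
    is a generous lower bound on any brute-force scan.
    """
    return (2 ** key_bits) * landauer_energy_per_bit(temperature_k)


def max_enumerable_key_bits(energy_budget_j: float, temperature_k: float = 300.0) -> int:
    """Longest key whose entire key space can be counted through within the budget."""
    erasures = energy_budget_j / landauer_energy_per_bit(temperature_k)
    return math.floor(math.log2(erasures))


def report(key_bits: int, temperature_k: float = 300.0) -> None:
    """Print the enumeration cost of a key length against the reference budgets."""
    e = energy_to_enumerate_keys(key_bits, temperature_k)
    print(f"{key_bits}-bit key space at {temperature_k:.0f} K: {e:.2e} J"
          f"  ({e / WORLD_ENERGY_PER_YEAR_J:.2e} world-years,"
          f" {e / SUN_OUTPUT_PER_YEAR_J:.2e} sun-years)")


if __name__ == "__main__":
    for bits in (56, 80, 128, 256):
        report(bits)
    for label, budget in (("one year of world energy", WORLD_ENERGY_PER_YEAR_J),
                          ("one year of the Sun's output", SUN_OUTPUT_PER_YEAR_J)):
        print(f"{label}: can exhaust at most {max_enumerable_key_bits(budget)}-bit keys")
```

At room temperature the count alone for a 128-bit key space comes to roughly 1e18 J, a measurable fraction of a year of world energy use, and a 256-bit key space needs on the order of 1e22 years of the Sun's entire output. One caveat a practitioner should keep in mind: Landauer's bound applies to irreversible operations, and a fully reversible computer can in principle avoid the erasure cost, which is why a bound that counts operations in a region of space-time, as the post's does, is the more fundamental one.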