On 2010-10-16 6:33 AM, Jon Callas wrote: > If you assume that there are Moore's-Law-Equivalent > increases in compute power indefinitely, then 128-bit > security is good until about 2050-2060, and 256-bit > security is good until 2150 or so. On the one hand, we know > that semiconductor improvements will peter out sometime. > Best guess now is that there's not much to be gained after > 2040 or so. So there's more to think that present things > are good enough.
How come 2040? Line width has been halving every four years, transistor density doubling every two years. Current line width is about 32 nanometers. Minimum line width is the size of a molecule, several atoms - probably a nanometer. If the limit is a nanometer, Moore's law expires in 2030 From 2006 to the limit, computation is heat limited. Nanometer scale transistors could switch at optical frequencies, but a large collection of nanometer scale transistors switching at optical frequencies would heat up so fast they would instantly explode. Every time the density of transistors doubles, the number of bits required for security increases by about one bit - so we will only need ten more bits in symmetric keys, twenty more bits in hashes and EC keys. _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
