On 08/14/2013 09:38 AM, Edward Ned Harvey (blu) wrote:
From: [email protected] [mailto:discuss-
[email protected]] On Behalf Of Kent Borg
Bruteforcing
128-bits is impossible. Bruteforcing 256-bits is 128-bits times as
impossible.
Careful here. Someday, there might exist a perfect block cipher, but at
present, all known block ciphers (including AES) suffer from the even-vs-odd
permutation problem, which means, that a cipher with 128 bit key is only as
strong as an ideal cipher with 64 bits. If you want 128 bit strength (BigO
2^128 operations to brute force attack), you have to use the 256 bit key.
But you don't mean AES-128 can be broken today with 2^64 operations, do
you? That sounds wrong--or theoretical.
According to the current Wikipedia: "The first key-recovery attacks on
full AES [...] requires 2^126.1 operations to recover an AES-128 key."
(It seems like this is the kind of Wikipedia article that tends to be
accurate.) Then they move on to side-channel attacks...
Likely the NSA has a better attack. Maybe they have a *way* better
attack and they can shave off another couple dozen bits. Still, a
100-bits plus of brute force is not something they can do on the cheap.
They have to want it. It has to be a priority. And they can't get it
tomorrow. Or next week. And I bet not a long time after that.
-kb
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
