On 16/05/14 14:37, Michael Anders wrote:
> In fact arriving at a realistic estimate for the energy needed to brute
> force AES is really hard work. (Besides: Who can say for sure that we
> cannot get some bits from cryptanalytic progress (two bits already
> crumbled).

You cannot get bits of cryptanalytic progress for brute-force. Brute-force is by definition completely independent of such things.

And nobody here claimed a realistic estimate. All that was claimed was a lower bound.

> 1.) We don't have anything other than AES (At least many people think
> so.)

What does the specific cipher used have to do with anything?

Since I don't see where in the thread you replied, I'm not sure if we're still debating quantum cryptography or that we're discussing brute-forcing. Quantum cryptography was only discussed relating either to asymmetric crypto, which AES isn't, or in relation to Grover's algorithm, which is used to brute-force an algo.

When brute-forcing, the choice of algorithm is irrelevant by definition. AES is simply used as an example, but the stuff discussed so far would go for any symmetric algorithm with a 128-bit key. Only the number of bitflips per trial would vary, which was never really established anyway, but tentatively put at "quite a lot".

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>