> Let's consider an adversary that can store as many OpenPGP-encrypted
> messages as it has access to. Maybe it sniffs SMTP traffic as well?
> If the attacker is interested in breaking the crypto of any *one* of
> these messages, it can reduce the amount of work it has to do
> significantly.

I think this is a pretty unrealistic thought experiment. It requires two conditions to be met:

1. A very large number of intercepted OpenPGP messages
2. An extremely well-funded adversary who only needs to break one message, chosen at random, out of the very large ingestion set, in order for the entire endeavor to be considered a ringing success that justifies the billions of dollars spent collecting #1

We don't have #1, but in the (oft-forlorn) hope we'll see more OpenPGP adoption I'll give it to you. But #2 isn't the description of any real-world organization I've ever heard of. Honestly, it sounds more like a James Bond-style evil organization like SPECTRE or QUANTUM than like anything that exists in the world.

(Quoting you quoting djb)

> There are standard attacks that break _all_ of 2^50 AES-128 keys
> using a _total_ of 2^128 easy computations.

In other words, the likelihood of choosing one of the weak set by random is 10**-53. That's a one-in-100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 chance. I'll take those odds. Happily. Twice on a Sunday.

(Still quoting you quoting djb)

> Even worse, there are standard attacks that find _at least one_ of
> the keys using just 2^78 easy computations, a feasible computation
> today.

So there's a 10**-88 chance that one of my keys can be broken in 10**53 computations? Sign me up.

I have a lot of respect for djb, but on this one he's just way off in left field.

> Of course, there aren't 2^50 AES-128-encrypted known-plaintext
> OpenPGP messages today that such an attack would work on. but why
> would we want to leave users open to this?

(Meant as humor, not snark:) I am much more concerned with the possibility of landing a hot date with Claudia Schiffer[*], which is rudely interrupted by the eruption of the Yellowstone Caldera that wipes out all life in North America, than I am with any AES-128 weakness.

Landing a hot date with Claudia Schiffer and the end of the world happening before I pick her up for our night out is considerably more likely to happen. It would also probably make me considerably unhappier than a random AES key, somewhere, being broken.

Given I've spent about half an hour of my time calmly considering the possibilities of your hypothetical, perhaps I might trouble you to spend a minute or two coming up with a plan for how I might enjoy an evening with Claudia even as the world ends? I will understand if your reaction is hysterical laughter. :)

[*] You youngsters who have no idea who Claudia Schiffer is... when I was your age, she was The Awesomeness. Had a soft spot for her in my heart for about the last twenty-five years.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users