Re: Can you keep a secret? This encrypted drive can...
Just wondering about this little piece. How did we get to 256-bit AES as a requirement? Just what threat out there justifies it? There's no conceivable brute-force attack against 128-bit AES as far out as we can see, so we're presumably begin paranoid about an analytic attack. But is there even the hint of an analytic attack against AES that would (a) provide a practical way in to AES-128; (b) would not provide a practical way into AES-256? What little I've seen in the way of proposed attacks on AES all go after the algebraic structure (with no real success), and that structure is the same in both AES-128 and AES-256. There is no requirement for it. However, as others have noticed, to the casual observer, 256 is twice as good as 128. You don't want to end up with a product review saying, "Product X is solid with 128-bit encryption, but for the ultra-paranoid, product Y is using 256!" Moreover, AES-256 is 20-ish percent slower than AES-128. That difference can be completely irrelevant in the context of the entire system. That means that there is coolness pressure pushing to 256, and relatively little performance backpressure. The result is that you use AES-256 except where the performance is so tetchy that you really need to back off to 128. I've been spouting off about how 128 is enough, but not fighting the trend even an iota. It's not worth the bother. Besides, I find the irony that AES is pushing us from debates about how 56 oughta be good enough to why 256 is just inevitable in less than a decade to be amusing. Jon - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Can you keep a secret? This encrypted drive can...
| > | > Just wondering about this little piece. How did we get to 256-bit | > | > AES as a requirement? Just what threat out there justifies it? ... | | I can see it as useful if some bits of the key got leaked somehow. | For example, if you're using a HWRNG to generate keys, and it's | bits are not uniformly distributed; if half were predictable and | half not, you're using AES-128. If you were using 128, now you're | using 64 bits. Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits, you might as well assume it leaks 256. When it comes to leaks of this sort, the only interesting numbers are "0" and "all". | Seems like hashes have been failing "gracefully" lately; the reaction | appears to be increasing key sizes (MD5->SHA-1->SHA-256)... No, SHA-1 is holding on (by a thread) because of differences in the details of the algorithm - details it shares with SHA-256. I don't think anyone will seriously argue that if SHA-1 is shown to be as vulnerable as we now know ND5 to be, then SHA-256 can still be taken to be safe for more than a fairly short time. | Is there any reason to believe that AES can't weaken gradually | in the same manner, but only in a catastrophic attack against the | structure not related to keysize? Anything *could* happen, but you haven't actually shown that this particular pattern has been playing itself out in the hash function space. | Incidentally, calculations based on Moore's law require one new bit | every 2 years to maintain the same level of security against brute | force. Such calculations are nonsense. Moore's Law stops working at some point, as you start to run out of electrons to run through all your gates. 2^128 isn't just out of our current range; it's out of range of any technology we have any inkling of today. BTW, if you really want to push this to the ultimate, there is a QM result that bounds that number of bit flips that can take place within a given volume of space-time. Suppose you start a brute force attack, and want a result in 100 years. The computation must occur within a sphere of space time with spatial radius of 100 light years, and a time extension of 100 years. (Of course, this is a gross overestimate, since you presumably want the answer to come back to you, which means the radius had better be at most half that. But this is all very rough anyway.) When I saw some results in this direction - sorry, I don't have a reference - I did a *rough* computation of how many bit flips would fit into that volume. It turns out that you can just barely, in principle, do a 128-bit brute force search - counting only the bit flips to generate all the possible keys. By 256 bits, this is completely out of the question. -- Jerry | -- | "Cryptography is nothing more than a mathematical framework for | discussing various paranoid delusions." -- Don Alvarez | http://www.subspacefield.org/~travis/> -><- | | - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Can you keep a secret? This encrypted drive can...
| On Wed, Nov 08, 2006 at 05:58:41PM -0500, Leichter, Jerry wrote: | > Sorry, that doesn't make any sense. If your HWRNG leaks 64 bits, | > you might as well assume it leaks 256. When it comes to leaks of | > this sort, the only interesting numbers are "0" and "all". | | Nonsense. I can cite numerous examples of such happening in real life. | [Miscellaneous examples elided] OK, so what argument will you make that, given one of these "leaky", partially predictable, generators, 128 bits are "too few" but by some magic 256 are "enough"? If they really are "enough", why not generate 256 bits and mash them together into 128? | > Such calculations are nonsense. Moore's Law stops working at some | > point, as you start to run out of electrons to run through all your | > gates. 2^128 isn't just out of our current range; it's out of range | > of any technology we have any inkling of today. | | The death of Moore's law, like the end of the world, has been | predicted many times, with the same result. Funny thing about exponential curves in the real world: They stop being exponential eventually. -- Jerry - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
