> From: Edward Ned Harvey (lopser)
> Sent: Saturday, August 17, 2013 4:53 PM
> 
> There's a specific question I wanted to look up.  I seem to recall, if you
> want a block cipher to withstand 2^128 operations, you actually need 256
> bits in the key.  I'm looking for clarification, if I'm remembering
> correctly, or not.  Sanity check.

I found my book and looked it up.  The answer is:

"Most modern block ciphers have a 128-bit block size, but they operate on 
32-bit words.  They build the encryption function from many 32-bit operations.  
This has proved to be a very successful method, but it has one side effect.  It 
is rather hard to build an odd permutation from small operations; as a result, 
virtually all block ciphers only generate even permutations."

"This [] has no practical significance whatsoever."

So, the even/odd permutation thing is a completely unrelated red herring.  The 
important question is regarding key length:

"A 128-bit key would be great, except for one problem:  collision attacks.  
Time and time again, we find systems that can be attacked -- at least 
theoretically, if not practically -- by a birthday attack or a  
meet-in-the-middle attack.  We know these attacks exist.  Sometimes designers 
just ignore them, and sometimes they think they are safe, but somebody finds a 
new, clever way of using them.  Most block cipher modes allow 
meet-in-the-middle attacks of some form.  We've had enough of this race, so 
here is our recommendation:  For a security level of n bits, every 
cryptographic value should be at least 2n bits long."

In other words, if you want 128 bits of security, use a 256 bit key.  
Uncrackable by an international superpower within a lifetime.

If you use a 128 bit key, you should assume it's crackable in 2^64 operations, 
which can be achieved by a schmo with a laptop.  Maybe not in reality, maybe 
not in every situation, but take it as a baseline assumption.
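
The birthday bound behind the quoted "2n bits for n bits of security" recommendation, as an added example that is not part of the original message or the book it quotes: the code truncates SHA-256 to n bits as a stand-in for an n-bit cryptographic value and counts how many hashes it takes before two distinct inputs collide. The function names and input strings are constructed for illustration; the result shows collision work tracking 2^(n/2), not 2^n.

```python
import hashlib


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(msg), standing in for an n-bit cryptographic value."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits: int):
    """Hash distinct counter inputs until two of them share an n-bit value.

    Returns (msg_a, msg_b, hashes_computed). The inputs are constructed
    sample strings, so the run is deterministic and needs no network.
    """
    seen = {}  # n-bit value -> first message that produced it
    counter = 0
    while True:
        msg = b"constructed-input-%d" % counter
        value = truncated_hash(msg, n_bits)
        counter += 1
        if value in seen:
            return seen[value], msg, counter
        seen[value] = msg


def report(sizes=(16, 24, 32)):
    """For each size n: (n, hashes needed, 2^(n/2), 2^n)."""
    rows = []
    for n in sizes:
        _, _, work = find_collision(n)
        rows.append((n, work, 2 ** (n // 2), 2 ** n))
    return rows


if __name__ == "__main__":
    print("bits  hashes-to-collide  2^(n/2)  2^n")
    for n, work, birthday, exhaustive in report():
        print(f"{n:4d}  {work:17d}  {birthday:7d}  {exhaustive}")
```

Doubling n from 16 to 32 bits raises the collision work from a few hundred hashes to roughly a hundred thousand, which is the square-root scaling the recommendation is designed to absorb.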