Can you keep a secret? This encrypted drive can...

Leichter, Jerry leichter_jerrold at
Wed Nov 8 17:58:41 EST 2006

| > | > Just wondering about this little piece.  How did we get to 256-bit
| > | > AES as a requirement?  Just what threat out there justifies it? ...
| I can see it as useful if some bits of the key got leaked somehow.
| For example, if you're using a HWRNG to generate keys, and its
| bits are not uniformly distributed; if half were predictable and
| half not, you're using AES-128.  If you were using 128, now you're
| using 64 bits.
Sorry, that doesn't make any sense.  If your HWRNG leaks 64 bits,
you might as well assume it leaks 256.  When it comes to leaks of
this sort, the only interesting numbers are "0" and "all".

| Seems like hashes have been failing "gracefully" lately; the reaction
| appears to be increasing key sizes (MD5->SHA-1->SHA-256)...
No, SHA-1 is holding on (by a thread) because of differences in the
details of the algorithm - details it shares with SHA-256.  I
don't think anyone will seriously argue that if SHA-1 is shown to
be as vulnerable as we now know MD5 to be, then SHA-256 can still
be taken to be safe for more than a fairly short time.

| Is there any reason to believe that AES can't weaken gradually
| in the same manner, but only in a catastrophic attack against the
| structure not related to keysize?
Anything *could* happen, but you haven't actually shown that this
particular pattern has been playing itself out in the hash function

| Incidentally, calculations based on Moore's law require one new bit
| every 2 years to maintain the same level of security against brute
| force.
Such calculations are nonsense.  Moore's Law stops working at some
point, as you start to run out of electrons to run through all your
gates.  2^128 isn't just out of our current range; it's out of range
of any technology we have any inkling of today.

BTW, if you really want to push this to the ultimate, there is a
QM result that bounds that number of bit flips that can take
place within a given volume of space-time.  Suppose you start a
brute force attack, and want a result in 100 years.  The computation
must occur within a sphere of space time with spatial radius of
100 light years, and a time extension of 100 years.  (Of course,
this is a gross overestimate, since you presumably want the answer
to come back to you, which means the radius had better be at most
half that.  But this is all very rough anyway.)  When I saw some
results in this direction - sorry, I don't have a reference - I
did a *rough* computation of how many bit flips would fit into
that volume.  It turns out that you can just barely, in principle,
do a 128-bit brute force search - counting only the bit flips to
generate all the possible keys.  By 256 bits, this is completely
out of the question.
-- Jerry

| -- 
| "Cryptography is nothing more than a mathematical framework for
| discussing various paranoid delusions." -- Don Alvarez
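The exchange above argues over how many bits of security a key drawn from a partially predictable HWRNG still has. The measurable quantity behind that argument is the source's min-entropy, and the point a defender should take away is that no amount of hashing restores it: the keyspace an attacker has to search is the number of distinct raw seeds the source can emit, however long the derived key is. The following is an added example, not code from the post or from anyone on the list. It models a constructed faulty source (high nibble of every byte stuck, low nibble random), estimates its min-entropy with the most-common-value estimate, and then enumerates every seed a short instance of that source can produce to count the distinct SHA-256 keys that come out.

```python
import hashlib
import secrets
from collections import Counter
from math import log2

# Constructed model of a faulty hardware RNG (not a real device): the high nibble
# of every byte is stuck at 0xA, the low nibble is genuinely random. Exactly half
# of the emitted bits are therefore predictable to anyone who knows the defect.
STUCK_HIGH_NIBBLE = 0xA0


def biased_hwrng_bytes(n, randbits=secrets.randbits):
    """Return n bytes from the constructed faulty source.

    `randbits` is injectable so a seeded generator can be used for repeatable runs.
    """
    return bytes(STUCK_HIGH_NIBBLE | (randbits(4) & 0x0F) for _ in range(n))


def min_entropy_per_byte(sample):
    """Most-common-value min-entropy estimate: -log2(p_max) over one byte.

    Min-entropy, not Shannon entropy, bounds an attacker's best single guess,
    so it is the right measure of how strong a key drawn from the source is.
    """
    counts = Counter(sample)
    p_max = max(counts.values()) / len(sample)
    return -log2(p_max)


def effective_key_bits(sample, key_len_bytes):
    """Bits of security a key of key_len_bytes drawn from this source really has."""
    return min_entropy_per_byte(sample) * key_len_bytes


def derived_key_space(seed_len_bytes):
    """Count the distinct 256-bit keys SHA-256 produces from every raw seed the
    faulty source is able to emit.

    Conditioning the raw output through a hash spreads the entropy over all 256
    output bits but cannot create any: the keyspace an attacker must search is
    the number of distinct seeds, 16 ** seed_len_bytes here, not 2 ** 256.
    """
    keys = set()
    for v in range(16 ** seed_len_bytes):
        # Only the low nibbles vary; the high nibbles are the stuck value.
        seed = bytes(STUCK_HIGH_NIBBLE | ((v >> (4 * i)) & 0x0F)
                     for i in range(seed_len_bytes))
        keys.add(hashlib.sha256(seed).digest())
    return len(keys)


if __name__ == "__main__":
    sample = biased_hwrng_bytes(200_000)
    print(f"min-entropy per byte: {min_entropy_per_byte(sample):.2f} bits (8 nominal)")
    print(f"a 32-byte AES-256 key from this source is worth "
          f"~{effective_key_bits(sample, 32):.0f} bits")
    print(f"2-byte seed -> {derived_key_space(2)} distinct SHA-256 keys "
          f"(65536 seeds nominally)")
```

The estimate lands near 4 bits per byte, so a 16-byte key is worth about 64 bits and a 32-byte key about 128, matching the arithmetic in the quoted post; the enumeration shows that deriving a 256-bit key from a 2-byte seed yields exactly 256 distinct keys. The mitigation is on the source side (health tests and entropy estimation on the raw output before it is ever used), not on the key-length side.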

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
