Cruising the stacks and finding stuff

Perry E. Metzger perry at
Wed Apr 23 08:20:27 EDT 2008

Allen <netsecurity at> writes:
> I find it odd that the responses all seem to focus on pure brute force
> when I did mention three other factors that might be in play: a defect
> in the algorithm much like the attack on MD5 which reduces it to an
> effective length of about 80 bits, if I recall correctly, and/or a
> different analytical tool/approach much like differential analysis has
> had an affect on cryptanalysis as a whole, and a purpose built
> machine.

I think everyone replying mentioned that possibility.

However, if your message really was centered on AES possibly being
defective, which was not obvious from the text, your calculation was
even more inaccurate. If AES is defective, all bets whatsoever are off
-- it is possible one might be able to break an arbitrary defective
algorithm even faster than, say, A5/1. Making up numbers about how
fast a crack "might" be is even less justified than speculation on how
fast computers will be in 100 years. The crack "might" take order
microseconds. The crack "might" never come at all.

The way to (effectively) worry about AES being defective is to look
for defects. We are all adults and know there may be defects and that
we merely don't know of any defects so far.

> I see the argument as much like the way the Titanic was built.

Again, I think most people around here really do understand the issues
fairly well. We all know that AES "might" be defective, and many
people spend time worrying about issues like algorithm
agility. (Several of our list members had lots of work to do when MD5
started looking weak and have long memories.)

> Given all of this, I'm not sure of the value of arguing 128 bit is
> good enough when 256 is not all that much harder to implement and with
> in a couple of years will be just as fast in processing while even
> now, for the size of files being protected, such as credit card data
> and such, is small enough that the wait time probably wouldn't be
> noticed in network latency.

There are a variety of issues. Smart cards have limited capacity. Many
key agreement protocols yield only limited amounts of key
material. I'll leave it to others to describe why a rational engineer
might use fewer key bits, but suffice it to say, there are quite
rational reasons. I'll agree that if you have no tradeoffs, you might
as well use longer keys, but if you really have no tradeoffs, you
would prefer to use a one time pad, too. All real engineering is about


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list