[Cryptography] Low grade randomness for padding.

[Adam P. Goucher]

> I made a back-of-the-envelope computation on this list a number of years
> back that showed a physical limit on exhaustive search, based on a bound
> one can get on the number of bit flips that physics allows in a given
> volume of space-time.  As it turned out, in principle, you could just
> barely do 128 bit exhaustive search in 100 years (hence in a sphere
> 100-light years in radius - which is actually a big overestimate as your
> answer could appear somewhere out on the surface of the 200-ly-across
> sphere, and getting it back to where you started the computation would
> take another 100 years).

Are you sure about this?

The current rate of bitcoin mining is slightly above 10^20 double-SHA256
hashes per second, and it only uses 8.9 gigawatts. The total solar energy
incident on the surface of the earth is 89 petawatts (i.e. 10^7 times more),
so that could yield 10^27 hashes per second even without any semiconductor
improvements.

The following page suggests that hardware is another factor of 1000 away
from the Landauer limit:

https://www.lesswrong.com/posts/N7KYWJPmyzB6bJSYT/the-next-ai-winter-will-be-due-to-energy-costs-1

so it looks like, if we were to completely cover the planet in solar panels
and use that energy for bitcoin mining at the Landauer limit, we'd be able
to manage 10^30 hashes per second.

The (much higher) physical limit on computation is this one by Bremermann,
which suggests that we're safe against 512-bit brute-force but not against
256-bit brute-force:

https://en.wikipedia.org/wiki/Bremermann%27s_limit


Best wishes,


Adam P. Goucher