[Cryptography] Stupid question re # of cloud GPU's

Jon Callas jon at callas.org
Wed Mar 19 15:53:47 EDT 2025



> On Mar 19, 2025, at 11:02, Henry Baker <hbaker1 at pipeline.com> wrote:
> 
> Everyone is maxing out their credit cards buying GPUs for AI training/whatever.
> 
> Suppose they then get bored with AI?

It's not a stupid question because they will. Even in the case of people who aren't bored with it, there are people who are very interested in it, so they'll replace year N's GPUs with year N+k's GPUs, where k is the replacement cycle in years.

> 
> Do all these GPUs then become available -- presumably at much cheaper prices --
> for breaking crypto?

Yes, they become available for whatever someone wants them for.

> 
> Ignoring PQ Crypto, should we be worried about all of this new <classical> GPU
> power being used to attack <classical> crypto?

Well, the stupid answer to the question is just no. The parameters take parallel processing into account and usually there's an assumption that price is no hindrance to the attacker.

A more nuanced answer is, "well, what do you mean by breaking crypto?"

If what you mean is key exhaustion on any modern cipher, that's already baked in; 2^128 is a rather large number and 2^256 is even larger. More than twice as big! (I can't tell you the number of times that I've heard people say that AES-256 is twice as strong as AES-128.)

There are other places where, sure, it will help. In the last dozen or so years, breaking an RSA-512 key has moved from possible with dedication to just a thing someone does over a weekend on their laptop. (Assuming a suitable definition of "laptop" and "weekend" of course.) At the same time, we all moved off of those before it was a threat. And again, we have moved to bigger keys. 

I just checked the cert for the web site of a large retailer, and it was RSA-2048, which is pretty intractable with modern devices. RSA-1024 is in a liminal place -- we all know we shouldn't use it. The guesstimates say it's ~80 bits of security and NIST recommended that we get off of that by 2010, and just about everyone has done that by now. At the same time, there are no reliable breaks of any 1024-bit key, which is good! We did the right thing by staying more than a decade (or less, for some stragglers) ahead of actual threats.

Another way to think of this is to measure things not by an abstract time parameter that has buried in it uncertainty about parallelism, but by a parameter of computes-per-watt, which turns into a measurement of money, too. Those also cover things like GPUs, which are easy to slide into a measurement of computes-per-watt.

From an operational side, we're staying ahead of the curve in the general case. Yes, there will be some specific case where -- oh, someone used a key that was okay then but this is now not then. Like the TI Calculator signing key mentioned above.

	Jon
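As an added illustration (not part of the thread) of Jon's computes-per-watt framing: an estimate of time, energy and electricity cost for a fleet of surplus GPUs to exhaust the security levels mentioned above, with the Landauer thermodynamic floor as a sanity check. The fleet size, per-device trial rate, power draw and electricity price are constructed assumptions, as is the 112-bit figure for RSA-2048 (the NIST SP 800-57 estimate); the ~80 bits for RSA-1024 is the post's own guesstimate.

```python
import math

BOLTZMANN_J_PER_K = 1.380649e-23   # exact SI value of Boltzmann's constant
SECONDS_PER_YEAR = 365.25 * 24 * 3600
JOULES_PER_KWH = 3.6e6

# Security levels discussed in the thread. ~80 bits for RSA-1024 is the post's
# guesstimate; 112 bits for RSA-2048 is the NIST SP 800-57 estimate (assumption).
SECURITY_LEVELS = {"RSA-1024": 80, "RSA-2048": 112, "AES-128": 128, "AES-256": 256}


def expected_trials(security_bits):
    """Expected trials for exhaustive search: half the keyspace, 2^(n-1)."""
    return 2 ** (security_bits - 1)


def landauer_floor_joules(security_bits, temperature_k=300.0):
    """Thermodynamic floor: kT*ln2 joules per irreversible bit operation, one
    per trial. No classical hardware, GPU or otherwise, can go below it."""
    per_trial = BOLTZMANN_J_PER_K * temperature_k * math.log(2)
    return float(expected_trials(security_bits)) * per_trial


def exhaustion_estimate(security_bits, devices, trials_per_s_per_device,
                        watts_per_device, usd_per_kwh):
    """Wall-clock time, energy and electricity cost for a fleet of `devices`
    to perform the expected number of trials. Time falls with parallelism,
    but energy (and so money) does not, which is the point of the framing."""
    seconds = float(expected_trials(security_bits)) / (devices * trials_per_s_per_device)
    joules = seconds * devices * watts_per_device
    kwh = joules / JOULES_PER_KWH
    return {
        "years": seconds / SECONDS_PER_YEAR,
        "kwh": kwh,
        "usd": kwh * usd_per_kwh,
        "x_landauer": joules / landauer_floor_joules(security_bits),
    }


def fleet_report(devices=1_000_000, trials_per_s_per_device=1e10,
                 watts_per_device=300.0, usd_per_kwh=0.10):
    """Estimates for each level, for a constructed fleet of surplus GPUs
    (one million devices, 1e10 trials/s each, 300 W each, $0.10/kWh)."""
    return {name: exhaustion_estimate(bits, devices, trials_per_s_per_device,
                                      watts_per_device, usd_per_kwh)
            for name, bits in SECURITY_LEVELS.items()}


if __name__ == "__main__":
    for name, est in fleet_report().items():
        print(f"{name:8s} {est['years']:10.3g} years  {est['usd']:10.3g} USD electricity")
```

With these constructed numbers, the 80-bit level is a couple of years and a few hundred million dollars of electricity, while AES-128 is around 10^14 years and AES-256 is 2^128 times longer again, not twice.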