Re: [TLS] Comparative cipher suite strengths

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Thu, Apr 23, 2009 at 01:13:13PM -0400, Daniel Brown wrote:
> Furthermore, adapting Eric's calculations below, to brute force
> 112-bit keys, assuming 80-bit keys are brute forcible today (let's

112-bit keys...  Ah, you must be thinking 3DES.  It's worth noting that
one of the major cryptographic improvements in AES over 3DES is the
block size.  The block size has a major impact on things like re-keying
considerations.  So even assuming equal strength of 3DES and AES and
that 112-bit keys are impossible to brute force now and forever, it'd
still be worthwhile to switch from 3DES to to AES-128.

> just say with massive distributed computing for the sake of example),
> feature sizes would need to shrink to 50 * 10^{-9} * 2^{-32} =~ 1.16 *
> 10^{-17}, still smaller than a Hydrogen atom, but perhaps NIST was
> accounting for the possibility of some future technical developments
> leading to continued or even accelerated increase in processing power,
> or perhaps NIST was also accounting for some degradation in the
> security of the TDEA aglorithm below that of a generic block cipher,
> or perhaps NIST is just encouraging migration to AES. 

If that were quantum computing then all sorts of assumptions go out the
window.  The more likely explanation is that *some* imaginable
cryptanalytic advances could reduce the effective strength of AES in
such a way that longer keys remain more secure than shorter keys.
Imagine an attack that reduces the effective strength of AES so that
breaking it is equivalent to brute-forcing a 2^{key size - 48} key
space.

As EKR points out, there could be cryptanalytic advances that reduce the
strength of AES regardless of the key size used.  But going by past
advances I think it's likely that any cryptanalysis of AES will leave
AES-256 stronger than AES-192, and in turn AES-192 stronger than
AES-128.  Or at least it's likely that NIST and others thing that :)

> That all said, personally, I'm still much more reluctant to predict a
> decrease in the growth of processing power that has been going fairly

Sadly it must come.  We can't reduce feature size too much more than a
few atoms, really (ignoring entangled electrons), and we can't have more
features than we can pack into a reasonable volume.  2^128 ~= 10^38,
which would be only about 10^11 times smaller than Earth.  So you'd need
1/10,000th the amount of matter on Earth in order to make a machine that
has 2^128 features the size of atoms.  Scale that down to something
reasonable (and scale up feature size a bit) and you have a rather small
computer relative to 128-bit key sizes (but still big enough that
distances between components get large enough to be huge headaches).

Short of quantum computing and sci-fi tech such as using black holes as
computers, I really doubt we'll ever brute force 128-bit keys.  It's
cryptanalysis or bust :)

Nico
--