Eric Rescorla (ekr@rtfm.com)
Wed, 28 Oct 1998 06:17:47 -0800
> Eric Rescorla <ekr@rtfm.com> wrote:
>
> | Huh? Extending the calculation makes it perfectly clear that
> | 128 bit keys are long enough for just about any foreseeable future.
> | 128 bit keys are 72 bits stronger than a DES key. 72 bits is
> | approx 10^21. Now, imagine an attacker with the entire GNP
> | of the US (ca. $5x10^12) available to him. That means he can
> | build a machine that's say 10^7 times more powerful than
> | Deep Crack. Consequently, he'd be able to crack a 128 bit in
> | approximately 10^14 days, or 10^11 years. I'm not worried.
>
> One factor you haven't brought into your calculations is _probability_.
> There's a small probability that a 2^56 search could find a 128 bit
> key by chance, namely one in 2^72.
You're joking, right? This number is zero for all practical purposes.
You'd be more likely to be hit by a meteorite. Literally.
> You appear to have taken the position that if an adversary can't
> afford to search the entire keyspace, you are safe from them.
I think it's a pretty safe bet that an adversary won't get
my key when the probability is 2^72 against.
> | Look, I'm all for using fairly large keys, but the sort of
> | simpleminded alarmism you're engaging in gets in the way of
> | understanding how strong our cryptosystems actually are.
> | Please do the math before you go ranting about how weak
> | or strong things are.
> And furthermore it's pointless doing the maths if you don't state the
> assumptions in your threat model!
Frankly, it never occurred to me that one would be worried about
events with 1/10^12 probabilities.
> Personally since we all use crypto, we should choose a threat model
> that few would ever question as being too soft.
But this game has no end. Why choose 1 in 10^12 as your stopping point?
What about an intelligence agency willing to spend its entire
budget to read YOUR email with a 1 in 10^15 probability? That gives
us another 15 bits of keylength. Or aliens?
Look, having your crypto unbroken isn't an end in itself. It's
to keep your traffic protected. Once you get to people willing
to have an expectation value of $10^18 in order to read YOUR
traffic, they've got far easier approaches available to them.
(And of course there are zillions of bad things that could happen
to you with much higher probability that don't require them to
spend a dime.)
> Another quote of relevance from the aforementioned paper:
>
> | One consequence of this uniformity of costs is that there is
> | rarely any need to tailor the strength of cryptography to the
> | sensitivity of the information being protected. Even if most of the
> | information in a system has neither privacy implications nor monetary
> | value, there is no practical or economic reason to design computer
> | hardware or software to provide differing levels of encryption for
> | different messages. It is simplest, most prudent, and thus
> | fundamentally most economical, to employ a uniformly high level of
> | encryption: the strongest encryption required for any information that
> | might be stored or transmitted by a secure system.
Funny that you've omitted the section where they actually name a number:
"Bearing in mind that the additional computational costs of stronger
encryption are modest, we strongly recommend a minimum key-length
of 90 bits for symmetric encryption."
-Ekr
[Eric Rescorla ekr@rtfm.com]
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22