3. Cleversafe should really tone down the Fear Uncertainty and Doubt about today's encryption being mincemeat for tomorrow's cryptanalysts. It might turn out to be true, but if so it will be due to cryptanalytic innovations more than due to Moore's Law. And it might not turn out like that -- perhaps AES-256 will remain safe for centuries. Also, Cleversafe's product is not more secure than any other product against this threat. Since people do keep bringing up Moore's Law in an attempt to justify larger keys our systems "stronger than cryptography," it's worth keeping in mind that we are approaching fairly deep physical limits. I wrote about this on this list quite a while back. If current physical theories are even approximately correct, there are limits to how many "bit flips" (which would encompass all possible binary operations) can occur in a fixed volume of space-time. You can turn this into a limit based solely on time through the finite speed of light: A computation that starts at some point and runs for n years can't involve a volume of space more than n light years in radius. (This is grossly optimistic - if you want the results to come back to the point where you entered the problem, the limit is n/2 light years, which has 1/8 the spacial volume). I made a very approximate guess at how many bit-flips you could get in a time-space volume of a 100 light- year sphere; the answer came out somewhere between 2^128 and 2^256, though much closer to the former. So physical limits prevent you from doing a brute force scan - in fact, you can't even enumerate all possible keys - in 100 years for key lengths somewhere not much more than 128 bits.

It's rather remarkable that such fundamental limits on computation exist at all, but physics over the last 100 years - and especially over the last couple of decades - has increasingly shown us that the world is neither continuous nor infinite; it has solid finite limits on almost everything. Even more remarkable is that we've pretty much reached some of those limits. For any recently designed cryptosystem, brute force is simply out of the question, and will remains so forever (unless we are very much mistaken about physics). Moore's Law as a justification for using "something more" makes no sense. As you point out, the story for advances in cryptographic theory is much more complex and impossible to predict. That cryptographic advances would render the "safer" AES-256 at risk while AES-128 remains secure (for now) is something no one could have predicted, though in retrospect some of the concerns about the key scheduling may have been right. All the protocols and standards out there calling for AES-256 - it's obviously "better" than AES-128 because after all 256 is *twice as large* as 128! - were just a bunch of nonsense. And, perhaps, dangerous nonsense. -- Jerry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE