On Oct 7, 2013, at 1:43 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

Given the recent debate about security levels for different key sizes, the following paper by Lenstra, Kleinjung, and Thome may be of interest:

"Universal security from bits and mips to pools, lakes and beyond" http://eprint.iacr.org/2013/635.pdf

On Mon, Oct 7, 2013 at 10:46 AM, Jerry Leichter <leichter@lrw.com> wrote:

Then: "...fundamental limits will let you make about 3*10^94 ~ 2^315 [bit] flips and store about 2^315 bits

Then perhaps by the time that engine gets near 256 bits done crunching you, any given secret holder will be either dead, too old / pardonable, or society will have moved on, thereby placing the secret into one of historical value only. It would probably also cost about 2^315 bits to build and operate. Not many 100yr secrets out there besides grand conspiracies and whodunit's, and those don't really need crypto. Might as well bump everything to 512 just to be safe from physics ;)