[cryptography] philosophical question about strengths and attacks at impossible levels

Paul Crowley paul at ciphergoth.org
Thu Oct 14 03:13:43 EDT 2010

On 14/10/10 05:56, Zooko O'Whielacronx wrote:
> What if a hash has 512-bit collision-resistance? What would that mean?
> That an attacker might spend about 2^512 resources to find a collision
> in it? That is a meaningless possibility to discuss since 2^512
> resources will never exist in the life of this universe, so it can't
> mean that, or if it does mean that then there is no use in talking
> about "512-bit collision-resistance". Maybe it means something else?

> In any case, I'm pretty sure that as a *user* of hash functions what I
> care about is "more likely to fail" (and efficiency), not about "bits
> of security" for any bit-level greater than about 128 (including
> consideration of quantum attacks, multi-target attacks, etc.)

I agree re 512 bits but 128 bits seems low if you have secrets to keep 
from the far future. According to this page a 256-bit cipher is the work 
of minutes to brute-force for a computer the mass of the Earth working 
close to physical limits of computation:


 From my calculations, if the entire Virgo Supercluster were turned into 
computronium for a trillion years it could make at most ~2^383 
computational steps.


log((10^15) ⋅ 1.98892 ⋅ (10^30) ⋅ (2.56 ⋅ (10^50)) ⋅ 86400 ⋅ 365 ⋅ 
(10^12), 2) ≈ 382.70493

This is before considering multi-target attacks or quantum attacks.

More information about the cryptography mailing list