[cryptography] philosophical question about strengths and attacks at impossible levels

James A. Donald jamesd at echeque.com
Fri Oct 15 22:15:06 EDT 2010

On 2010-10-16 6:33 AM, Jon Callas wrote:
 > If you assume that there are Moore's-Law-Equivalent
 > increases in compute power indefinitely, then 128-bit
 > security is good until about 2050-2060, and 256-bit
 > security is good until 2150 or so. On the one hand, we know
 > that semiconductor improvements will peter out sometime.
 > Best guess now is that there's not much to be gained after
 > 2040 or so. So there's more to think that present things
 > are good enough.

How come 2040?  Line width has been halving every four years,
transistor density doubling every two years.

Current line width is about 32 nanometers.

Minimum line width is the size of a molecule, several atoms -
probably a nanometer.

If the limit is a nanometer, Moore's law expires in 2030.

From 2006 to the limit, computation is heat-limited.
Nanometer scale transistors could switch at optical
frequencies, but a large collection of nanometer scale
transistors switching at optical frequencies would heat up so
fast they would instantly explode.

Every time the density of transistors doubles, the number of
bits required for security increases by about one bit - so we
will only need ten more bits in symmetric keys, twenty more
bits in hashes and EC keys.
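The extrapolation in the post above, carried through as an added worked example (not part of the original message): line width halves every four years, each halving quadruples transistor density (area scales as width squared), Moore's law stops at the molecular scale, and every doubling of attacker compute erodes one bit of symmetric security but two bits of hash or elliptic-curve security, because brute force costs 2^n while birthday and Pollard-rho style attacks cost 2^(n/2). The 32 nm starting point, the 1 nm floor and the 2010 base year are the post's own figures; the function names are mine.

```python
import math


def line_width_halvings(current_nm, limit_nm):
    """Number of times line width must halve to get from current_nm
    down to limit_nm (the post's figures: 32 nm today, 1 nm floor)."""
    return math.log2(current_nm / limit_nm)


def moore_expiry_year(start_year, current_nm, limit_nm, years_per_halving=4.0):
    """Year in which line width reaches the floor, assuming the post's
    rate of one halving every four years."""
    return start_year + line_width_halvings(current_nm, limit_nm) * years_per_halving


def density_doublings(current_nm, limit_nm):
    """Transistor density is per unit area, so one line-width halving is
    two density doublings (hence density doubles every two years when
    width halves every four)."""
    return 2 * line_width_halvings(current_nm, limit_nm)


def extra_bits(doublings):
    """Extra key bits needed to keep today's security margin after the
    attacker's compute has doubled `doublings` times.
    Symmetric: exhaustive search costs 2^n, so +1 bit per doubling.
    Hash / EC: collision and discrete-log attacks cost about 2^(n/2),
    so holding the margin needs +2 bits per doubling."""
    return {
        "symmetric": math.ceil(doublings),
        "hash_or_ec": math.ceil(2 * doublings),
    }


def remaining_headroom(current_nm=32.0, limit_nm=1.0, start_year=2010):
    """Bundle the post's argument into one report."""
    d = density_doublings(current_nm, limit_nm)
    return {
        "moore_expires": moore_expiry_year(start_year, current_nm, limit_nm),
        "density_doublings": d,
        **extra_bits(d),
    }


if __name__ == "__main__":
    for k, v in remaining_headroom().items():
        print(f"{k}: {v}")
```

With the post's figures this yields five halvings, expiry in 2030, ten density doublings, and therefore +10 symmetric bits and +20 hash/EC bits, matching the numbers in the message.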
