[cryptography] Current state of brute-forcing random keys?

Steven Bellovin smb at cs.columbia.edu
Thu Jun 9 14:41:18 EDT 2011

On Jun 9, 2011, at 1:14 49PM, Paul Hoffman wrote:

> Greetings again. I am helping someone design a system that will involve giving someone a randomly-generated key that they have to type in order to unlock data that is private but not terribly valuable. Thus, we want to keep the key as short as practical to reduce typing and mis-typing, but long enough to prevent trivial brute-force attacks. The encryption will be AES-128 in CBC mode.
> What is the current state of brute-force attacks on AES-128 blobs? Are there recent results where we can estimate the cost of brute-forcing 64-bit and 80-bit keys?

I suspect that a simple Moore's Law extrapolation from older numbers will suffice -- no matter how an estimate is derived, there are still sufficiently many unknowns (like overhead for power supplies, chassis, cooling, board density, etc.) that you're not going to do better than an order of magnitude anyway (~3 bits of key length), unless you actually go through the very detailed engineering to design one.

You might do better to use a 128-bit key, but encoded in the S/Key words or something with error correction built in.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
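The suggestion above, a full 128-bit key in a typeable encoding with error checking built in, sketched as an added example that is not part of the original message. It detects and localizes typos rather than correcting them, and it uses Crockford's base32 alphabet with a CRC-8 per group instead of the S/Key word list; the grouping and the function names are assumptions of this example.

```python
import secrets

ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # Crockford base32: no I, L, O, U
FOLD = str.maketrans("OIL", "011")             # fold common misreadings

def crc8(data: bytes) -> int:
    """CRC-8 with polynomial 0x07 and zero init; catches any error burst <= 8 bits."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def encode_key(key: bytes) -> str:
    """128-bit key -> four groups of 8 characters (32 key bits + 8 check bits each)."""
    if len(key) != 16:
        raise ValueError("expected a 128-bit key")
    groups = []
    for i in range(0, 16, 4):
        chunk = key[i:i + 4]
        value = int.from_bytes(chunk + bytes([crc8(chunk)]), "big")
        groups.append("".join(ALPHABET[(value >> s) & 31] for s in range(35, -1, -5)))
    return "-".join(groups)

def decode_key(text: str):
    """Return (key, bad_groups); key is None when any group fails its check."""
    cleaned = text.upper().translate(FOLD).replace(" ", "-")
    groups = [g for g in cleaned.split("-") if g]
    if len(groups) != 4:
        raise ValueError("expected four groups")
    key, bad = b"", []
    for number, group in enumerate(groups, 1):
        if len(group) != 8 or any(c not in ALPHABET for c in group):
            bad.append(number)
            continue
        value = 0
        for c in group:
            value = (value << 5) | ALPHABET.index(c)
        raw = value.to_bytes(5, "big")
        if crc8(raw[:4]) == raw[4]:
            key += raw[:4]
        else:
            bad.append(number)
    return (None, bad) if bad else (key, [])

if __name__ == "__main__":
    typed = encode_key(secrets.token_bytes(16))  # constructed sample key
    print(typed, decode_key(typed.lower()))
```

Because one base32 character spans five adjacent bits, any single mistyped character falls within the CRC's guaranteed burst length, so the user can be told which group of eight to retype.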
