[cryptography] Current state of brute-forcing random keys?

Solar Designer solar at openwall.com
Thu Jun 9 17:53:08 EDT 2011


On Thu, Jun 09, 2011 at 04:22:16PM -0500, Marsh Ray wrote:
> Which neatly fits 2^32 trials per watt-second. A real engineer would 
> probably design the chips to minimize energy-per-trial, but I think our 
> estimate is probably still within an order of magnitude or two.
> 
> Last I checked, in the US electric power is around $0.07 per kWh in 
> areas considered "cheap". So each trial costs $4.53e-18 in electric power.
> 
> For a 64-bit key, you expect the adversary to need 2^63 trials for 
> which he might pay a power bill of $597.

That's scary.  Even more so if you actually multiply by $0.07, which
gives $42.

This means that for a relatively small key size like this, the primary
cost for using an ASIC implementation is in creating that implementation
and in making it solve the specific task, not in electricity.

It also means that a good KDF should not be limited to using iterations,
but should also consume much die area - like scrypt does (requiring RAM)
or/and through lots of parallelism (in one KDF instance).  If
implemented in software (on CPU or GPU), it should more fully use the
resources of that computer system (CPU/GPU execution units, RAM).

Alexander
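
The estimate discussed above, worked through as an added example that is not part of the original post: it recomputes the power bill from the thread's figures (2^32 trials per watt-second, $0.07 per kWh) and shows the RAM one scrypt guess occupies. The function names, the scrypt parameters N=2^14, r=8, p=1, and the assumption that one KDF iteration costs the same energy as one trial are choices made for this example.

```python
import hashlib
import hmac
import os

# Figures taken from the thread: 2^32 trials per watt-second, $0.07 per kWh.
TRIALS_PER_JOULE = 2 ** 32
USD_PER_KWH = 0.07
JOULES_PER_KWH = 3.6e6


def expected_power_bill_usd(key_bits, work_per_trial=1):
    """Electricity cost of searching half the keyspace.

    work_per_trial scales the energy of one guess (assumption: one KDF
    iteration costs as much as one of the thread's trials).
    """
    trials = 2 ** (key_bits - 1)
    joules = trials * work_per_trial / TRIALS_PER_JOULE
    return joules / JOULES_PER_KWH * USD_PER_KWH


def scrypt_memory_bytes(n, r):
    """RAM one scrypt instance needs for its main array: 128 * N * r bytes."""
    return 128 * n * r


def derive(password, salt, n=2 ** 14, r=8, p=1):
    # maxmem is set above the 128*N*r requirement so OpenSSL accepts it.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def verify(password, salt, expected):
    # Constant-time comparison of the recomputed key with the stored one.
    return hmac.compare_digest(derive(password, salt), expected)


if __name__ == "__main__":
    for bits in (56, 64, 80):
        print(f"{bits}-bit key: ${expected_power_bill_usd(bits):,.2f}")
    print(f"64-bit, 2^20 iterations: ${expected_power_bill_usd(64, 2 ** 20):,.0f}")
    mib = scrypt_memory_bytes(2 ** 14, 8) / 2 ** 20
    print(f"scrypt N=2^14 r=8: {mib:.0f} MiB per guess in flight")
    salt = os.urandom(16)  # constructed sample input
    tag = derive(b"constructed sample password", salt)
    print("verify:", verify(b"constructed sample password", salt, tag))
```

Iterations only multiply the energy per guess, while the 128 * N * r bytes must be present for every guess computed in parallel, which is the die-area cost the post refers to.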


