item 43084658

mcint | 1 year ago

p 11 (/30) makes a terrible case in handwaving.

It ignores the requirement that secret data needs to stay secret for 30 years, or 100 years, or long into the future, and attacks only get better.

https://www.schneier.com/blog/archives/2009/07/another_new_a...

> They also describe an attack against 11-round AES-256 that requires 2^70 time—almost practical.

>> AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively).

>> In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively.

vitus|1 year ago

    > They also describe an attack against 11-round AES-256 that requires
    > 2^70 time—almost practical.
But... nobody uses 11-round AES-256. And, crucially, these are related-key attacks, not practical for, say, breaking TLS.

    In 2009, a new related-key attack was discovered that exploits the
    simplicity of AES's key schedule and has a complexity of 2^119. In
    December 2009 it was improved to 2^99.5... However, related-key attacks
    are not of concern in any properly designed cryptographic protocol, as
    a properly designed protocol (i.e., implementational software) will
    take care not to allow related keys, essentially by constraining an
    attacker's means of selecting keys for relatedness.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#K...

(Note that the attack with time complexity 2^99.5 also requires 2^77 bits of memory, or ~16 ZiB, which is, um, billions of terabytes of RAM? edit: actually, this is 2^77 blocks worth of memory, so add a couple more orders of magnitude.)

To date, the best unconditional attack on any full variant of AES provides a factor of ~4 speedup, although it requires 9 PB of data just for AES-128.
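The point in the quoted Wikipedia text, that a protocol "will take care not to allow related keys", is usually met by deriving every subkey through a KDF rather than by arithmetic on the master key. The following is an added illustration, not code from the thread or from any cited source: it contrasts a naive subkey scheme (master XOR counter, where an attacker who influences the counter gets keys with a known XOR difference, which is the relation the 2009 attacks need) with RFC 5869 HKDF, whose outputs have no usable relation to each other. The `naive_subkey`/`hkdf_subkey` names, the salt string and the sample master key are all constructed for the example; the HKDF routines are checked against RFC 5869 test case 1.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: OKM = T(1) | T(2) | ..., T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def naive_subkey(master: bytes, index: int) -> bytes:
    """Anti-pattern (constructed for illustration): subkey = master XOR index.
    Anyone who controls or can guess 'index' knows the XOR difference between
    two subkeys without knowing the master, i.e. obtains related keys."""
    diff = index.to_bytes(len(master), "big")
    return bytes(a ^ b for a, b in zip(master, diff))


def hkdf_subkey(master: bytes, label: bytes, length: int = 32) -> bytes:
    """Subkey derived with HKDF; the label selects a key but gives no control
    over how it relates (bitwise) to any other label's key."""
    prk = hkdf_extract(b"example-salt", master)  # salt is an assumed constant
    return hkdf_expand(prk, label, length)


def xor_difference(k1: bytes, k2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(k1, k2))


def check_rfc5869_vector() -> bool:
    """Sanity check of the HKDF code against RFC 5869 test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def demo():
    master = bytes(range(32))  # constructed 256-bit master key, NOT a real secret
    # Naive scheme: the XOR difference of two subkeys is fully attacker-known.
    k1, k2 = naive_subkey(master, 1), naive_subkey(master, 2)
    naive_diff = xor_difference(k1, k2)  # == 1 XOR 2 == 3, independent of master
    # HKDF scheme: two labelled subkeys, no structural relation between them.
    h1 = hkdf_subkey(master, b"session-1")
    h2 = hkdf_subkey(master, b"session-2")
    return naive_diff, h1, h2


if __name__ == "__main__":
    d, h1, h2 = demo()
    print("naive XOR difference:", d.hex())
    print("hkdf subkey 1:", h1.hex())
    print("hkdf subkey 2:", h2.hex())
    print("RFC 5869 vector ok:", check_rfc5869_vector())
```

The naive difference equals `3` as a 32-byte big-endian integer whatever the master key is, which is exactly the "attacker's means of selecting keys for relatedness" the quoted text says a protocol must remove; the HKDF outputs are still deterministic per label, so the protocol loses nothing by using them.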

bawolff|1 year ago

> It ignores the requirement that secret data needs to stay secret for 30 years, or 100 years, or long into the future, and attacks only get better.

What data has to stay secret for 100 years?

To extrapolate backwards, was there anything in 1925 that would be still sensitive today? It's hard to imagine.

Jedd|1 year ago

"I don't know of any long-lasting secrets" ≠ "There is / will be no need for long-lasting secrets"

The fact you don't know about these might in fact simply indicate the efficacy of the secret keepers.

rocqua|1 year ago

Diplomatic communications about how you plan / succeed at undermining allies. Or communications about atrocities you knew were happening, but decided to ignore.

There is plenty of reason to want to keep diplomatic and military communications secret for a long time.

hatsunearu|1 year ago

idk why you're fixated on 100 years, but stuff like nuclear weapons tech is 1940s-1960s technology and that's still classified.

ziofill|1 year ago

My genetic data will be relevant even after I'm dead because my children and grandchildren share it with me. And it's a modern kind of data that didn't exist in 1925.

dcow|1 year ago

Anything tied to a blockchain.