Sunday, March 23, 2008

Hacking encryption keys: quantum and otherwise

A non-specialist has written a review of quantum computer factoring that matches what I've been reading from my physics blogs. Quantum computing, alas, isn't as impressive as it used to be. Even if we can make it work, quantum computing is not necessarily a qualitative improvement over conventional computation -- though it will explore some (truly) mind-boggling quantum physics.

I wanted to call out one small part of the post though:

... I went over to a site that will tell you how long a key you need to use, uses estimates made by serious cryptographers for the life of keys. They make some reasonable assumptions and perhaps one slightly-unreasonable assumption: that Moore's Law will continue indefinitely. If we check there for how long a 4096-bit key will be good for, the conservative estimate is (drum roll, please) — the year 2060...

Most of us make do with AES 128 bit (Tiger disk image encryption) and AES 256 bit (Leopard disk image encryption) keys. I checked out the NIST 2007 recommendations on and found:

  • AES 128: > 2030
  • AES 256: >> 2030

Another table (ENCRYPT) described 256 symmetric key (ie. AES) as "good protection against quantum cryptography". So most of us don't need to worry about 4096 bit keys unless we're protecting information that will be very valuable in 2040.

I'll be 80 then -- if I'm alive. I'm not too worried.

Of course Schneier et all are usually reminding us that the key length is generally the least of our worries. Weak passwords, dictionary attacks, attacks on keys in memory, etc are all bigger threats. The biggest threat of all, though, is security that either destroys our data (that's really secure!) or that is too onerous to easily implement.

PS. I was in the "quantum will get us" crowd, so I'm a bit humbled by the new wave of "quantum reality".

No comments: