- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 20 Aug 2014 12:10:36 -0700
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 20 August 2014 11:36, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote: > Last I looked AES had 128 bit and larger keys, so that would be 2^127 ? No, 2^64. https://en.wikipedia.org/wiki/Birthday_attack And to be fair, I did some more scratching and came up with USD 2.8M, and I'll probably get a different number next time as well. > Your 1e-10 number I cannot find any basis for. Take the 170K number and reduce the search space by 2^48; then reduce again by the performance gain (4). It gets small fast. > To stop PM, we don't need unbreakable crypto, we just need crypto > which is sufficiently expensive to break. That's all we ever have. We just draw the line in different places. My point is that the line is close enough to what is state of the art to not bother with anything less. There are other factors at play other than simply the cost of a brute-force attack.
Received on Wednesday, 20 August 2014 19:11:03 UTC