GPG's vulnerability to brute force [WAS: Re: GPG's vulnerability to quantum cryptography]

Robert J. Hansen rjh at
Wed May 14 22:15:40 CEST 2014

> First, the Margolus-Levitin limit: "6.10^33 ops.J^{-1}.s^{-1} maximum"
> So, dividing the 2^128 by 6.10^33 gives me a bit less than 57000 J.s  
> (assuming testing an AES key is a single operation). So, that's less  
> than 1min for 1kJ. Pretty affordable, I believe.

No.  But since I'm going to be giving a lot of explanation here about  
how you're misusing the Landauer Bound, I'm going to leave how you're  
misusing the Margolus-Levitin Limit as a homework exercise.  :)

> Again, assuming testing an AES key is a single bit flip

It's not.  You have to rekey the cipher.  This multiplies the energy  
by about a large factor.  To make the math easier, let's call it a  

> According to Wikipedia still, the lowest temperature recorded on Earth is
> 10^{-10} K.

If you want to run the temperature lower than the ambient temperature  
of the cosmos (3.2K), you have to add energy to run the heat pump --  
and the amount of energy required to run that heat pump will bring  
your energy usage *above* that which you would've had if you'd just  
run it in deep space at 3.2K.

So multiply your previous estimate by a factor of ten billion, in  
order to reflect running it at ambient temperature.

10^10 * 10^6 = 10^16.  So far your estimate is off by a factor of a  
thousand trillion.

> So, despite bruteforcing being obviously impossible in this day and age, and
> most likely impossible in the near future, it seems to me that the following
> statement is exaggerated: "The results are profoundly silly: it’s  
> enough to boil the oceans and leave the planet as a charred, smoking  
> ruin."

Assuming you could do AES in a single bitflip, it would require  
liberating as heat as a strategic nuclear warhead.  Every additional  
bitflip adds another strategic nuclear warhead.  By the time you're  
flipping 1000 bits for each rekeying, you're basically inflicting  
World War Three on the earth just to brute-force a cipher.

I stand by my predictions of ecological catastrophe if anyone ever  
brute-forces a 128-bit cipher.

More information about the Gnupg-users mailing list