Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jun 2 19:29:42 CEST 2015
On Tue 2015-06-02 12:41:40 -0400, Robert J. Hansen wrote:
> Right now pretty much everyone is content with RSA-3072, which has an
> estimated work factor comparable to AES-128. So if 128-bit crypto is
> enough, I don't understand the motivation behind jumping to AES-256.
> There needs to be something motivating this besides "bigger is better".
I agree with you that these comparisons are a decent rough estimate when
considering attacking a single ciphertext. But I don't think the
argument holds looking at the bigger picture.
Let's consider an adversary that can store as many OpenPGP-encrypted
messages as it has access to. Maybe it sniffs SMTP traffic as well? If
the attacker is interested in breaking the crypto of any *one* of these
messages, it can reduce the amount of work it has to do significantly.
As djb put it:
>> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
>> _total_ of 2^128 easy computations. Even worse, there are standard
>> attacks that find _at least one_ of the keys using just 2^78 easy
>> computations, a feasible computation today.
Note that he's describing a known-plaintext attack; this might be
relevant, for example, if there is a standard prefix of the data being
encrypted (perhaps a common MIME header? or if you're doing regular
backups of a standard filesystem, the beginning of the tar format?).
Of course, there aren't 2^50 AES-128-encrypted known-plaintext OpenPGP
messages today that such an attack would work on. But why would we want
to leave users open to this?
> Let me turn the question around, dkg. (Completely serious here, not
> snark.) What problem do we have with AES-128 that switching to AES-256
> will solve?
Is the above argument enough for you? Remember that these AES-128
ciphertexts are likely to exist well into the future, and attacks only
get better with time.
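The multi-target ("any one of N keys") search that dkg and djb describe, shown as an added example that is not part of the original thread. It uses a deliberately tiny toy block cipher (18-bit key, 32-bit block, no security value) so the exhaustive search finishes in seconds, and two constructed known-plaintext blocks standing in for the "standard prefix" mentioned above. The attack treats the cipher as a black box, so the structure carries over unchanged to AES-128; only the exponents change (2^128 total work to break a batch of 2^50 keys is 2^78 per key recovered, which is djb's figure).

```python
import random
from typing import Optional

KEY_BITS = 18                      # toy keyspace so the search runs in seconds
KEYSPACE = 1 << KEY_BITS           # (AES-128 would be 2**128)
MASK32 = 0xFFFFFFFF

# Two known plaintext blocks shared by every target, standing in for the
# "standard prefix" the post mentions (MIME header, tar header). Constructed
# for this demo, not taken from any real message.
KNOWN_BLOCK = 0x25504446           # b"%PDF"
CHECK_BLOCK = 0x2D312E34           # b"-1.4", used only to confirm a candidate


def toy_encrypt(key: int, block: int) -> int:
    """Toy 32-bit block cipher with an 18-bit key (assumed stand-in for AES).
    Every step (xor with a round key, rotate, multiply by an odd constant
    mod 2**32) is a bijection, so each key gives a genuine permutation;
    it has no security value whatsoever."""
    x = block & MASK32
    for r in range(4):
        rk = ((key + 1) * 0x9E3779B1 + r * 0x7F4A7C15) & MASK32
        x ^= rk
        x = ((x << 7) | (x >> 25)) & MASK32
        x = (x * 0x01000193) & MASK32
    return x


def single_target_search(ct: int, check_ct: int) -> tuple[Optional[int], int]:
    """Ordinary brute force against one ciphertext. Returns (key, trials)."""
    for k in range(KEYSPACE):
        if toy_encrypt(k, KNOWN_BLOCK) == ct and toy_encrypt(k, CHECK_BLOCK) == check_ct:
            return k, k + 1
    return None, KEYSPACE


def multi_target_search(targets: dict[int, list[tuple[int, int]]]) -> tuple[Optional[int], Optional[int], int]:
    """Batch attack: recover *any one* key among N targets.

    `targets` maps E_k(KNOWN_BLOCK) -> [(target_id, E_k(CHECK_BLOCK)), ...].
    Each candidate key costs one encryption plus an O(1) hash lookup that
    tests it against all N targets at once, so the expected number of trials
    drops from KEYSPACE/2 to about KEYSPACE/(N+1). Returns (target_id, key, trials).
    """
    for k in range(KEYSPACE):
        ct = toy_encrypt(k, KNOWN_BLOCK)
        hits = targets.get(ct)
        if hits is None:
            continue
        # A single-block match can be a false positive (two keys mapping the
        # same plaintext to the same ciphertext); confirm on the second block.
        check_ct = toy_encrypt(k, CHECK_BLOCK)
        for target_id, want in hits:
            if want == check_ct:
                return target_id, k, k + 1
    return None, None, KEYSPACE


def run_demo(n_targets: int = 1024, seed: int = 2015) -> dict:
    """Encrypt the known blocks under n_targets random keys, then compare the
    work of attacking one ciphertext with attacking the whole batch."""
    rng = random.Random(seed)
    keys = rng.sample(range(KEYSPACE), n_targets)      # distinct target keys
    targets: dict[int, list[tuple[int, int]]] = {}
    for tid, k in enumerate(keys):
        targets.setdefault(toy_encrypt(k, KNOWN_BLOCK), []).append(
            (tid, toy_encrypt(k, CHECK_BLOCK)))

    # Single-target: pick the first victim and brute-force only that message.
    k0 = keys[0]
    found_single, trials_single = single_target_search(
        toy_encrypt(k0, KNOWN_BLOCK), toy_encrypt(k0, CHECK_BLOCK))

    tid, found_multi, trials_multi = multi_target_search(targets)
    return {
        "n_targets": n_targets,
        "single_ok": found_single == k0,
        "trials_single": trials_single,
        "multi_ok": found_multi is not None and found_multi == keys[tid],
        "trials_multi": trials_multi,
        "expected_single": KEYSPACE // 2,
        "expected_multi": KEYSPACE // (n_targets + 1),
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['n_targets']} targets, {KEY_BITS}-bit keys")
    print(f"single target: {r['trials_single']} trials (expected ~{r['expected_single']})")
    print(f"any-of-N     : {r['trials_multi']} trials (expected ~{r['expected_multi']})")
```

The batch search never does more than one encryption per candidate key, exactly as the single-target search does; the saving comes entirely from the hash lookup comparing that one result against every collected ciphertext. That is why the per-key cost falls in proportion to the number of messages an adversary has hoarded, and why the defence is a key long enough that even 2^k divided by a very large N stays out of reach.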