31

Given that much of our ECC crypto primitives provide “only” 128-bit security when defined over a 256-bit curve due to Pollard rho, is it then still safe in 2020 to consider 128-bit security safe for the medium term (5-8 years)?

I’m looking for an answer from an energy/thermodynamic POV given advances in current lithography and GPUs, rather than with regard to a specific cipher, however for discussion I consider AES-GCM or Salsa20 as example symmetric ciphers I use with 128-bit keys.

Bruce Schneier speaks of AES-128 in Cryptographic Engineering as if it’s already broken!

Woodstock

3 Answers

40

I strongly disagree with saying that AES-128 is broken, in any way, shape or form, and likewise ECC with 256-bit keys. Note that even in this answer by @kelaka regarding AES-128, you would need over 34 million years of the entire bitcoin mining power to carry out a computation of $2^{128}$. This is far from broken. If quantum computers ever happen at scale, it is very very unclear how long it would have to actually run to achieve $2^{64}$ quantum computations for AES-128 (but ECC-256 would be in bigger trouble). Bottom line, these are far from broken. (I don't know what Schneier quote you are referring to, but anyway I completely disagree.)

Yehuda Lindell
  • Don't we say that an algorithm is theoretically broken if an attack requires less time than brute force? There is no classical computing power that can reach $2^{126.1}$. Of course, this doesn't mean it is broken in practice. Or should we use a minor term, as a weakness has been found? – kelalaka Jan 14 '20 at 06:13
  • We do, but here one also needs to apply some reason. I don't think that $2^{126.1}$ classifies as a weakness that is a concern. On the contrary, the fact that after 20 years the best attack is $2^{126.1}$ increases my confidence significantly in AES. – Yehuda Lindell Jan 14 '20 at 07:04
  • It's a bit like the DES attack in $2^{55}$ time due to the complementary property. It's a weakness, but not one that is of real concern. – Yehuda Lindell Jan 14 '20 at 07:33
  • I would say the DES complement property is a simple property compared to the Biclique attack. Not sure, but maybe the designers were also aware of it (enlighten me if there is reverse evidence). Small correction: it is now almost 22 years since NIST called for an algorithm, September 12, 1997, @fgrieu. In my opinion, any attack that diverges from brute force must use much more resources if there is no backdoor, etc... – kelalaka Jan 14 '20 at 08:07
  • "Broken" means different things to academic cryptographers and cybersecurity people. An academic will call it broken if you could compute it within the next billion years or so. – Tom Jan 15 '20 at 11:57
  • I agree with Tom; to me, an algorithm is "broken" if the attack takes less time than the usefulness of the data it's protecting. My root CA has a 30 year lifetime; if breaking the key takes more than 30 years then in practical terms, I'm fine with that. If a developer wanted to use RSA512 for certs that expire after 1 second, I'd at least hear them out. However, I imagine that academics have a much higher bar for what counts as "broken". – Mike Ounsworth Jan 15 '20 at 21:59
  • I respectfully disagree. No one thinks that if you can break AES128 in $2^{95}$ time that this is broken in the sense that your data isn't safe today. What we do say is that if this attack is possible, then there is a very good chance that much better attacks will also exist. This is from many years of experience and examples, and has nothing to do with academics. – Yehuda Lindell Jan 16 '20 at 08:23
  • Looking at the math in that link ($2^{35}$ years), I think "34 million" should be "34 billion". – Jack O'Connor Jan 15 '21 at 01:54
  • To make it worse (for the quantum computers), you can't parallelize quantum operations to get to $2^{64}$ more quickly quite like you can with classical operations. At best, $k$ quantum computers attacking a 128-bit cipher in parallel will take $2^{64}/\sqrt k$ quantum operations, not $2^{64}/k$. The only reason why $2^{64}$ is too little classical security is because we can crack it in parallel with a huge number of computers. – forest Feb 13 '21 at 23:18
19

As you specifically asked for comparisons of the 128-bit security level with concrete things, here is some food for thought (to complement the other answers):

  • $2^{61} \approx$ SHA-1 chosen-prefix collision (i.e. definitively practical) from the recent SHA-mbles attack.
  • $2^{63} \approx$ the initial SHA-1 collision from the SHAttered attack (which ran over multiple months), i.e. practical for Google, 3-letter agencies, and other large scale actors.
  • $2^{66} \approx$ current Bitcoin hashrate per second! (i.e. shows the limits of current computing power)

Notice how the $2^{80}$ level is already attained by the raw computing power leveraged by the Bitcoin network: every ~4.5 hours the bitcoin network has performed $2^{80}$ SHA computations.

This also means that the 64-bit and 80-bit levels are broken, and we should definitively move away from 64-bit block ciphers. To quote the above-mentioned "SHA-mbles" research:

As a side result, this shows that it now costs less than 100k USD to break cryptography with a security level of 64 bits (i.e. to compute $2^{64}$ operations of symmetric cryptography).

Now, you might have heard of Bruce Schneier, and his book "Applied Cryptography", in which he says:

One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. (Stick with me; the physics lesson is almost over.)

Given that $k = 1.38×10^{-16}$ erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume $4.4×10^{-16}$ ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

Now, the annual energy output of our sun is about $1.21×10^{41}$ ergs. This is enough to power about $2.7×10^{56}$ single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to $2^{192}$. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

But that's just one star, and a measly one at that. A typical supernova releases something like $10^{51}$ ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

Sadly, this is advocating for the security of the 256-bit level, and when converted to the 128-bit level, it just tells us that we would need to use all of the sun's energy for roughly 0.1 nanoseconds in order to flip through all the possible states of a 128-bit counter.

Thermodynamics doesn't really help us with impressive comparisons at the 128-bit level, because it is still relatively small.

Lery
  • Interesting, thank you! – Woodstock Jan 14 '20 at 12:16
  • @fgrieu You're right, I made too many mistakes there. I'll say I was hungry and rushing to my lunch as an excuse. :( Hopefully I've addressed them now. – Lery Jan 14 '20 at 13:36
  • @Lery: yes, the answer is now fine. Note: bitcoin hash rate is customarily given for the SHA-256d hash, and we can double (add one bit) for SHA-256. That speed is made possible by using ASICs and wasting energy. According to my back-of-the-envelope calculations, we are only 20 bits or so before the best way to make money with bitcoin is designing and operating an ASIC to break the private keys of the whales. If that leads to a ban or otherwise end of all cryptocurrencies based on mining, that's good! – fgrieu Jan 14 '20 at 15:19
  • @fgrieu, "only 20 bits" may not sound like much, but it's 30 years of progress under Moore's law. – Mark Jan 14 '20 at 23:42
  • @Mark likely more, considering Moore's Law is slowing down as we approach physical limits for transistor sizes. Then again, anything could happen in 30 years: from a major physics breakthrough to WW3. – Dan M. Jan 15 '20 at 13:08
  • Wow, that's the first time I've ever seen information theory entropy and thermodynamic entropy related in some way. Back when I was in Chemical Eng school (taking lots of thermodynamics), I was friendly with lots of Electrical Eng folks who would talk about "bits of entropy". I'd point out that energy, entropy and absolute temperature were all related (see: https://wright.nasa.gov/airplane/thermo2.html). We had fun working out the units of a bit (in terms of mass, distance, time and temperature). I didn't realize that there was an actual relationship - I just figured that it was an analogy. – Flydog57 Jan 31 '20 at 22:50
  • Less than $1/10^9$ of the total radiated solar energy reaches earth, and the temperature of computers is roughly 100 times higher than the ambient temperature of earth. Also, the AES algorithm expects you to do 10 steps in the 128-bit variant, which we assume requires flipping at least 10 bits. The best you could do from here would be brute forcing AES128 in an expected time of about 3 hours if you had the most efficient computer. – pqnet Feb 03 '20 at 17:44
  • This was a fantastic read. Not sure if it is all true, as I'm not a physicist, but if it is, then I'd say AES 128 is pretty safe for the foreseeable future. I can't predict what Quantum computers may do to it, but traditional brute force... I bet ain't gonna be possible within our lifetimes. Smarter people than me suggest that we would have to disassemble Mercury (the planet) to build a Dyson Swarm, a much less ideal, and thus much less efficient, version of the Dyson Sphere. And even if we had that, we would never use all of it to run a computer aimed at breaking a single key. – vullnetyy Nov 27 '23 at 23:07
10

The current recommendations of the BSI recommend 120 bits of security beyond 2022. And AES 128 is still in their recommendations.

If the current estimate of AES128 is about 126.1 bits of security, that's still above the threshold. And AES has been subject to a lot of cryptanalysis for many years, so that estimate seems quite strong.

For crypto with keys that are too short, it's quite likely that people use RSA keys that are too short.

tylo