2

When people ask for a block-cipher with a larger key space than AES-256 replies usually just state that there is no need. I see where that is coming from the future is hard to predict.

The two main problems I can see are Grover's algorithm (see below) and the fact that we can not see all the problems.

I have no idea how powerful quantum computers will be in 2120 so we may consider upper bounds. e.g. At 20ºC, the Landauer limit* is about 2^-80 watt-hours per bit. I do know that some other ciphers (like threefish) have larger key spaces.

The fact that AES may be broken within 100 years (exactly) was apparently addressed by the OneHundredYearCryptography project by XORing it with XSalsa20.

To reiterate I want to know if AES-256 will be safe throughout our life time.

*To the best of my knowledge, experimental quantum computers that operate at the limit are actually much faster than other experimental computers that are also at/near the limit. I don't know if there is a price difference however.

Edit for background: Grover's algorithm is an attack that is analogous to brute force attack. The differences are that its complexity is the square root of the key space (2^(256/2)) rather than the key space itself, and that it can only be run on a quantum computer. I'm confident that no conventional or quantum computer will be able near-brute-force it, but I'm not that sure that a quantum computer won't be able to Grover it. Therefore, the power of quantum computers by 2120 is of more interest than the power of electrical computers at that time.

Nic
  • 498
  • 2
  • 9
  • 3
    AES-256 implementations are cracked thru side channels (timing/cache, DPA/DEMA). I find it credible that this will remain the main and the only exploited security issue of AES, with the marginally satisfactory block width a distant second concern. – fgrieu May 20 '20 at 04:51

1 Answers1

8

I want to know if AES-256 will be safe throughout our life time.

No one knows that. Here is what we do know:

  • A brute force search (by conventional computers) will be totally impossible. This can be shown by a power analysis of the minimal amount of power used per step (the minimal amount of power to change a state is $kT$, where $k$ is Boltzman's constant circa $1.38 \cdot 10^{-16} \text{ erg/}^\circ\text{K}$, and $T$ is the temperature in Kelvin. If we assume a computer that's running at cosmic background radiation temperature ($3.2 ^\circ K$), the minimal energy to step a counter though $2^{256}$ keys would be about $5 \cdot 10^{61}$ ergs; the annual output of the Sun is about $1.21 \cdot 10^{41}$ ergs, so unless you can harness a considerably larger output than our Sun within 100 years, this is impossible

  • A Grover's search (by a Quantum Computer) will also be impossible. In theory, Grover's could find a 256 bit key in $O(2^{128})$ steps (which is far more achievable than the $2^{256}$ steps in the previous paragraph), it turns out that, to achieve this "low" amount of computation, Grover's search would require $O(2^{128})$ sequential AES evaluations (where you can't start the next until the previous one has completed). If we assume that our Quantum Computer can't compute an AES function in less than a femtosecond ($10^{-15}$ seconds [1]), then this would take $10^{16}$ years, rather longer than your 100 year deadline. To meet your deadline of 100 years, you would need to split up the key space into $2^{94}$ parts, and give each part to one of a total of $2^{94}$ Quantum Computers (each one performing AES operations at this completely unrealistic speed).

  • Cryptographical advancement (that allows an attacker to recover the plaintext without trying all possible keys); this is an open question. I personally don't expect a total break; that is, something that, given a reasonable amount of ciphertext (and possibly some known plaintext), will allow them to decrypt; I wouldn't be that shocked if someone in the next hundred years found a theoretical break (e.g. $O(2^{150})$ effort given vast mounds of chosen plaintext). However, this is what people are worried about (as it is easy to see that the other two break methods are totally infeasible).

[1]: For reference, a femtosecond is approximately the time it takes light to travel 0.3 microns; this implies that our AES evaluation engine must be considerably smaller than your average bacteria...

poncho
  • 147,019
  • 11
  • 229
  • 360
  • To whoever downvoted me: why? Is there something that I wrote which was incorrect? That did not address the question? – poncho May 21 '20 at 20:07