7

According to this and this, seems even 128 bit encryption should remain secure for a much longer time than what security organizations say.

I saw the standards with this: http://www.keylength.com/en/compare/

For example NIST apparently says 128 bit encryption is considered secure up to around 2030. (it is written '> 2030' - what does it mean exactly?)

Are such near dates because of the possibility of quantum computers becoming real at that time?

Community
  • 1
H M
  • 2,957
  • 6
  • 22
  • 21
  • 3
    It is worth pointing out that quantum computers don't help much against symmetric encryption. It is primarily asymmetric encryption which is weakened by quantum computing due to the ability to factor large semi-primes. – AJ Henderson May 22 '13 at 20:18
  • 2
    > clearly means at some point after 2030. – Ramhound May 23 '13 at 00:30
  • 2
    @AJHenderson they do help, effectively halving the level of security. A quantum computer could break AES-128 with $2^{64}$ steps, which is feasible. – Conrado May 29 '13 at 16:37
  • 1
    @ConradoPLG - I do see that Grover's algorithm may be able to be used to halve the bit depth. Good observation. – AJ Henderson May 29 '13 at 17:05

2 Answers2

7

By ">2030", NIST is actually stating that 128-bit symmetric encryption should be safe until at least the year 2030. If the current version of any given piece of software that relies on 128-bit cryptography is still around in 17 years, bravo.

As Dan said, it's NIST's job to be pessimistic about these things, because everyone listens to them, and because cryptography, in the cold light of day, has a pretty bad track record; if we had, by now, developed the ideal symmetric encryption primitive (as in, we can mathematically prove there are no attacks more efficient than brute force) that used a finite key length (OTP is provably uncrackable because it uses an infinite key length), we would still be using it.

As it is, almost every cryptographic system that has ever been devised through human history has since been cracked, and while the ones currently in use today (an elite minority of all ciphers ever invented) are believed secure, it's only because the best attacks known against them right now are only better than brute force when applied against a reduced-complexity version of the algorithm (fewer "rounds" of the cipher).

KeithS
  • 6,758
  • 1
  • 22
  • 39
  • "128-bit cryptography is still around in 17 years, bravo." -- true for commercial, but I'd bet you money that there will be big organizational systems alive and well today that are still using the same legacy components in 2030 with software that is no longer supported but still running. :) – bethlakshmi May 23 '13 at 15:58
4

One reason would be the potential for flaws discovered in the 128-bit algorithms that reduce its effective entropy.

As an example, perhaps a flaw is discovered that leaks information. This leak might reduce the effective number of bits to say, < 100-bit, making attacks more than 228 times easier.

It's essentially hedging bets against a multitude of possibilities, both from technological advancement (e.g. Quantum computers) to design flaws in the algorithm.

Dan McGrath
  • 219
  • 1
  • 3
  • The [website](https://web.archive.org/web/20130430222712/http://www.keylength.com/en/compare/) linked specifically states: "*The lengths provided here are designed to resist mathematic attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.*" Additionally, if we extend this argument we could say that no encryption standard is truly safe since it's theoretically possible that a critical flaw could be discovered (or is already known to some) at any point between now and 2030 so no useful estimates can be given if we wanted to account for non-mathematical attacks. – Lilienthal Oct 26 '15 at 22:30