I am wondering if is there any (secure!) cipher like AES or Camelia with keys longer than 256 bits (and offering higher security than 256 bits). I have not found anything except http://www.ciphers.de/eng/index.html where they say they have such cipher (but I have not found anything about that cipher).
-
256 bit AES in a EDE chain is trivially 768 bits – ratchet freak Sep 13 '13 at 11:34
-
1@ratchetfreak That is incorrect. 256-bit AES in EDE would be 512 bits due to the meet-in-the-middle attack. This is also the reason 3DES has a 112 bit security level, not 168 (despite it taking 168 bits of key material). – forest Apr 23 '18 at 03:32
1 Answers
There is no higher security than 128 bits. There are longer keys, for sure, but we cannot say that they offer "more" security, because they is no security level beyond "meh, cannot break it".
A symmetric encryption algorithm can be generically broken by exhaustive search, i.e. trying out all possible key values; with n-bit keys, there are 2n possible key values. When n grows, this number soon rises way beyond that which is technologically feasible. Threshold depends on current technology, but physics tell us that there are hard limits which seem unavoidable, related to energy consumption (see this answer for details). Right now, all the might of mankind, united for a decade for a single crypto-breaking goal, might pull off an exhaustive search on a 95-bit or so key, but a realistic organization (say, with the combined resources of Apple, Google and Microsoft together) would stop below, around 80 bits. Each additional bit doubles the cost, so 128 bits are more than enough to be in the "cannot break now or in twenty years" zone.
Additional key bits are there for the psychological effect, not for security. We like to go to 128 bits because 128 is a power of 2 and cryptographers just love powers of 2. Beyond that, extra key size is no more than an assertion of manhood. It is a bit like cars. A 128-bit key is a comfortable, fast and powerful BMW car. A 192-bit key is a Hummer with chrome bumpers. A 256-bit is an Aircraft Carrier. When looking for a "more than 256 bits" key, you are actually trying to paint your Aircraft Carrier in bright red.
Now there are a few algorithms which allow for longer keys, not because it helps with anything, but because there was room for it and it would have taken some effort to forbid it. For instance, Blowfish goes to 448 bits. SHACAL (both SHACAL-1 and SHACAL-2) accept keys up to 512 bits. Threefish works with a whooping 1024 bits.
-
Ok, I know that 128 bit ciphers are totally sufficient (for now or next thirty years). But I was thinking about a cipher that would be (probably secure for over 50 years even against quantum computers). According to this http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit/19762#comment21986_14072, the quantum computer divides the security by two. So if there is a cipher with complexity about 2^128 it would become 2^64 which might be breakable. That is the reason of my question. – Pter Sep 13 '13 at 15:39
-
Then 256-bit keys provide 128-bit security against quantum computers -- if they ever exist. – Tom Leek Sep 13 '13 at 15:44
-
-
-
Bitcoin miners reached ≈2^92 SHA-256 hashes per year in 06 Agust 2019. Also, this answer missing the Grover's algorithm. If ready we must switch to 256-bit. – kelalaka Sep 17 '19 at 15:20