[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Table of Key Lengths and Brute Force Cracking Times
Here are some numbers from Bruce Schneier's article in the April 1994
"Dr. Dobb's." The article is a review of the "Cambridge Algorithms
Workshop," where Bruce also presented a paper on Blowfish.
These estimates are in a slightly different form than what "Applied
Cryptography" has (on pp. 130-135), and incorporate (apparently) the
Michael Wiener DES-busting estimates from last summer.
First, some typical key lengths for block ciphers, as reported by
Schneier:
Algorithm Key Block Problems/Comments
DES 56 64 key too small
Triple DES (3DES) 112 64 slow
Khufu (Merkle/Xerox) 64 64 patented, key too small
FEAL 32 64 64 patented, key too small
LOKI-91 64 64 weaknesses, key too small
REDOC II 160 80 patented
REDOC III variab. 64 patented
IDEA (Europe) 128 64 patented
RC2 (RSADSI) variab. 64 proprietary
Skipjack (NIST/NSA) 80 64 secret algorithm
GOST (FSU, Russia) 256 64 not completely specified
MMB 128 128 insecure
The "problems" reported are exactly as reported by Schneier. No
mention of RC4, which may in "exportable" versions may be as short as
40-45 bits.
Second, some estimates of brute-force cracking time:
Key Length Time for a $1M Time for a $1B ($1000M)
Machine to Break Machine to Break
40 0.2 second 0.0002 sec
56 3.5 hours (Wiener) 13 sec
64 37 days 54 minutes
80 2000 years 6.7 years (2 years?)
100 7 billion years 7 million years
128 10^18 10^15 years
192 10^37 years 10^34 years
256 10^56 years 10^53 years
Note that a billion dollar cipher-busting machine is not out of the
question. Norm Hardy once described to us the $100M "Harvest" machine
(also described by Bamford). NSA has its won on-site wafer fab
facility (built by National Semiconductor several years back).
A single Space Shuttle launch costs around a billion dollars (NASA
says $0.6B, GAO says $1.5B), and many of the launches are just put up
reconnaisance and SIGINT satellites, so spending $500M to $1B on
special computers to crunch the data seems plausible. (However, it's
hard for NSA to make plans for what key length they'll have to target.
It's also not clear that enough non-financial users have been using
DES to make it "necessary" for such large expenditures....a single
machine that can crack a DES-encrypted message in, say, 1-10 hours may
be enough for their current needs. All of this is just speculation.)
For logistical and other reasons, I would expect they may have
_several_ smaller machines. Just as effective, of course,
cumulatively.
Obviously a billion dollars worth of hardware will not be dedicated
for a couple of years to crack a single 80-bit cipher.
Anyway, you all can fool with these numbers and draw your own
conclusions.
Ron Rivest did some similar calculations for RSA modulus sizes and
came to similar conclusions (e.g., 1200-bit modulus will withstand
even attacks by billion-dollar machines for several more decades).
--Tim May
--
..........................................................................
Timothy C. May | Crypto Anarchy: encryption, digital money,
[email protected] | anonymous networks, digital pseudonyms, zero
408-688-5409 | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."