[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Counter Mode Security: Attacks, Storage & a Proposal

To: tytso@mit.edu
Subject: Re: Counter Mode Security: Attacks, Storage & a Proposal
From: "The Purple Streak, Hilarie Orman" <ho@alum.mit.edu>
Date: Fri, 22 Nov 2002 11:59:34 -0700
Cc: ipsec@lists.tislabs.com
In-reply-to: Yourmessage <20021122040009.GA549@think.thunk.org>
Sender: owner-ipsec@lists.tislabs.com

Creating a lookup table for a cipher with a key of N bits is 2^N in
time and space, not O(1).  The 2^85 figure for counter mode is the
right way to look at it.

We are talking about 2^85 in storage and 2^85 in time for counter mode,
as noted several times.  The argument is over whether or not there is such a
large linear factor associated with storage that we should take it into
account in the measure of difficulty.  There are some reasons to do so,
two being the cost of access and the fact that storage is committed for
the duration of the calculation, while CPU cycles just keep accumulating.

Based on today's storage technology, it would appear that, given Moore's
Law, there is a 50 year safety margin in the 2^85 storage difficulty.
I'd cut that down considerably, because storage is area with the most
room for improvement, based on physics.  Nonetheless, I guess it is
unlikely to change dramatically in the next 20 years.  That puts it at
the edge of acceptability.  I'd still vote no, were anyone voting.

Hilarie

References:
- Re: Counter Mode Security: Attacks, Storage & a Proposal
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: SPD policy document/article
Next by Date: Re: SPD policy document/article
Prev by thread: Re: Counter Mode Security: Attacks, Storage & a Proposal
Next by thread: RE: Counter Mode Security: Attacks, Storage & a Proposal
Index(es):
- Date
- Thread