AES and other modern encryption algorithm are considered strong and sometimes one can see quotes like "it's not recommended to use classic zip encryption since it is no longer considered strong". But is there a really non-linear difference between them? For example, if both produce sequences with high entropy, does it mean that with a very long password (512 bit and more) they both become indistinguishably strong since lets say theoretically we can break AES for example with billion year computer time and zip with 1/10 of that time?
views:
91answers:
1
+4
A:
Yes. When people talk about "strong" encryption, they refer to an encryption scheme where there are no known techniques to recover plaintext that are significantly better than a brute-force key search. "Significant" is an important word here: there is an attack on 256-bit AES with a complexity of 2^119. That's an enormous reduction in the search space, but 256-bit AES is still considered strong because it's simply computationally unfeasible to pull off.
In comparison, the attacks on classic pkzip encryption are as low as 2^27. That's so much simpler than the attack on AES that it's actually quite difficult to visualise; calling it non-linear simply doesn't do it justice. One is trivial, the other impossible.
The reduction to 2^119 for AES is based on a very very special scenario and practically not usable. See http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
tuergeist
2009-08-26 08:30:31
2^27 is 130 million. A 2 GHz CPU does 130 million operations in 1/15 of a second. Assuming it takes 1500 operations to test a key, you will still break a key in well under 2 minutes. Now, assume you have a CPU that is 1000 times faster, and you have 1000 of them, and testing an AES key takes only one operation, you still need 10 trillion years.
Jörg W Mittag
2009-08-29 13:36:09