I am currently looking at fixing a bit strength for some crypto work so I thought it may be good time to check the state of the parties, so to speak.
If we brute-forced n bits, the likelihood of our first guess being correct is the same as having to exhaust the whole key space. As the number of tests tends to infinity the average 'hit' will tend to half of the key space. For 80 bits then we should use 2^80/2 = 2^79.
The fastest computer on the planet at the moment is the Sunway TaihuLight knocking out 93 petaflops.
Here are some expected value breaking points based upon the Chinese machine.
80 bit => 9.5 weeks
96 bit => 11,988 years
112 bit => 785.6 million years
128 bit => 51,489 billion years
192 bit => 9.5 x 10^32 years
256 bit => 1.7 x 10^52 years
The NIST, not long ago, stopped recommending 80 bit as the minimum strength for passwords and are now recommending 112 bit.
I have been using at least 96 bit for some time and expected the NIST to go for 96. Hash functions are treated as having n/2 bits of strength for an n-bit hash. However, there isn't a 192 bit hash. The 'shortest' hash that the NIST recommends is SHA224 which has a bit strength of 112. <smile>
Putting aside an algorithmic 'break through' and quantum computing, 128 bit should be adequate for the majority of folk for some time to come.
The NIST reckon that 112 bit should hold us in good stead until about 2030. Now, I know that Moore's Law has been under pressure for the last few years, but if it held then in 12 years' time the 112 bit value above would reduce to 12.3 million years, so I don't know how the NIST came up with 2030. In my view they took too long to drop 80 bit and are now taking a pessimistic view on 112 bit. Perhaps they know something we don't.
Anyway, I will be settling on 128 bit for my stuff.
Crypto bit strength
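The arithmetic behind the table in the post, as an added Python script that is not part of the original post. It assumes, as the post does, that the machine's 93 petaflops can be treated as 93e15 key tests per second (one test per floating-point operation, which is a generous upper bound on an attacker; a real key test costs many operations), that the expected work is half the key space (2^(n-1) trials), that an n-bit hash gives n/2 bits of collision strength, and that "Moore's Law" means attacker speed doubling every two years (that is the assumption under which 785.6 million years becomes about 12.3 million in 12 years). The post does not state its rounding or exact rate, so the printed years differ slightly from its table. The `bits_needed` helper is an addition that answers the post's underlying question directly: the smallest key size whose expected brute-force time meets a chosen target.

```python
import math

# Assumed attacker rate, following the post: Sunway TaihuLight at 93 petaflops,
# treated as 93e15 key tests per second (an upper bound, not a measured figure).
TESTS_PER_SECOND = 93e15
SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_WEEK = 7 * 24 * 3600


def expected_guesses(bits: int) -> int:
    """Expected trials to hit a uniformly random n-bit key.

    Every guess is equally likely to be right, so on average an attacker
    tests half the key space: 2**bits / 2 == 2**(bits - 1).
    """
    return 1 << (bits - 1)


def expected_seconds(bits: int, rate: float = TESTS_PER_SECOND) -> float:
    """Expected wall-clock seconds at `rate` key tests per second."""
    return expected_guesses(bits) / rate


def expected_years(bits: int, rate: float = TESTS_PER_SECOND) -> float:
    """Expected wall-clock years at `rate` key tests per second."""
    return expected_seconds(bits, rate) / SECONDS_PER_YEAR


def projected_years(bits: int, years_ahead: float,
                    doubling_period: float = 2.0,
                    rate: float = TESTS_PER_SECOND) -> float:
    """Moore's-law style projection (assumed model, not a forecast):
    attacker speed doubles every `doubling_period` years, so the expected
    time shrinks by a factor of 2**(years_ahead / doubling_period)."""
    speedup = 2.0 ** (years_ahead / doubling_period)
    return expected_years(bits, rate * speedup)


def hash_collision_strength(hash_bits: int) -> int:
    """Birthday bound: an n-bit hash offers roughly n/2 bits against collisions."""
    return hash_bits // 2


def bits_needed(target_years: float, rate: float = TESTS_PER_SECOND) -> int:
    """Smallest key size whose expected brute-force time is at least
    `target_years` at the given rate: solve 2**(bits-1) >= target trials."""
    target_trials = target_years * SECONDS_PER_YEAR * rate
    return math.ceil(math.log2(target_trials)) + 1


def _human(years: float) -> str:
    """Format a duration for the table: weeks when short, years otherwise."""
    if years < 1:
        return f"{years * SECONDS_PER_YEAR / SECONDS_PER_WEEK:.1f} weeks"
    if years < 1e9:
        return f"{years:,.0f} years"
    return f"{years:.3g} years"


if __name__ == "__main__":
    print(f"Rate assumed: {TESTS_PER_SECOND:.3g} key tests/second")
    for n in (80, 96, 112, 128, 192, 256):
        print(f"{n:3d} bit => {_human(expected_years(n))}")
    # The post's Moore's-law thought experiment for 112 bits, 12 years out.
    print(f"112 bit in 12 years (doubling every 2 years) => "
          f"{_human(projected_years(112, 12))}")
    print(f"SHA-224 collision strength: {hash_collision_strength(224)} bits")
    print(f"Key size for >= 1 year expected work at this rate: "
          f"{bits_needed(1.0)} bits")
```

The `expected_years` figures scale linearly with the assumed rate, so the table is easy to redo for a different machine or for a cluster by changing `TESTS_PER_SECOND`; the `projected_years` model is only as good as the doubling-period assumption, which is the point the post makes about Moore's Law being under pressure.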