Noone get whooshed Noone get whooshed Noone get whooshed Noone get whooshed Noone get whooshed Noone get whooshed Noone get whooshed Noone get whooshed
@@codycast the OC is obvious whoosh bait. Designed to make someone go "but he does have a channel," (which he indeed does) after which they get whooshed. The OC is pretending to not know about that channel.
The same error is in the video at 6:06 -- a bit of sloppy language, and I know he understands this (much better than me), but the video does say that Grover's algorithm can hypothetically reduce AES-256 to AES-128 and "halve the keyspace" -- no, in that case it can divide the keyspace by 2^128, i.e. reduce it by a factor of 3.4 * 10^38.
Was just going through a Dr. Pound binge of old Computerphile videos, and bam! All of a sudden, a new one 12 mintues ago. He is definitely my favourite presenter on this channel.
I'm glad he addressed the naivety of the quantum computing argument. If I had a nickel for every uninformed person I've heard say "none of this encryption stuff even matters cuz QUANTUM," then, I'd be a very rich man.
Well, I'm not an expert on the quatum computers, but history is full of statements where some expert says "It can never be done" and then someone does it. We don't know what we don't know, is particularly relevant on a field that's just getting started.
The maths is there to support. I don't care if the implementation comes after decades. The next task can be to find something new which is hard for even a quantum system.
The best technique won't help you if the key size is 1 or 2 in length. So the length is also important up a minimum threshold. We are still talking about crypto, right?
I'm sure he would include you in the list of idiots who not only uses obviously weak passwords but also shares passwords with strangers. And probably try to educate you NOT to share ANY passwords with ANYONE. The principle of least privilege. Look it up. User accounts exist for a reason.
@@1337GameDev but, the time required for computing this giberish of bits into concurrent data, gets up exponentially! So, also Computing time and power of your super computer or quantum computer also matters
@@1337GameDev but encryption is a military weapon and should be banned past 40 bit encryption as weapon exportation, because it ensures no one can access your private information. That's bad because our benevolent NSA, who has done no sketchy things in the past ever, cannot access the data!
Just appending the key to the end of the file is my new favorite encryption scheme. I mean that would probably prevent the file from opening properly for any format other than plain text so it would sort of protect you if the person stealing your data wasn't super motivated to figure out what was happening if the files didn't open right away, haha.
Not at all. Many formats will happily allow you to append garbage at the end. That is assuming the format is strongly structured. Read up on file formats if you don't believe me. I've hidden messages in images in the past by the way. No, not in the actual displayed image but as plain text in the file itself. It was all part of a little quest i set up once.
@@danieljensen2626 In short, file formats that are strongly structured are defined like... 2 to n bytes magic "number". For example, BMP files (Bitmaps) start with the bytes 42 4D (hex) or "BM" in text. Gif files (common animated images on the internet) start with "GIF87a" and "GIF89a" in text. Executable files (.exe) start with "MZ" Depending on the format, the rest of the file then follows a strict pattern from that point that explains the data in question. Let's use a bitmap (.bmp) file as an example here. So it starts with the magic number "BM", which is 2 bytes. Then the next four bytes tell the file size. This is just a check to see if the file is damaged or not, the actual file doesn't have to be that size. The next 4 bytes are "reserved", meaning they are left there for future implementations of the format and for other applications to use however they please. Then comes 4 more bytes, describing where the actual image data starts. So far, we've dealt with the bitmap file header. Next up is the DIB header (Device Independant Bitmap header) Starting with 2 bytes which tells the size of this header. This size generally NEEDS to be correct, but again isn't absolutely necessary. But assumptions would have to be made at that point. Then comes another 2 bytes describing the width of the image in pixels. (Technically limiting bitmap files to a max of 65536 pixels wide and high) The next 2 bytes describe the height. The next 2 bytes is the number of color planes. Unused and must be 1. Finally, 2 more bytes for the number of bits per pixel. At this point, you have essentially everything you need to read an uncompressed bitmap image. (Yes, bitmaps do support compression but almost never used) Starting at the offset given in the first header, you read W*H*BPP bits and start drawing the image using that data. I won't go into details on Red/Green/Blue/Alpha here but that is a strongly typed format that is EASY enough to explain. Adding garbage at the end of such a file has absolutely NO effect on the file's readability. That is entirely up to the application opening the file. And even then you can probably trick such "validity checks" by altering the reported file size and pixel data accordingly. That's just one file format, if you find it interesting you can search for any file ending and append "file format" to the end to learn more. Such as "BMP file format" or "ZIP file format" or "EXE file format" or "DOC file format" etc etc.
Correction, the DIB header i explained was the OS/2 1.x header. The Windows 3.1 and beyond header has 4 bytes for width and height, making the technical limit for size be 4.2 billion pixels.
@@RealCadde Sounds like it would work if you put your "key" at the beginning of the file then though. Also I appreciate the explanation but you really didn't need to explain what a gif is, haha.
Grover's algorithm will crack 128-bit encryption once they make quantum computers with the same clock speed as classical computers (i.e. in the very far future). 256-bit encryption would be crackable with galaxy-scale quantum computers, but not by a machine that would fit on one small planet.
Wow, what an informative video! I like the forward-thinking question of how these encryption standards will age as computing technology develops. You've got me off to research Grover's Algorithm.
You can double the effective key length by triply encrypting with three different keys (or EDE encrypting as per 3DES). So AES256 triple-encrypted with a 768-bit key gives you effectively a 512-bit key. Note that naively double encrypting doesn't give you any extra security because of a thing called a meet-in-the-middle attack.
David Gilles Wrong. Despite the meet in the middle attack does double encryption give you extra security, it actually doubles the key space, so Double-DES gives you 2⁵⁷ instead of 2⁵⁶. Sure that's not what you initially intended: 2¹¹² (for that you indeed need 3-DES), but 2⁵⁷ is still twice as large as 2⁵⁶ (although that's indeed not a significant increase in security).
I worked at NSA from 1999 to early 2001. I wish I could talk about your theories and how long it takes to get a password. So, 20 years ago I asked someone in the "Z group" to crack some password protected files. It was actually encrypted files that were zipped together and the zip file also was password protected. Both different passwords. I was given all I needed in about 5 days. This was over 20 years ago. I can't even imagine what's going on these days.
big brain logic you got going on there. "lol they were able to crack shitty 8 digit password encryption! even 2 layers of it! that was 20 years ago, so imagine what they can do now, so clearly you are wrong, and the NSA DOES have these pie in the sky dream computers. in fact they have one for every agent working for them I bet!"
What key lengths? Assuming the keys were 8 character passwords, probably about 48 bits worth of security on each stage. And the zip file has structure to itself that enabled you to determine when that stage is successfully decrypted. Add 20 years of Moores law, looks like less than 64 bits of encryption security vs. modern computers.
Maybe a 10 years ago I was taking part in an urban game. We all got a pendrive with encrypted zip file and we were supposed to do some tasks, each of them shoudl give you one letter of the password. I just downloaded some free tool that used brute force to crack the zip file. I knew lenght of the password an that it consists only of letters - it took just a few minutes... so you see, not all encryptions are equal ;)
Interesting vid. Thanks. If a quantum computer can effectively halve the key space for a symmetric key, why can't they then feed the result through the computer again for additional halvings?
Grover's algorithm lets you search a 2^n sized search space in 2^(n/2) operations. E.g., you can search 2^128 possibilities in 2^64 operations. It doesn't actually make the search space 2^64, though, so you can't do it again.
Let’s say that you encrypt your data and then encrypt that data with a different key. It would then take 2 decryptions with 2 keys to get the original data. But if you brute force the end data, how would you know a correct decryption from a test that fails as they would both just look random? It seems to me that any decryption that is successful needs to be able to get something that looks normal to determine that it has actually decrypted the data correctly. I can’t see how you could get that with a double encryption. This should be true even if the code breaker knows both the public keys of the double encryption.
You are completely right, if the attacker has no idea that you encrypted your data twice they cant determine "a hit". That is also true if the attacker does not know which algorithm you used for your encryption. So look at it this way you wrote an algorithm that has two steps, both smaller algorithms. If the attacker knows, they just repeat the bute forcing twice. I have to add, many encryption systems might get weaker if you do it twice. Weird effects might happen, so you are probably safer by using a stronger encryption once.
Schnorzel1337 I don’t think it would matter if the decrypting party knows about the double encrypting or not. The brute force would have to try all combinations for every one of the results from the first brute force encryption. If x tries are required to break the first encryption then x squared would be needed to get the actual result. This is a huge difference from single encryption. I use the package NaCl which is elliptical. If 2 encryptions weren’t enough then 3 should be even better. Output from NaCl encryption doesn’t make the data any bigger so I should be able to create a simple program to 1. encrypt using first public key and random nonce, 2. encrypt that with second public key and random nonce and then encode with Base64 and present it so that it could be cut and pasted into an email with no encryption. Send your public keys by unsecured email if you like.
Like Schnorzel said, it's not as simple as "double the encryption, double the security". Among other issues, encrypting a payload twice may actually reduce the entropy in some cases. And you always have to assume the attacker knows your tools and methods, like e.g. that you're encrypting twice, for various reasons, not the least of which being source code analysis and reverse engineering of software.
@0:40 The graphic, symbolizing different key lengths is a case of graphics gone wrong. The critical part of the key is in all 4 cases of the same length and they don't seem to differ at all. :)
@@djchristian82 The key bits, the teeth of the keys, should be of different length - else they would not supply different security (physical keys, as in doors). I'm not in the key making business and don't even know the professional expression in my mother tongue, but maybe it's the shaft, which differs in length in the graphic? You may reach into a deeper keyhole with a longer key, but it is not more complex.
Back in university I remember my crypto professor mentioning that AES192 and 256 are technically a couple bits less secure because their rounds to key-size ratio is lower. Since 128 has 10 rounds but 192/256 only have 12/14 rounds, he said their effective key-space was a couple bits lower than their key-size. Never really been sure if he was correct or not.
Grover's algorithm. An algorithm that could be run on a universally programmable quantum computer (so nothing like D-Wave) and would effectively reduce the effective key lengths. In the end this just means: the moment quantum computers come into existence, simply increase the key length of AES and everything is still fine.
Just wanted to add that quantum computers, if performing only classical computations, are _slower_ than a classical computer. I'm not sure if you can pass Grover's Algorithm to a classical computer (I'm guessing not because of quantum), but I did want to note that. Quantum computers aren't 2^64 times slower though, obviously.
I'm not a computer expert, but I think of quantum computers as classical computers extended with quantum operators. Think of it like a regular x86_64 computer with extra quantum processors that do the quantum stuff while the traditional CPU does the classical computing. If quantum computers every get miniaturized (and somehow they fix the subzero temperature requirements), quantum would become just a CPU extension like SSE2, AVX etc.
What I don't undestand, how can brute force work, when most 'applications' of let you try password like 3 or 5 times, if you miss you must try again 30 minute later or so... So how its possible that a hacker tries to break in my for example xyz mail acount with brute force if after 5 times fail the account gets locked for 30 minutes?
The kind of brute forcing he's talking about would typically apply to a situation where, for example, someone captured traffic that was sent over the network and they are trying to decrypt the message(s). I.e., in that case they already have the message on their own machine and don't need to wait for the account to unlock again. But you're right that enforcing wait times (aka "throttling", sometimes) is a good security mechanism against trying to guess an account password, or other attacks that require talking to an application's API.
Good question. If an attacker has a copy of a file encrypted with AES-128 or AES-256 they can write their own AES decryption program and have it try millions of passwords per second. The AES alogrithm itself is public so this isn't an issue. If you are thinking more along the lines of getting a login password to a remote service the usual process is the hacker steals the password file from the target. The password file stores what's called a hash of each password but not the password itself. The hashing process is conceptually similar to encryption in the sense that it's quick and easy to get the scrambled hash from the original password but should be impossible to get the password from the hash. The hash algorithms are public so the attacker starts brute forcing, fe.g. first try AAAAAA, generate the hash, see if it matches any hash in the stolen password file, if not try AAAAAB and so on. Once a match is found then go back to the official login page and use the password you found. This is simplified, there are different strengths of hash, passwords get extra protection from a process called "salting the hash" etc but I hope it helps you see the approximate process.
@@Cruz0e same as your original comment. He is speaking of encrypted files. Doesn't matter how many different things you think of that isn't decrypting a file or how many smiley faces you type. He is speaking of encrypted files.
@@frankschneider6156 Someone raised questions about the NSA recommended parameters for ECC, and suggested that there might be a back door associated with those specific parameters. One sound rule when considering an encryption method, be suspicious of any parameter in the algorithm if you can't be sure how it was derived. So of course all the serious security people, if they continued using ECC, would avoid those specific parameters. This may relate the the NSA no longer pushing the method.
@@hanelyp1 Yeah, that's of course true, if there is no reason given, how specific parameters have been selected, this means that the reason is just not being disclosed, which means someone knows more than he says, and this might be benign, but could also have very malign reasons. ECCs (and even more hyper elliptic curves) are still not THAT well researched, so it is not generally impossible that ECC in principle has backdoors, but I'm not that familiar with the maths of ECC and this suspicion is in principle valid for DLP or factoring too. You can always assume someone has such advanced maths that they can analytically break all of the asymmetric stuff, that everybody else can't. That's imho somewhere near the border between being "healthy" and "pathologically" paranoid. The NSA famously tried to put a backdoor via NIST into ECC by compromising the random number generation process (which was imho a pretty smart try, that truly deserves appreciation) . Imho they wouldn't have done that, if they had a general method of breaking ECC. This of course doesn't rule out that the suggested curves have been also been rigged. So if you want to be on the secure side of things, just don't use the ECC curves suggested by NIST, but those by Dan Bernstein (famous curve 25519).
Lol, I wonder if UA-cam recommends Linus Tech Tips to everyone watching computerphile? I didn't even question it because those are same kind of recommendations I get.
The US military has been using 256 bit key for well over 40 years. Combine that with what appears to be a total lack of information about how the key is applied and in what manner of operation(s). One can only guess at how far behind the civilian world is today.
Question: From what I took away, quantum computers half the effectiveness of bit length for encryption. This isn't a problem for symmetric encryption because it can easily double the the key length with a minimal increase in encryption / decryption time. RSA has large keys however, and doubling those keys would increase encryption / decryption time significantly. What about ECC? From the example you gave the key size is fairly small, would it be too much to double ECC's key size?
It's way worse than halving the effectiveness for both RSA and ECC. Shor's algorithm (that breaks both RSA and ECC) works in polynomial time, effectively turning the problem from O(2^n) to O(n), where n is the size of the key.
Grover's algorithm cuts the effective number of bits for symmetric algorithm security in half - so AES 256 can be broken with approximately 128 bits of difficulty. Shor's algorithm cuts the effective number of bits for asymmetric algorithm security to basically zero - ECC 256 under Shor's algorithm becomes (log_2 256) bits of difficulty (i.e. about 8 bit).
the biggest problem with encryption is the key really isnt the actual key length its the effective key length; Often the key is been generated form some short phrase or sentence and a hashing functions beenran on it; while for an ideal hash function it would be okay.... most of ours arent and we end up with real key strengths that are much much less than the intended; or even worse the LFR random number generators on emulated computers;which dont get back actual hardware noise to add as a salt; ending up with known next values for the inputs. its neat.
I only just noticed the video was out, but it came out pretty much exactly as I was discussing this precise topic with my husband a couple hours ago. Eerie.
Given the number of couples on this planet, things like this have to happen. Not eerie, just statistics. Don't forget: a one in a million chance happens 10 times every single day in New York (or 7500 times a day globally)
hello I have a question my seed password is 56 letters long each letter is 8 bits so 8 for 56 and 448 bits right I can't understand can you explain me better thanks everyone
Is there a real reason not go for 256 right now? I mean pretty much every cryptography library will support AES256, so there's no real reason to go for 128. Unless you're working with limited hardware, in let's say an embedded device.
No there isn't. Not even on limited hardware. What sets them apart is the importance of the data. If it's just your SMS conversation with your loved one, you don't really need to go that far. But if it's about money, then it's best to go with the strongest available one. The risk of attack is at the highest level. Just shy of government stuff.
@@RealCadde agreed, and literally raspberry pi's can handle it no problem. we are talking about merely using the encryption, not brute forcing a decryption. not sure where people got he idea that using the encryption requires massive processing. it only become a problem if you are handling these things en masse like if you were running a payment processing server that was getting hammered with transactions all hours of the day.
Technology wise, I'm seeing no reason not to use 256 bit keys. Legal wise, keys larger than 56 bits can run into export controls where some of us live.
I find Dr Pounds videos to be some of the most interesting and educational on this chanel. But, his mannerisms always make me think that if his life took a different path, he'd be down at the Saturday market in Staines flogging hi-fi systems that fell off the back of a lorry
Your 128 bit key is only as good as the random number generator that it came out of. If the RNG has known fixed zeros, ones or zero/one pairs it is not effectively 128 bit
the weaknes of AES is ristricting to 128bit blocksize where its base algorithm rijndael supports also 256bit blocks - but nope - NSA needed its backdoor
i just want want simple answer 128-bit graphics card is better or 256-bit graphics card is better for gaming performance....i don't understand your technical information
If Quantum computing can affect RSA how about DH key exchange it can be also affected? Since the AES key is derived using that in many protocols, could my derived key be exposed?
People who are not in the know may think 256 bit is double 128. A small example to show it's not. 4 bits = 2^4 = 16 5 bits = 2^5 = 32 6 bits = 2^6 = 64 7 bits = 2^7 = 128 8 bits = 2^8 = 256 Every time you add 1 bit, the total bits doubles. So try continuing the example and see how fast the total bits gets huge.
It's like when you're up after midnight (like I am now) and still referring to 'tomorrow' when you mean 'later today'. If we think about it for a second, we know it's wrong but instinctively that's what it feels like. I should go to bed =(
It's not that "total bits" doubles. The number of combinations you can arrange those bits doubles. I mean 1 bit - two combinations - 0 or 1 2 bits - 4 combinations - 00, 01, 10, 11 3 bits - 8 combinations... What you probably wanted to say is that every extra bit makes your password twice as hard to brute force.
Im going to ask a very noob question but if people are looking to brute force keys at specific lengths e.g 128, 192 etc why do we not use the full range such as odd numbers guessing I'm missing something?
You totally ignored number of rounds for each AES keylength (10, 12 and 14 respectively) - and this is the problem with AES256 Bruce Schneier was pointing at over 10 years ago (he suggested switching to 16, 20 and 28 rounds). In 2009 Shamir et al presented fully practical (2^70) attack against 10-rounds AES256...
A thing i always think about considering symmetric cypher is, if you attempt to brute force the key, how would you even decide if what you deciphered is the encrypted message? Maybe your encryption would allow decyphering with a wrong key and give you a result, that could be what was encrypted, but you would need another program that actually looks at it to decide it. And maybe you decypher a message that makes sense, but it's the wrong output?
That's the point behind Vernam's cipher - key is random so there is no way to decipher it because there is no way to verify the result. Doing that with some more practical cipher is hard, though. The probability of this happening is so low (and keeps dropping as you encrypt more and more input), that you can be almost sure that if you decrypt at least something, it is the input. To increase the chance of this happening, you would need to either make key very long or derive the key specifically to be more likely to decipher to multiple possible inputs. That would lower it's security, though. One interesting thing you can do is to deliberately include random text in some places in your input - this would make your message indistuingishable from randomly found inputs that are partially valid, while human could clearly recognize and filter out random bits. Something like a steganography, in a way. Interesting thought.
If your key is equaly long or longer than the payload data it would be impossible to decide if you found the real key or not, since by pure bruteforcing the key you would find any possible data set with equal length of the input payload. But since your key is usually much, much smaller than the payload you want to encrypt, thats not the case. Basically your key will be repeated until it's the same length as your payload (thats not entirely true, but it's easier to imagine). And that will greatly limit the possible valid input data sets. Its unlikely that repeating a random bruteforced key until the same length is reached, will yield something sensible when trying to decrypt the data with it.
@@blenderpics But yet, i imagine a program that can decide if the output is just random garbage or already the right output (it has to look for unimaginable amount of correlations to find that out, if you just zip your files before using another tool to encrypt it and put some picture in your files with it for example, or maybe you used another compressor or whatever) that would dramatically increase computing time for each brute force try, making it impossible to test all.
I think you're talking about the one time pad or vernoms cipher, in that case yes, youre right. Its basically unbreakable. But other ciphers that are brute forcible will generate you 1 correct deciphered message and alot of jibberish, the way you find that one correct deciohered message is through letter frequencies i think.
You talked about bank data expires with the expiration date from the card, but wat about medical data? Do you guys think 256 is necessary. The thing is, the data only expires with the death of the person, but in the other hand medical reports are a timeframe and can be irrelevant a few months or a year later..
It depends. Often there is a mac tag attached to the message that uses the same key as the encryption algorithm - you can just check if the ciphertext (or the plaintext if you use mac-then-encrypt) matches the mac with a given key. Otherwise using frequency analysis or whatever. If your decrypted message only consists of ascii characters then you probably have the correct key.
Next to an encryption scheme has every modern symmetric block cipher also a key generation scheme. In typical crypto-explanations, that's practically always omitted, as the topic is already deemed "too complex" for the average Joe anyhow, so nobody talks about it and its simply ignored. The encryption scheme of symmetric block ciphers is typically iterative and each (often identical) iteration is called a "round". Eg AES-128 has 10 rounds, AES-192 has 12 and AES-256 has 14. The block sizes as well as the round key length are the same for all 3 (128-bit). So the length of what you consider "key" varies (128, 192, 256), but the round key size is the same in all 3 (128-bit). If you consider that different amount of rounds (10,12,14) require different amounts of round keys, it becomes obvious that schemes with more rounds require a longer key to be able to derive more key material (round keys) of it. A key is primarily used to introduce entropy (randomness) into the encryption process. To do this, the key itself is typically not used for encryption, but just used to derive a larger numbers of round keys from it, which are then used witin the rounds. Every round thus receives a freshly dervied, unique round key that introduces entropy into each encryption round. These keys are all of the same size. So the the different key lengths are handled within the key derivation scheme, not within the encryption scheme.
(1:20) With absolutely random keys,, you should find it at one less bit on average. So 128 bit requires 2^127 attempts on average, and 256 bit key requires 2^255 attempts on average.
Quantum Computers (QCs) are designed primarily to attack Public Key cryptography, practically RSA, then ECC. Normal PCs have trouble doing the math of RSA/ECC which are VERY LARGE prime numbers. QCs can process them with ease AND at twice the rate! regular ciphers like AES, Twofish, Camelia, and Company are safe because key sizes are based on bit strength and bits are no more than one One and one Zero (1 and 0, respectively) to the power of the bit strength (2^B; where B = Bit Strength). So, AES128 is already Quantum safe because the key space of AES128 is 2^128 possible keys. For example, a cipher with a 8 bits has a key space of 2^8, or 256 possible keys. a 9 bit cipher has a key space of 2^9, or 512 possible keys, and so on, etc. Thus AESS128 has a key space of 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys. A dedicated QC attacking a single AES128 key would half the space making the key space reduced to 2^127, or 170,141,183,460,469,231,731,687,303,715,884,105,728 possible keys. Even with the key size of 2^128 being cut in half, it is still impracticable. But attack the RSA that encrypts the very first AES128 Session key (the key used to begin encrypting your visit to a website), then the attacker has access to your session key and may decrypt your recorded internet traffic! So he not only knows what website you're visit but after a few days of attacking the RSA key, he will discover what you were looking at, downloaded, posted, etc. on that website! The info may be used for malicious purposes. You see, RSA2048 has a theoretical key space of 2^2048 which would make ANY Cryptographer go BOING! But, it is only theoretical. Practically, only 4 numbers out of 10 are prime numbers and the rest are composite numbers. So the actual key space my be calculated as (2^2048(0.4)) While still a number so much higher than Snoop D. O. double G, it significantly lowers the search time needed, and WHAT it is the the QCs need to look for. However, since only very large numbers are used, then the key space may be further reduced by eliminating the smaller prime numbers. And if a single RTX 3090 dedicated to brute force numbers may run 650,000,000,000 keys per second (and it can on a dedicated PC software), then a QC would run at 130,000,000,000 per second! As a reminder, a PC only needs to run though half of a key space to find the key, on average( ((2^2048(0.4)/8)/2 )! If a rig of 60 QCs attacked a key, then it would run at 78,000,000,000,000 per second! Even though the numbers are large, a QC can factor the RSA program with ease; as fast as our current PCs processing 1+1. TL;DR If a QC is a thief, then AES128 is Fort Knox. If RSA and ECC were younglings hiding in the Jedi Temple during Order 66, then a QC is Anakin Skywalker.
Would it get much slower with 512 or 1024 bits? Even if 256 are enough today, I would prefer it even more secure, if that only means a few milliseconds of more computing time. I would even go so far to always allow a full second of computing time for each encryption of a message for example. That way encryption would become more and more secure, if computers become faster. A kind of "hyper encryption" that is totally over the top even if we do not see a reason for such an encryption today. You can measure encryption in dollars. How many dollars worth of computing time would it cost to decrypt an encryption? And then imagine you would fill the whole known universe with 100-dollar-bills. That's how much a decryption should cost at least.
It depends on the algorithm. I do not think that it would get more than 4 times as slow. Anyway, 1024-bit keys are overkill. It would make more sense to increase the rounds instead if you have speed to spare.
@Pronto all kinds, I saw that bitcoin algorithm is made by NSA. Is it really just made and give it to the people to enjoy? also whatsup telegram etc... are free because they can listen you, or?
Nope. Symmetric algorithms are resistant is the key is just long enough. Only asymmetric ones are vulneranerable, but they are anyhow not used for information storage, but key exchange. If you worry about sniffing and storing data now to decrypte them in 30 years, just substitute the common asymmetric algorithm used now with a PQC cipher and you are fine. Quantum computers won't change a lot in cryptography. A few cipher changes, that's all.
@@frankschneider6156 "Nope" - Argenteus said "who need public key cryptography", so yes, they do have a legitimate cause to worry. "but key exchange" - and signatures "PQC cipher" - Asymmetric algorithms are not ciphers.
no point in this... even for decrypting 256 Bit by brute force on any speed computer there is not enough energy in the universe to break it with conventional computing.
Oh well For me speed of AES does not matter I am using LUKS and this would scale its speed according to speed of processor, so changing CPU to slower one will make reading my data awfully slow.
there are 2¹²⁸ keys, but statistically you just need to brute force half of them to get the solution. That's an average. Sometimes your first guess is the right one, sometime it's the last, but statistically that averages out to the middle, so on average you need to go through half of the keys (that's 2¹²⁷) to bruteforce a 2¹²⁸ key. Simply because statistically the key will follow a uniform distribution.
why dont this dude has his own channel this guy is amazing wish i had a computer teacher like him
I really would love a teacher like this
+💯
Noone get whooshed
Noone get whooshed
Noone get whooshed
Noone get whooshed
Noone get whooshed
Noone get whooshed
Noone get whooshed
Noone get whooshed
alan smithee uh what?
@@codycast the OC is obvious whoosh bait.
Designed to make someone go "but he does have a channel," (which he indeed does) after which they get whooshed.
The OC is pretending to not know about that channel.
I think it's really important people understand 256 bits is not twice the security of 128 bits. It's twice that of "255 bits".
That's something that took me an embarrassing amount of time to understand in my crypto lecture🥴
I understand that each bit doubles the difficulty it is to brute force, but the difference between 128 and 256 is just unfathomable to think about
be me
try to bruteforce a 512 bit aes hash
on my laptop
ouch
The same error is in the video at 6:06 -- a bit of sloppy language, and I know he understands this (much better than me), but the video does say that Grover's algorithm can hypothetically reduce AES-256 to AES-128 and "halve the keyspace" -- no, in that case it can divide the keyspace by 2^128, i.e. reduce it by a factor of 3.4 * 10^38.
@@exscape It reduces the keyspace, as in the number of bits required to represent the key, by half.
When an engineer says "20-25 years", they mean "well, it's hypothetically possible".
@Marty McFly Williams Not sure moore has factored in quantum computers when he noted his observation.
@@MazeFrame Yeah, moore only applies to silicon and it's already breaking down
@@zUJ7EjVD
No, they mean "We havent disproven all hypothetical cases being possible yet".
Fusion power plants have been twenty years away for sixty years.
@@salvation122 Exactly.
That aged well!
Wait. Didn't this just happen?!
See 7:21.
I actually LOL’d
Anyone else had enough of so called "Experts" ?
@@fcoamezcuag your ignorance of science doesn't invalidate it
Was just going through a Dr. Pound binge of old Computerphile videos, and bam! All of a sudden, a new one 12 mintues ago. He is definitely my favourite presenter on this channel.
I'm glad he addressed the naivety of the quantum computing argument. If I had a nickel for every uninformed person I've heard say "none of this encryption stuff even matters cuz QUANTUM," then, I'd be a very rich man.
Well, I'm not an expert on the quatum computers, but history is full of statements where some expert says "It can never be done" and then someone does it.
We don't know what we don't know, is particularly relevant on a field that's just getting started.
@@samik83 He's not saying it can't be done though. He's saying we're not even close to that point yet.
I just cracked 513 bit inscription with my fusion powered QUANTUM computer a few weeks back. I had to create AI in order to control the system.
@@psyoperator Love that one
The maths is there to support. I don't care if the implementation comes after decades. The next task can be to find something new which is hard for even a quantum system.
This guy is my favorite on the channel
"It's not about size. It's about the technique" :)
( ͡° ͜ʖ ͡°)
Yeah but you can't get across the ocean in a rowboat lol
@@benjamincox9762 yes you can, you not pay attention 3:30
The best technique won't help you if the key size is 1 or 2 in length. So the length is also important up a minimum threshold. We are still talking about crypto, right?
@@TheGenerationGapPodcast I don't think that innuendo was about crypto.
I can listen to his talks all day long. He is amazing and his skills in explaining things is incredible.
00:40 196 bit key should be 192 bit key ... Mike even says so a few seconds later :)
I would trust Dr. Pound with my passwords in plaintext
but he would be very disappointed that your storing your passwords in plaintext!
@@burntpotatoes999 you're *
that's at least slightly better than the post-its on the monitor
I'm sure he would include you in the list of idiots who not only uses obviously weak passwords but also shares passwords with strangers. And probably try to educate you NOT to share ANY passwords with ANYONE. The principle of least privilege. Look it up. User accounts exist for a reason.
@@qwerasdfhjkio Conjuction used mid-sentence is a bad thing! :-D
0:56
Key length.
2:39
AES attack.
3:49
RSA and Diffie-Hellman
*4:30 --> Elliptic Curves.
5:13
Quantum Computing.
5:33
Grover's algorithm.
6:59
Publick-key vs Quantum.
I actually LOL'd
4:44 _It's not the size of the key, it's the encryption method you're throwing it at!_
Yes, he's Back!
The US Government: 40 Bit is enough
that means 128 bit is way about military level!
It is though
@@1337GameDev but, the time required for computing this giberish of bits into concurrent data, gets up exponentially!
So, also Computing time and power of your super computer or quantum computer also matters
@@1337GameDev but encryption is a military weapon and should be banned past 40 bit encryption as weapon exportation, because it ensures no one can access your private information. That's bad because our benevolent NSA, who has done no sketchy things in the past ever, cannot access the data!
@@NateROCKS112 Lol, did the NSA actually suggest civilians should only be allowed to use 40 bit encryption?
Just appending the key to the end of the file is my new favorite encryption scheme. I mean that would probably prevent the file from opening properly for any format other than plain text so it would sort of protect you if the person stealing your data wasn't super motivated to figure out what was happening if the files didn't open right away, haha.
Not at all. Many formats will happily allow you to append garbage at the end. That is assuming the format is strongly structured.
Read up on file formats if you don't believe me.
I've hidden messages in images in the past by the way. No, not in the actual displayed image but as plain text in the file itself.
It was all part of a little quest i set up once.
@@RealCadde Interesting, I guess I've never had a reason to learn much about the details of file structures.
@@danieljensen2626 In short, file formats that are strongly structured are defined like...
2 to n bytes magic "number".
For example, BMP files (Bitmaps) start with the bytes 42 4D (hex) or "BM" in text.
Gif files (common animated images on the internet) start with "GIF87a" and "GIF89a" in text.
Executable files (.exe) start with "MZ"
Depending on the format, the rest of the file then follows a strict pattern from that point that explains the data in question.
Let's use a bitmap (.bmp) file as an example here.
So it starts with the magic number "BM", which is 2 bytes.
Then the next four bytes tell the file size. This is just a check to see if the file is damaged or not, the actual file doesn't have to be that size.
The next 4 bytes are "reserved", meaning they are left there for future implementations of the format and for other applications to use however they please.
Then comes 4 more bytes, describing where the actual image data starts.
So far, we've dealt with the bitmap file header. Next up is the DIB header (Device Independant Bitmap header)
Starting with 2 bytes which tells the size of this header. This size generally NEEDS to be correct, but again isn't absolutely necessary. But assumptions would have to be made at that point.
Then comes another 2 bytes describing the width of the image in pixels. (Technically limiting bitmap files to a max of 65536 pixels wide and high)
The next 2 bytes describe the height.
The next 2 bytes is the number of color planes. Unused and must be 1.
Finally, 2 more bytes for the number of bits per pixel.
At this point, you have essentially everything you need to read an uncompressed bitmap image. (Yes, bitmaps do support compression but almost never used)
Starting at the offset given in the first header, you read W*H*BPP bits and start drawing the image using that data.
I won't go into details on Red/Green/Blue/Alpha here but that is a strongly typed format that is EASY enough to explain.
Adding garbage at the end of such a file has absolutely NO effect on the file's readability. That is entirely up to the application opening the file.
And even then you can probably trick such "validity checks" by altering the reported file size and pixel data accordingly.
That's just one file format, if you find it interesting you can search for any file ending and append "file format" to the end to learn more.
Such as "BMP file format" or "ZIP file format" or "EXE file format" or "DOC file format" etc etc.
Correction, the DIB header i explained was the OS/2 1.x header.
The Windows 3.1 and beyond header has 4 bytes for width and height, making the technical limit for size be 4.2 billion pixels.
@@RealCadde Sounds like it would work if you put your "key" at the beginning of the file then though.
Also I appreciate the explanation but you really didn't need to explain what a gif is, haha.
Grover's algorithm will crack 128-bit encryption once they make quantum computers with the same clock speed as classical computers (i.e. in the very far future). 256-bit encryption would be crackable with galaxy-scale quantum computers, but not by a machine that would fit on one small planet.
Wow, what an informative video! I like the forward-thinking question of how these encryption standards will age as computing technology develops. You've got me off to research Grover's Algorithm.
At ~0:40 you show encryption bit sizes of 64, 128, *_then 196-bit_** instead of 192 , just FYI*
I have been looking for this type of explanation for a year now!!! Thank goodness I finally found this video.
What's on the whiteboard in the background? Did someone explain filters and convolutions?
You can double the effective key length by triply encrypting with three different keys (or EDE encrypting as per 3DES). So AES256 triple-encrypted with a 768-bit key gives you effectively a 512-bit key. Note that naively double encrypting doesn't give you any extra security because of a thing called a meet-in-the-middle attack.
"man-in-the-middle"
@@jdilksjr nope
@@jdilksjr nope it's really meet in the middle attack
David Gilles
Wrong. Despite the meet in the middle attack does double encryption give you extra security, it actually doubles the key space, so Double-DES gives you 2⁵⁷ instead of 2⁵⁶. Sure that's not what you initially intended: 2¹¹² (for that you indeed need 3-DES), but 2⁵⁷ is still twice as large as 2⁵⁶ (although that's indeed not a significant increase in security).
Man in the middle is entirely different concept than meet in the middle. @jdilksjr
Best video in years! It's answers one of the most important questions I had for years ... by somebody I trust.
A 256 AES bit encryption can be paired in sequence with another 256 AES bit key making it crazy to get into
1:46 If the key has 2^256 bits, that would be a lot of overkill.
Naaah, it'd just require all the atoms in the known universe for a starter... Then quite a bit more.
I worked at NSA from 1999 to early 2001. I wish I could talk about your theories and how long it takes to get a password. So, 20 years ago I asked someone in the "Z group" to crack some password protected files. It was actually encrypted files that were zipped together and the zip file also was password protected. Both different passwords. I was given all I needed in about 5 days. This was over 20 years ago. I can't even imagine what's going on these days.
Passworded zips were already unsecure even then
big brain logic you got going on there. "lol they were able to crack shitty 8 digit password encryption! even 2 layers of it! that was 20 years ago, so imagine what they can do now, so clearly you are wrong, and the NSA DOES have these pie in the sky dream computers. in fact they have one for every agent working for them I bet!"
What key lengths? Assuming the keys were 8 character passwords, probably about 48 bits worth of security on each stage. And the zip file has structure to itself that enabled you to determine when that stage is successfully decrypted. Add 20 years of Moores law, looks like less than 64 bits of encryption security vs. modern computers.
@@hanelyp1 zip files were 8 length max on the passwords.
Maybe a 10 years ago I was taking part in an urban game. We all got a pendrive with encrypted zip file and we were supposed to do some tasks, each of them shoudl give you one letter of the password. I just downloaded some free tool that used brute force to crack the zip file. I knew lenght of the password an that it consists only of letters - it took just a few minutes... so you see, not all encryptions are equal ;)
Interesting vid. Thanks.
If a quantum computer can effectively halve the key space for a symmetric key, why can't they then feed the result through the computer again for additional halvings?
Grover's algorithm lets you search a 2^n sized search space in 2^(n/2) operations. E.g., you can search 2^128 possibilities in 2^64 operations. It doesn't actually make the search space 2^64, though, so you can't do it again.
Let’s say that you encrypt your data and then encrypt that data with a different key. It would then take 2 decryptions with 2 keys to get the original data. But if you brute force the end data, how would you know a correct decryption from a test that fails as they would both just look random? It seems to me that any decryption that is successful needs to be able to get something that looks normal to determine that it has actually decrypted the data correctly. I can’t see how you could get that with a double encryption. This should be true even if the code breaker knows both the public keys of the double encryption.
You are completely right, if the attacker has no idea that you encrypted your data twice they cant determine "a hit". That is also true if the attacker does not know which algorithm you used for your encryption. So look at it this way you wrote an algorithm that has two steps, both smaller algorithms.
If the attacker knows, they just repeat the bute forcing twice.
I have to add, many encryption systems might get weaker if you do it twice. Weird effects might happen, so you are probably safer by using a stronger encryption once.
Schnorzel1337 I don’t think it would matter if the decrypting party knows about the double encrypting or not. The brute force would have to try all combinations for every one of the results from the first brute force encryption. If x tries are required to break the first encryption then x squared would be needed to get the actual result. This is a huge difference from single encryption. I use the package NaCl which is elliptical. If 2 encryptions weren’t enough then 3 should be even better.
Output from NaCl encryption doesn’t make the data any bigger so I should be able to create a simple program to 1. encrypt using first public key and random nonce, 2. encrypt that with second public key and random nonce and then encode with Base64 and present it so that it could be cut and pasted into an email with no encryption. Send your public keys by unsecured email if you like.
Like Schnorzel said, it's not as simple as "double the encryption, double the security". Among other issues, encrypting a payload twice may actually reduce the entropy in some cases. And you always have to assume the attacker knows your tools and methods, like e.g. that you're encrypting twice, for various reasons, not the least of which being source code analysis and reverse engineering of software.
@0:40 The graphic, symbolizing different key lengths is a case of graphics gone wrong. The critical part of the key is in all 4 cases of the same length and they don't seem to differ at all. :)
@@djchristian82 The key bits, the teeth of the keys, should be of different length - else they would not supply different security (physical keys, as in doors).
I'm not in the key making business and don't even know the professional expression in my mother tongue, but maybe it's the shaft, which differs in length in the graphic?
You may reach into a deeper keyhole with a longer key, but it is not more complex.
Back in university I remember my crypto professor mentioning that AES192 and 256 are technically a couple bits less secure because their rounds to key-size ratio is lower.
Since 128 has 10 rounds but 192/256 only have 12/14 rounds, he said their effective key-space was a couple bits lower than their key-size.
Never really been sure if he was correct or not.
I really want to see this video again in 40 years time, see how broken it is by then.
What's the algorithm he mentions on 5:33 to break AES?
Grover's algorithm. An algorithm that could be run on a universally programmable quantum computer (so nothing like D-Wave) and would effectively reduce the effective key lengths. In the end this just means: the moment quantum computers come into existence, simply increase the key length of AES and everything is still fine.
Yes! Another Mike video
Loving the sketch part with the comment section. Great stuff :)
Just wanted to add that quantum computers, if performing only classical computations, are _slower_ than a classical computer. I'm not sure if you can pass Grover's Algorithm to a classical computer (I'm guessing not because of quantum), but I did want to note that. Quantum computers aren't 2^64 times slower though, obviously.
You can actually simulate a quantum computer on a classical computer, at least currently this still works, because the number of qubits is so low.
I'm not a computer expert, but I think of quantum computers as classical computers extended with quantum operators.
Think of it like a regular x86_64 computer with extra quantum processors that do the quantum stuff while the traditional CPU does the classical computing.
If quantum computers every get miniaturized (and somehow they fix the subzero temperature requirements), quantum would become just a CPU extension like SSE2, AVX etc.
My hard drive is encrypted with 512 bit AES, thank you VeraCrypt!
Anybody know the name of the green font from the thumbnail?
@Marty McFly Williams thanks I'll search that
OCR Extended
What I don't undestand, how can brute force work, when most 'applications' of let you try password like 3 or 5 times, if you miss you must try again 30 minute later or so...
So how its possible that a hacker tries to break in my for example xyz mail acount with brute force if after 5 times fail the account gets locked for 30 minutes?
The kind of brute forcing he's talking about would typically apply to a situation where, for example, someone captured traffic that was sent over the network and they are trying to decrypt the message(s). I.e., in that case they already have the message on their own machine and don't need to wait for the account to unlock again.
But you're right that enforcing wait times (aka "throttling", sometimes) is a good security mechanism against trying to guess an account password, or other attacks that require talking to an application's API.
Good question. If an attacker has a copy of a file encrypted with AES-128 or AES-256 they can write their own AES decryption program and have it try millions of passwords per second. The AES alogrithm itself is public so this isn't an issue. If you are thinking more along the lines of getting a login password to a remote service the usual process is the hacker steals the password file from the target. The password file stores what's called a hash of each password but not the password itself. The hashing process is conceptually similar to encryption in the sense that it's quick and easy to get the scrambled hash from the original password but should be impossible to get the password from the hash. The hash algorithms are public so the attacker starts brute forcing, fe.g. first try AAAAAA, generate the hash, see if it matches any hash in the stolen password file, if not try AAAAAB and so on. Once a match is found then go back to the official login page and use the password you found. This is simplified, there are different strengths of hash, passwords get extra protection from a process called "salting the hash" etc but I hope it helps you see the approximate process.
You're speaking of breaking log-in information. He is speaking of having an encrypted file and brute forcing.
@@saintchuck9857 what about storing the file in a place then where you have to login first to access it :)
@@Cruz0e same as your original comment. He is speaking of encrypted files. Doesn't matter how many different things you think of that isn't decrypting a file or how many smiley faces you type. He is speaking of encrypted files.
6:07 - small correction: not half, but square root. 2^128 is not half of 2^256.
Why does the NSA push ecliptic curve when they are not in the data security business?
They stopped massively pushing ECC around 2016. Nobody (outside of the NSA) knows exactly why.
@@frankschneider6156 Someone raised questions about the NSA recommended parameters for ECC, and suggested that there might be a back door associated with those specific parameters. One sound rule when considering an encryption method, be suspicious of any parameter in the algorithm if you can't be sure how it was derived. So of course all the serious security people, if they continued using ECC, would avoid those specific parameters. This may relate the the NSA no longer pushing the method.
@@hanelyp1
Yeah, that's of course true, if there is no reason given, how specific parameters have been selected, this means that the reason is just not being disclosed, which means someone knows more than he says, and this might be benign, but could also have very malign reasons.
ECCs (and even more hyper elliptic curves) are still not THAT well researched, so it is not generally impossible that ECC in principle has backdoors, but I'm not that familiar with the maths of ECC and this suspicion is in principle valid for DLP or factoring too. You can always assume someone has such advanced maths that they can analytically break all of the asymmetric stuff, that everybody else can't. That's imho somewhere near the border between being "healthy" and "pathologically" paranoid.
The NSA famously tried to put a backdoor via NIST into ECC by compromising the random number generation process (which was imho a pretty smart try, that truly deserves appreciation) . Imho they wouldn't have done that, if they had a general method of breaking ECC. This of course doesn't rule out that the suggested curves have been also been rigged.
So if you want to be on the secure side of things, just don't use the ECC curves suggested by NIST, but those by Dan Bernstein (famous curve 25519).
This channel makes me want to enroll at Nottingham just to have more time with these guys
At 7:30, did you mean to be advertising Linus Tech Tips? Not complaining, just wondering ;-)
Lol, I wonder if UA-cam recommends Linus Tech Tips to everyone watching computerphile? I didn't even question it because those are same kind of recommendations I get.
@@danieljensen2626 I started to get those recommendations recently!
03:18
using more key material can actually weaken the algorithm because it might not have perfect diffusion when doing rounds. so i hear ;)
Nice quick video about a key part of encryption. Is this a part of a series? *me goes to check the channel*
Would love more compression vids
The US military has been using 256 bit key for well over 40 years. Combine that with what appears to be a total lack of information about how the key is applied and in what manner of operation(s). One can only guess at how far behind the civilian world is today.
Question: From what I took away, quantum computers half the effectiveness of bit length for encryption. This isn't a problem for symmetric encryption because it can easily double the the key length with a minimal increase in encryption / decryption time. RSA has large keys however, and doubling those keys would increase encryption / decryption time significantly. What about ECC? From the example you gave the key size is fairly small, would it be too much to double ECC's key size?
It's way worse than halving the effectiveness for both RSA and ECC. Shor's algorithm (that breaks both RSA and ECC) works in polynomial time, effectively turning the problem from O(2^n) to O(n), where n is the size of the key.
Grover's algorithm cuts the effective number of bits for symmetric algorithm security in half - so AES 256 can be broken with approximately 128 bits of difficulty.
Shor's algorithm cuts the effective number of bits for asymmetric algorithm security to basically zero - ECC 256 under Shor's algorithm becomes (log_2 256) bits of difficulty (i.e. about 8 bit).
@@deadNightTiger That makes sense, maybe I missed that!
the biggest problem with encryption is the key really isnt the actual key length its the effective key length; Often the key is been generated form some short phrase or sentence and a hashing functions beenran on it; while for an ideal hash function it would be okay.... most of ours arent and we end up with real key strengths that are much much less than the intended; or even worse the LFR random number generators on emulated computers;which dont get back actual hardware noise to add as a salt; ending up with known next values for the inputs. its neat.
VirtIORNG has been supported in qemu for a while now.
I only just noticed the video was out, but it came out pretty much exactly as I was discussing this precise topic with my husband a couple hours ago. Eerie.
What were you discussing?
Given the number of couples on this planet, things like this have to happen. Not eerie, just statistics. Don't forget: a one in a million chance happens 10 times every single day in New York (or 7500 times a day globally)
@@Brainstorm4300 Bremermann's limit and the eventuality of brute-force attacks against 128-, 256- and 512-Bit encryption.
Your house key is 2^17 and can be "cracked" in 3 seconds with a bent hairpin.
And, as said in the video, it isn't a problem with the encryption, but the algorithm itself
What key do you have that has 17 pins, but only two heights? That doesn't make much sense.
It's more around 8^6.
@@privateger well 8^6 = 2^18..
different base and exponent but you express the same kinda number
@@jmvr You mean the isn't problem with the key length
Could you do a video on Isogeny based asymetric crypto?
What is the difference between bits of entropy vs key length entropy?
hello I have a question my seed password is 56 letters long each letter is 8 bits so 8 for 56 and 448 bits right I can't understand can you explain me better thanks everyone
Is there a real reason not go for 256 right now?
I mean pretty much every cryptography library will support AES256, so there's no real reason to go for 128.
Unless you're working with limited hardware, in let's say an embedded device.
No there isn't. Not even on limited hardware.
What sets them apart is the importance of the data. If it's just your SMS conversation with your loved one, you don't really need to go that far.
But if it's about money, then it's best to go with the strongest available one. The risk of attack is at the highest level. Just shy of government stuff.
@@RealCadde agreed, and literally raspberry pi's can handle it no problem. we are talking about merely using the encryption, not brute forcing a decryption. not sure where people got he idea that using the encryption requires massive processing. it only become a problem if you are handling these things en masse like if you were running a payment processing server that was getting hammered with transactions all hours of the day.
Technology wise, I'm seeing no reason not to use 256 bit keys. Legal wise, keys larger than 56 bits can run into export controls where some of us live.
@@hanelyp1 how would customs know anything about how well its encrypted? they would only bother testing it if you were being detained for something.
I find Dr Pounds videos to be some of the most interesting and educational on this chanel. But, his mannerisms always make me think that if his life took a different path, he'd be down at the Saturday market in Staines flogging hi-fi systems that fell off the back of a lorry
Oddly specific my dude
bro what
Your 128 bit key is only as good as the random number generator that it came out of. If the RNG has known fixed zeros, ones or zero/one pairs it is not effectively 128 bit
If you ever want to see how quickly the compute time grows for decryption, do a 3 disk hanoi, then a 10 disk hanoi, then a 30disk hanoi
oke fine,, for application 3d rendering Ray tracing ON better bit 256 or 128 ?
the weaknes of AES is ristricting to 128bit blocksize where its base algorithm rijndael supports also 256bit blocks - but nope - NSA needed its backdoor
i just want want simple answer 128-bit graphics card is better or 256-bit graphics card is better for gaming performance....i don't understand your technical information
If Quantum computing can affect RSA how about DH key exchange it can be also affected? Since the AES key is derived using that in many protocols, could my derived key be exposed?
*What if p = np i heard it will break all encryption*
People who are not in the know may think 256 bit is double 128. A small example to show it's not.
4 bits = 2^4 = 16
5 bits = 2^5 = 32
6 bits = 2^6 = 64
7 bits = 2^7 = 128
8 bits = 2^8 = 256
Every time you add 1 bit, the total bits doubles. So try continuing the example and see how fast the total bits gets huge.
It's like when you're up after midnight (like I am now) and still referring to 'tomorrow' when you mean 'later today'. If we think about it for a second, we know it's wrong but instinctively that's what it feels like. I should go to bed =(
It's not that "total bits" doubles. The number of combinations you can arrange those bits doubles.
I mean
1 bit - two combinations - 0 or 1
2 bits - 4 combinations - 00, 01, 10, 11
3 bits - 8 combinations...
What you probably wanted to say is that every extra bit makes your password twice as hard to brute force.
Im going to ask a very noob question but if people are looking to brute force keys at specific lengths e.g 128, 192 etc why do we not use the full range such as odd numbers guessing I'm missing something?
I used 3084 bit Blowfish for the longest time, but after I found out not every bit adds a relevant bit I gave up on that.
Is Dr Mike Pound teaching security at University of Nottingham? If yes, does anyone have his lecture notes or sth? He is awesome
You totally ignored number of rounds for each AES keylength (10, 12 and 14 respectively) - and this is the problem with AES256 Bruce Schneier was pointing at over 10 years ago (he suggested switching to 16, 20 and 28 rounds). In 2009 Shamir et al presented fully practical (2^70) attack against 10-rounds AES256...
A thing i always think about considering symmetric cypher is, if you attempt to brute force the key, how would you even decide if what you deciphered is the encrypted message? Maybe your encryption would allow decyphering with a wrong key and give you a result, that could be what was encrypted, but you would need another program that actually looks at it to decide it. And maybe you decypher a message that makes sense, but it's the wrong output?
That's the point behind Vernam's cipher - key is random so there is no way to decipher it because there is no way to verify the result. Doing that with some more practical cipher is hard, though. The probability of this happening is so low (and keeps dropping as you encrypt more and more input), that you can be almost sure that if you decrypt at least something, it is the input.
To increase the chance of this happening, you would need to either make key very long or derive the key specifically to be more likely to decipher to multiple possible inputs. That would lower it's security, though. One interesting thing you can do is to deliberately include random text in some places in your input - this would make your message indistuingishable from randomly found inputs that are partially valid, while human could clearly recognize and filter out random bits. Something like a steganography, in a way. Interesting thought.
If your key is equaly long or longer than the payload data it would be impossible to decide if you found the real key or not, since by pure bruteforcing the key you would find any possible data set with equal length of the input payload. But since your key is usually much, much smaller than the payload you want to encrypt, thats not the case. Basically your key will be repeated until it's the same length as your payload (thats not entirely true, but it's easier to imagine). And that will greatly limit the possible valid input data sets. Its unlikely that repeating a random bruteforced key until the same length is reached, will yield something sensible when trying to decrypt the data with it.
@@blenderpics But yet, i imagine a program that can decide if the output is just random garbage or already the right output (it has to look for unimaginable amount of correlations to find that out, if you just zip your files before using another tool to encrypt it and put some picture in your files with it for example, or maybe you used another compressor or whatever) that would dramatically increase computing time for each brute force try, making it impossible to test all.
I think you're talking about the one time pad or vernoms cipher, in that case yes, youre right. Its basically unbreakable. But other ciphers that are brute forcible will generate you 1 correct deciphered message and alot of jibberish, the way you find that one correct deciohered message is through letter frequencies i think.
@@danielroder830 you are talking about AGI (Artificial General Intelligence) there. Making meaning.
Are all key available ? Or some value are forbidden for security reason (like not letting key with the first 100 bits at zero) ?
I remember that for asymmetrical algorithms you are restricted to only prime numbers. Not sure about symmetrical ones...
@@jarlfenrir if I recall, the prime number are used to construct the key not as the key itself
@@Tutul_ ok, I have to refresh my memory
You talked about bank data expires with the expiration date from the card, but wat about medical data? Do you guys think 256 is necessary. The thing is, the data only expires with the death of the person, but in the other hand medical reports are a timeframe and can be irrelevant a few months or a year later..
Where is subtitle?
If you brute-force an encrypted message how do you know you've got it? 🤔
It depends. Often there is a mac tag attached to the message that uses the same key as the encryption algorithm - you can just check if the ciphertext (or the plaintext if you use mac-then-encrypt) matches the mac with a given key.
Otherwise using frequency analysis or whatever. If your decrypted message only consists of ascii characters then you probably have the correct key.
@@AP-dc1ks Your TLS connection right now uses the same key for both the MAC tag and for encrypting its data.
@@jonnyjohn5178 Ah thank you 😀
If you have some idea what the format of the plaintext might be, there are tests to see if the decrypted data fits any likely format.
So what do you think about random chicken generator
If AES only encrypts blocks of 128 bits, how does using a 256 bit key, give me 256 bits of security in a block that only contains 128 bits?
I'd guess padding up to the full size of the block? I'm no expert.
Next to an encryption scheme has every modern symmetric block cipher also a key generation scheme. In typical crypto-explanations, that's practically always omitted, as the topic is already deemed "too complex" for the average Joe anyhow, so nobody talks about it and its simply ignored.
The encryption scheme of symmetric block ciphers is typically iterative and each (often identical) iteration is called a "round". Eg AES-128 has 10 rounds, AES-192 has 12 and AES-256 has 14. The block sizes as well as the round key length are the same for all 3 (128-bit). So the length of what you consider "key" varies (128, 192, 256), but the round key size is the same in all 3 (128-bit). If you consider that different amount of rounds (10,12,14) require different amounts of round keys, it becomes obvious that schemes with more rounds require a longer key to be able to derive more key material (round keys) of it.
A key is primarily used to introduce entropy (randomness) into the encryption process. To do this, the key itself is typically not used for encryption, but just used to derive a larger numbers of round keys from it, which are then used witin the rounds. Every round thus receives a freshly dervied, unique round key that introduces entropy into each encryption round. These keys are all of the same size. So the the different key lengths are handled within the key derivation scheme, not within the encryption scheme.
Video on PBKDF please!!
MORE MIKE POUND
Wait, didn't this just happen?
What do you mean not exist? There are already 1 or 2 quantum computers that were already built and announced like a year or 2 ago.
(1:20) With absolutely random keys,, you should find it at one less bit on average. So 128 bit requires 2^127 attempts on average, and 256 bit key requires 2^255 attempts on average.
Can you make a video on block chain encryption?
And here I am with my password of six zeroes...
Are you the nuclear missile silo?
Quantum Computers (QCs) are designed primarily to attack Public Key cryptography, practically RSA, then ECC. Normal PCs have trouble doing the math of RSA/ECC which are VERY LARGE prime numbers. QCs can process them with ease AND at twice the rate! regular ciphers like AES, Twofish, Camelia, and Company are safe because key sizes are based on bit strength and bits are no more than one One and one Zero (1 and 0, respectively) to the power of the bit strength (2^B; where B = Bit Strength). So, AES128 is already Quantum safe because the key space of AES128 is 2^128 possible keys. For example, a cipher with a 8 bits has a key space of 2^8, or 256 possible keys. a 9 bit cipher has a key space of 2^9, or 512 possible keys, and so on, etc. Thus AESS128 has a key space of 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys. A dedicated QC attacking a single AES128 key would half the space making the key space reduced to 2^127, or 170,141,183,460,469,231,731,687,303,715,884,105,728 possible keys. Even with the key size of 2^128 being cut in half, it is still impracticable.
But attack the RSA that encrypts the very first AES128 Session key (the key used to begin encrypting your visit to a website), then the attacker has access to your session key and may decrypt your recorded internet traffic! So he not only knows what website you're visit but after a few days of attacking the RSA key, he will discover what you were looking at, downloaded, posted, etc. on that website! The info may be used for malicious purposes. You see, RSA2048 has a theoretical key space of 2^2048 which would make ANY Cryptographer go BOING! But, it is only theoretical. Practically, only 4 numbers out of 10 are prime numbers and the rest are composite numbers. So the actual key space my be calculated as (2^2048(0.4)) While still a number so much higher than Snoop D. O. double G, it significantly lowers the search time needed, and WHAT it is the the QCs need to look for. However, since only very large numbers are used, then the key space may be further reduced by eliminating the smaller prime numbers. And if a single RTX 3090 dedicated to brute force numbers may run 650,000,000,000 keys per second (and it can on a dedicated PC software), then a QC would run at 130,000,000,000 per second! As a reminder, a PC only needs to run though half of a key space to find the key, on average( ((2^2048(0.4)/8)/2 )! If a rig of 60 QCs attacked a key, then it would run at 78,000,000,000,000 per second! Even though the numbers are large, a QC can factor the RSA program with ease; as fast as our current PCs processing 1+1.
TL;DR
If a QC is a thief, then AES128 is Fort Knox. If RSA and ECC were younglings hiding in the Jedi Temple during Order 66, then a QC is Anakin Skywalker.
Would it get much slower with 512 or 1024 bits? Even if 256 are enough today, I would prefer it even more secure, if that only means a few milliseconds of more computing time.
I would even go so far to always allow a full second of computing time for each encryption of a message for example. That way encryption would become more and more secure, if computers become faster. A kind of "hyper encryption" that is totally over the top even if we do not see a reason for such an encryption today.
You can measure encryption in dollars. How many dollars worth of computing time would it cost to decrypt an encryption? And then imagine you would fill the whole known universe with 100-dollar-bills. That's how much a decryption should cost at least.
It depends on the algorithm. I do not think that it would get more than 4 times as slow.
Anyway, 1024-bit keys are overkill. It would make more sense to increase the rounds instead if you have speed to spare.
I love your videos, thank you for making great content
make a video about back door used by nsa
@Pronto all kinds, I saw that bitcoin algorithm is made by NSA. Is it really just made and give it to the people to enjoy? also whatsup telegram etc... are free because they can listen you, or?
Will he make a video about convolutions, that behind him?
If I had 2 bits for everytime someone said quantum computer...
And if you had 2 qubits for every time someone said that, this video would be obsolete very quickly.
You'd have a qubit
So, do those who need public key cryptography and need it to remain secure longterm have legitimate cause to worry, with regards to quantum computing?
Nope. Symmetric algorithms are resistant is the key is just long enough. Only asymmetric ones are vulneranerable, but they are anyhow not used for information storage, but key exchange. If you worry about sniffing and storing data now to decrypte them in 30 years, just substitute the common asymmetric algorithm used now with a PQC cipher and you are fine. Quantum computers won't change a lot in cryptography. A few cipher changes, that's all.
@@frankschneider6156 "Nope" - Argenteus said "who need public key cryptography", so yes, they do have a legitimate cause to worry.
"but key exchange" - and signatures
"PQC cipher" - Asymmetric algorithms are not ciphers.
Guess its time for me to switch from 1 to 2 bit encryption
Dr Mike Pound should teach a whole computer science curriculum
Cesar, is the best encryption method.
Just out of curiosity what if every computer does this part of the calculation, how long would that take?
still a lot years
The universe would probably end before cracking it
I chuckled at the fast edit and SURPRISE commentator question at the 5 minute mark.
Hashtag there's a ton of bots on this channel and I'm utterly sad.
So use 128?
We can use 1024 bit encryption right? If not please explain it to me
no point in this...
even for decrypting 256 Bit by brute force on any speed computer there is not enough energy in the universe to break it with conventional computing.
@@Christian-ev1zu oh ok
@@Christian-ev1zu but what about quantum computers?
@@0_- the energy restriction may not be the problem there. But I do not know. My guess: not in the next 10 years... maybe never
I love this man, i want to be skilled like him ! Hard way but possible
Oh well
For me speed of AES does not matter
I am using LUKS and this would scale its speed according to speed of processor, so changing CPU to slower one will make reading my data awfully slow.
In the first place using LUKS renders encryption strength irrelevant, because the encryption algorithm is no longer the weakest link
What even?
@@KingHalbatorix could you elaborate, please?
@@WizardNumberNext please respond. How on earth did you deduce that for you the speed of AES does not matter?
@@WizardNumberNext please respond. How on earth did you deduce that for you the speed of AES does not matter?
Too many maybes in this one, Dr Mike is definitely working for MI6
Halfway through 2^128 is 2^127? 1:18
yeah, (2^128)/2 = 2^(128-1) = 2^127
@@lefterislazaropoulos8846 you're right yea i got confused there for a bit
@@aronpop1447 or for a qubit?
i'll see myself out, thanks
there are 2¹²⁸ keys, but statistically you just need to brute force half of them to get the solution. That's an average. Sometimes your first guess is the right one, sometime it's the last, but statistically that averages out to the middle, so on average you need to go through half of the keys (that's 2¹²⁷) to bruteforce a 2¹²⁸ key. Simply because statistically the key will follow a uniform distribution.