The cr.yp.to microblog: 2022.04.04 16:36:48

2022.04.04 16:36:48 (1510989769152479246) from Daniel J. Bernstein, replying to "Yehuda Lindell (@LindellYehuda)" (1510973797981114372):

The third bullet item on https://blog.cr.yp.to/20151120-batchattacks.html is a large-scale but feasible (2^98-guess) attack against a batch of 2^40 AES-128 targets, expected to break roughly 2^10 targets. There's no out-of-range preprocessing. The users whose data is compromised can and should blame you.
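
A worked illustration of the batch-attack arithmetic behind those numbers, added here as an example; it is not code from the post or from the linked blog page. It replaces AES with a SHA-256-based toy keyed function over a deliberately tiny 2^16 key space (an assumption made purely so the loop runs instantly), draws a constructed batch of target keys, and shows that one trial encryption per guess, checked against every target with a single dictionary lookup, recovers about 2^(guesses + targets - keybits) keys. The function expected_breaks applies the same formula to the post's figures (2^98 guesses, 2^40 targets, 128-bit keys) and yields 2^10.

```python
import hashlib
import random
from typing import Dict, List, Set

# Toy stand-in for a block cipher: a keyed pseudorandom function built from SHA-256.
# The key space is deliberately tiny (2^16 instead of AES-128's 2^128) so the
# exhaustive loop below finishes in a fraction of a second.
KEY_BITS = 16
FIXED_PLAINTEXT = b"known-plaintext-block"  # constructed: same block under every key


def toy_encrypt(key: int) -> bytes:
    """64-bit 'ciphertext' of FIXED_PLAINTEXT under the toy key."""
    data = key.to_bytes(KEY_BITS // 8, "big") + FIXED_PLAINTEXT
    return hashlib.sha256(data).digest()[:8]


def expected_breaks(guess_bits: int, target_bits: int, key_bits: int) -> float:
    """Expected keys recovered when 2^guess_bits guesses are shared across
    2^target_bits independent targets in a 2^key_bits key space: 2^(g + t - k).
    With the post's numbers (98, 40, 128) this is 2^10 = 1024."""
    return 2.0 ** (guess_bits + target_bits - key_bits)


def guesses_per_recovered_key(guess_bits: int, target_bits: int, key_bits: int) -> float:
    """Cost per broken key; for the post's numbers 2^98 / 2^10 = 2^88, far below
    the ~2^127 expected cost of attacking a single AES-128 key in isolation."""
    return 2.0 ** guess_bits / expected_breaks(guess_bits, target_bits, key_bits)


def make_targets(num_targets: int, seed: int) -> List[int]:
    """Constructed batch of target keys, drawn uniformly from the toy key space."""
    rng = random.Random(seed)
    return [rng.randrange(2 ** KEY_BITS) for _ in range(num_targets)]


def batch_attack(target_keys: List[int], num_guesses: int) -> Dict[int, bytes]:
    """Try the first num_guesses keys once each. Every guess costs one encryption
    and one set lookup regardless of how many targets there are; that shared
    cost is the whole point of the batch setting. Returns {recovered_key: ct}."""
    # The attacker sees only the ciphertexts of the fixed plaintext, never the keys.
    known: Set[bytes] = {toy_encrypt(k) for k in target_keys}
    recovered: Dict[int, bytes] = {}
    for guess in range(num_guesses):
        ct = toy_encrypt(guess)
        if ct in known:  # matches any of the targets at once
            recovered[guess] = ct
    return recovered


def demo(target_bits: int = 8, guess_bits: int = 12, seed: int = 1):
    """Run the toy batch attack: 2^8 targets, 2^12 guesses, 2^16 keys -> ~16 keys."""
    targets = make_targets(2 ** target_bits, seed)
    recovered = batch_attack(targets, 2 ** guess_bits)
    return targets, recovered


if __name__ == "__main__":
    targets, recovered = demo()
    print("expected (formula):", expected_breaks(12, 8, KEY_BITS))
    print("recovered (simulation):", len(recovered))
    print("post's figures, expected broken keys:", expected_breaks(98, 40, 128))
    print("post's figures, guesses per broken key: 2^%d"
          % round(__import__("math").log2(guesses_per_recovered_key(98, 40, 128))))
```

Because the guesses are tried in order 0, 1, 2, ..., the simulation recovers exactly those target keys that happen to fall below the guess bound, which is the concrete form of the 2^(g + t - k) estimate; the 64-bit truncated output keeps accidental ciphertext collisions between distinct toy keys negligible for these sizes.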

Context

2022.04.04 09:00:44 (1510874996188622852) from "Yehuda Lindell (@LindellYehuda)":

People often ask the question - is 128-bit security enough? Is AES-128 enough for high security applications? In this thread, I’ll do the calculation. I’ll assume that AES should be about 8 times faster than SHA256 in ASIC (this is conservative). 1/n

2022.04.04 15:30:25 (1510973064435179520) from "@neilmadden@infosec.exchange (@neilmaddog)", replying to "Yehuda Lindell (@LindellYehuda)" (1510874996188622852):

What is your opinion of arguments like https://blog.cr.yp.to/20151120-batchattacks.html ?

2022.04.04 15:33:20 (1510973797981114372) from "Yehuda Lindell (@LindellYehuda)", replying to "@neilmadden@infosec.exchange (@neilmaddog)" (1510973064435179520):

This is what I was half referring to when I said that even doing this once for preprocessing is far out of range. Even if you could break millions of keys with one shot, this is still way out of range for everyone. Anyway, my personal opinion.