2022.04.04 22:56:04 (1511085216147804161) from Daniel J. Bernstein, replying to "David Andersen (@dave_andersen)" (1511078596265271300):
Even without advances in semiconductors, the attack is feasible for large-scale attackers today. @LindellYehuda now claims that the attack isn't worthwhile (see "attacker economist" in https://blog.cr.yp.to/20151120-batchattacks.html), which is very different from his false claims that there's no attack.
2022.04.04 15:33:20 (1510973797981114372) from "Yehuda Lindell (@LindellYehuda)", replying to "@neilmadden@infosec.exchange (@neilmaddog)" (1510973064435179520):
This is what I was half referring to when I said that even doing this once for preprocessing is far out of range. Even if you could break millions of keys with one shot, this is still way out of range for everyone. Anyway, my personal opinion.
2022.04.04 16:36:48 (1510989769152479246) from Daniel J. Bernstein, replying to "Yehuda Lindell (@LindellYehuda)" (1510973797981114372):
The third bullet item on https://blog.cr.yp.to/20151120-batchattacks.html is a large-scale but feasible (2^98-guess) attack against a batch of 2^40 AES-128 targets, expected to break roughly 2^10 targets. There's no out-of-range preprocessing. The users whose data is compromised can and should blame you.
2022.04.04 19:39:08 (1511035655790415877) from "Yehuda Lindell (@LindellYehuda)":
I just find this theoretical. To spend about $128B on equipment to run for 1 year (plus huge electricity) to break one thousand out of 1 trillion keys… I find it hard to see where that would actually make sense.
2022.04.04 22:29:46 (1511078596265271300) from "David Andersen (@dave_andersen)", replying to "Yehuda Lindell (@LindellYehuda)" (1511035655790415877):
I agree with you in an overall handwavy sort of way, but the calculation does need to depend on the duration for which you want to keep the stuff secret and your model of continued advances in semiconductors (uncertain). Are there 2^40 intercepted msgs w/ 20-year secrecy? No idea.