I think it's really important people understand 256 bits is not twice the security of 128 bits. It's twice that of "255 bits".

why dont this dude has his own channel this guy is amazing wish i had a computer teacher like him

That aged well!

When an engineer says "20-25 years", they mean "well, it's hypothetically possible".

This guy is my favorite on the channel

I'm glad he addressed the naivety of the quantum computing argument. If I had a nickel for every uninformed person I've heard say "none of this encryption stuff even matters cuz QUANTUM," then, I'd be a very rich man.

Was just going through a Dr. Pound binge of old Computerphile videos, and bam! All of a sudden, a new one 12 mintues ago. He is definitely my favourite presenter on this channel.

I can listen to his talks all day long. He is amazing and his skills in explaining things is incredible.

I have been looking for this type of explanation for a year now!!! Thank goodness I finally found this video.

Yes, he's Back!

Best video in years! It's answers one of the most important questions I had for years ... by somebody I trust.

"It's not about size. It's about the technique" :)

I actually LOL'd

I love your videos, thank you for making great content

Yes! Another Mike video

I would trust Dr. Pound with my passwords in plaintext

Wow, what an informative video! I like the forward-thinking question of how these encryption standards will age as computing technology develops. You've got me off to research Grover's Algorithm.

Loving the sketch part with the comment section. Great stuff :)

00:40 196 bit key should be 192 bit key ... Mike even says so a few seconds later :)

0:56 Key length. 2:39 AES attack. 3:49 RSA and Diffie-Hellman *4:30 --> Elliptic Curves. 5:13 Quantum Computing. 5:33 Grover's algorithm. 6:59 Publick-key vs Quantum.

Nice quick video about a key part of encryption. Is this a part of a series? *me goes to check the channel*

I really want to see this video again in 40 years time, see how broken it is by then.

Just appending the key to the end of the file is my new favorite encryption scheme. I mean that would probably prevent the file from opening properly for any format other than plain text so it would sort of protect you if the person stealing your data wasn't super motivated to figure out what was happening if the files didn't open right away, haha.

The US Government: 40 Bit is enough

4:44 _It's not the size of the key, it's the encryption method you're throwing it at!_

I love this man, i want to be skilled like him ! Hard way but possible

What's on the whiteboard in the background? Did someone explain filters and convolutions?

Thank you so much for this!

Grover's algorithm will crack 128-bit encryption once they make quantum computers with the same clock speed as classical computers (i.e. in the very far future). 256-bit encryption would be crackable with galaxy-scale quantum computers, but not by a machine that would fit on one small planet.

I only just noticed the video was out, but it came out pretty much exactly as I was discussing this precise topic with my husband a couple hours ago. Eerie.

Can anyone smart say how long it takes to break a 32 digit key if using the 128 ASCii characters? Minutes or weeks? It’s something we use at work, just debating if it needs updating. If its over a week then changing the key regularly makes more sense than going for AES 256

Back in university I remember my crypto professor mentioning that AES192 and 256 are technically a couple bits less secure because their rounds to key-size ratio is lower. Since 128 has 10 rounds but 192/256 only have 12/14 rounds, he said their effective key-space was a couple bits lower than their key-size. Never really been sure if he was correct or not.

Would love more compression vids

A 256 AES bit encryption can be paired in sequence with another 256 AES bit key making it crazy to get into

If Quantum computing can affect RSA how about DH key exchange it can be also affected? Since the AES key is derived using that in many protocols, could my derived key be exposed?

This channel makes me want to enroll at Nottingham just to have more time with these guys

At ~0:40 you show encryption bit sizes of 64, 128, *_then 196-bit_** instead of 192 , just FYI*

Thank you. Very nice explanation :)

Interesting vid. Thanks. If a quantum computer can effectively halve the key space for a symmetric key, why can't they then feed the result through the computer again for additional halvings?

Could you do a video on Isogeny based asymetric crypto?

Im going to ask a very noob question but if people are looking to brute force keys at specific lengths e.g 128, 192 etc why do we not use the full range such as odd numbers guessing I'm missing something?

You can double the effective key length by triply encrypting with three different keys (or EDE encrypting as per 3DES). So AES256 triple-encrypted with a 768-bit key gives you effectively a 512-bit key. Note that naively double encrypting doesn't give you any extra security because of a thing called a meet-in-the-middle attack.

Is Dr Mike Pound teaching security at University of Nottingham? If yes, does anyone have his lecture notes or sth? He is awesome

MORE MIKE POUND

My hard drive is encrypted with 512 bit AES, thank you VeraCrypt!

I worked at NSA from 1999 to early 2001. I wish I could talk about your theories and how long it takes to get a password. So, 20 years ago I asked someone in the "Z group" to crack some password protected files. It was actually encrypted files that were zipped together and the zip file also was password protected. Both different passwords. I was given all I needed in about 5 days. This was over 20 years ago. I can't even imagine what's going on these days.

Will he make a video about convolutions, that behind him?

6:07 - small correction: not half, but square root. 2^128 is not half of 2^256.

Question: From what I took away, quantum computers half the effectiveness of bit length for encryption. This isn't a problem for symmetric encryption because it can easily double the the key length with a minimal increase in encryption / decryption time. RSA has large keys however, and doubling those keys would increase encryption / decryption time significantly. What about ECC? From the example you gave the key size is fairly small, would it be too much to double ECC's key size?

Are all key available ? Or some value are forbidden for security reason (like not letting key with the first 100 bits at zero) ?

Awesome video

I find Dr Pounds videos to be some of the most interesting and educational on this chanel. But, his mannerisms always make me think that if his life took a different path, he'd be down at the Saturday market in Staines flogging hi-fi systems that fell off the back of a lorry

You totally ignored number of rounds for each AES keylength (10, 12 and 14 respectively) - and this is the problem with AES256 Bruce Schneier was pointing at over 10 years ago (he suggested switching to 16, 20 and 28 rounds). In 2009 Shamir et al presented fully practical (2^70) attack against 10-rounds AES256...

Thanks a lot, verry clear ! :D

@0:40 The graphic, symbolizing different key lengths is a case of graphics gone wrong. The critical part of the key is in all 4 cases of the same length and they don't seem to differ at all. :)

Let’s say that you encrypt your data and then encrypt that data with a different key. It would then take 2 decryptions with 2 keys to get the original data. But if you brute force the end data, how would you know a correct decryption from a test that fails as they would both just look random? It seems to me that any decryption that is successful needs to be able to get something that looks normal to determine that it has actually decrypted the data correctly. I can’t see how you could get that with a double encryption. This should be true even if the code breaker knows both the public keys of the double encryption.

Just wanted to add that quantum computers, if performing only classical computations, are _slower_ than a classical computer. I'm not sure if you can pass Grover's Algorithm to a classical computer (I'm guessing not because of quantum), but I did want to note that. Quantum computers aren't 2^64 times slower though, obviously.

Can you make a video on block chain encryption?

7:28 When your auto-playlist is the same as Dr Pounds :)

If you ever want to see how quickly the compute time grows for decryption, do a 3 disk hanoi, then a 10 disk hanoi, then a 30disk hanoi

What is the difference between bits of entropy vs key length entropy?

Gosh I love those cryptography videos

I enjoyed watching the video Thank You : )

Just out of curiosity what if every computer does this part of the calculation, how long would that take?

Video on PBKDF please!!

03:18 using more key material can actually weaken the algorithm because it might not have perfect diffusion when doing rounds. so i hear ;)

What I don't undestand, how can brute force work, when most 'applications' of let you try password like 3 or 5 times, if you miss you must try again 30 minute later or so... So how its possible that a hacker tries to break in my for example xyz mail acount with brute force if after 5 times fail the account gets locked for 30 minutes?

What's the algorithm he mentions on 5:33 to break AES?

I chuckled at the fast edit and SURPRISE commentator question at the 5 minute mark.

oke fine,, for application 3d rendering Ray tracing ON better bit 256 or 128 ?

Watching this while working on my CNNs. I use the same hyperparameters ;)

1:46 If the key has 2^256 bits, that would be a lot of overkill.

hello I have a question my seed password is 56 letters long each letter is 8 bits so 8 for 56 and 448 bits right I can't understand can you explain me better thanks everyone

the weaknes of AES is ristricting to 128bit blocksize where its base algorithm rijndael supports also 256bit blocks - but nope - NSA needed its backdoor

So, do those who need public key cryptography and need it to remain secure longterm have legitimate cause to worry, with regards to quantum computing?

Cesar, is the best encryption method.

Anybody know the name of the green font from the thumbnail?

thanks lot !

At 7:30, did you mean to be advertising Linus Tech Tips? Not complaining, just wondering ;-)

Why does the NSA push ecliptic curve when they are not in the data security business?

*What if p = np i heard it will break all encryption*

A thing i always think about considering symmetric cypher is, if you attempt to brute force the key, how would you even decide if what you deciphered is the encrypted message? Maybe your encryption would allow decyphering with a wrong key and give you a result, that could be what was encrypted, but you would need another program that actually looks at it to decide it. And maybe you decypher a message that makes sense, but it's the wrong output?

You talked about bank data expires with the expiration date from the card, but wat about medical data? Do you guys think 256 is necessary. The thing is, the data only expires with the death of the person, but in the other hand medical reports are a timeframe and can be irrelevant a few months or a year later..

Guess its time for me to switch from 1 to 2 bit encryption

Your house key is 2^17 and can be "cracked" in 3 seconds with a bent hairpin.

Is there a real reason not go for 256 right now? I mean pretty much every cryptography library will support AES256, so there's no real reason to go for 128. Unless you're working with limited hardware, in let's say an embedded device.

With regards to "military-grade", at least when it comes to the US, includes AES-256. Other algorithms listed in CNSA is ECDH-P384, ECDSA-P384, SHA384, DH-3072, RSA-3072

Your 128 bit key is only as good as the random number generator that it came out of. If the RNG has known fixed zeros, ones or zero/one pairs it is not effectively 128 bit

People who are not in the know may think 256 bit is double 128. A small example to show it's not. 4 bits = 2^4 = 16 5 bits = 2^5 = 32 6 bits = 2^6 = 64 7 bits = 2^7 = 128 8 bits = 2^8 = 256 Every time you add 1 bit, the total bits doubles. So try continuing the example and see how fast the total bits gets huge.

What do you mean not exist? There are already 1 or 2 quantum computers that were already built and announced like a year or 2 ago.

And here I am with my password of six zeroes...

The US military has been using 256 bit key for well over 40 years. Combine that with what appears to be a total lack of information about how the key is applied and in what manner of operation(s). One can only guess at how far behind the civilian world is today.

If you brute-force an encrypted message how do you know you've got it? 🤔

What is AS in this context?

I feel like a primary school student every time I listen to Dr Pound. To have just a quarter of his understanding...

Quantum Computers (QCs) are designed primarily to attack Public Key cryptography, practically RSA, then ECC. Normal PCs have trouble doing the math of RSA/ECC which are VERY LARGE prime numbers. QCs can process them with ease AND at twice the rate! regular ciphers like AES, Twofish, Camelia, and Company are safe because key sizes are based on bit strength and bits are no more than one One and one Zero (1 and 0, respectively) to the power of the bit strength (2^B; where B = Bit Strength). So, AES128 is already Quantum safe because the key space of AES128 is 2^128 possible keys. For example, a cipher with a 8 bits has a key space of 2^8, or 256 possible keys. a 9 bit cipher has a key space of 2^9, or 512 possible keys, and so on, etc. Thus AESS128 has a key space of 2^128, or 340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys. A dedicated QC attacking a single AES128 key would half the space making the key space reduced to 2^127, or 170,141,183,460,469,231,731,687,303,715,884,105,728 possible keys. Even with the key size of 2^128 being cut in half, it is still impracticable. But attack the RSA that encrypts the very first AES128 Session key (the key used to begin encrypting your visit to a website), then the attacker has access to your session key and may decrypt your recorded internet traffic! So he not only knows what website you're visit but after a few days of attacking the RSA key, he will discover what you were looking at, downloaded, posted, etc. on that website! The info may be used for malicious purposes. You see, RSA2048 has a theoretical key space of 2^2048 which would make ANY Cryptographer go BOING! But, it is only theoretical. Practically, only 4 numbers out of 10 are prime numbers and the rest are composite numbers. So the actual key space my be calculated as (2^2048(0.4)) While still a number so much higher than Snoop D. O. double G, it significantly lowers the search time needed, and WHAT it is the the QCs need to look for. However, since only very large numbers are used, then the key space may be further reduced by eliminating the smaller prime numbers. And if a single RTX 3090 dedicated to brute force numbers may run 650,000,000,000 keys per second (and it can on a dedicated PC software), then a QC would run at 130,000,000,000 per second! As a reminder, a PC only needs to run though half of a key space to find the key, on average( ((2^2048(0.4)/8)/2 )! If a rig of 60 QCs attacked a key, then it would run at 78,000,000,000,000 per second! Even though the numbers are large, a QC can factor the RSA program with ease; as fast as our current PCs processing 1+1. TL;DR If a QC is a thief, then AES128 is Fort Knox. If RSA and ECC were younglings hiding in the Jedi Temple during Order 66, then a QC is Anakin Skywalker.

the biggest problem with encryption is the key really isnt the actual key length its the effective key length; Often the key is been generated form some short phrase or sentence and a hashing functions beenran on it; while for an ideal hash function it would be okay.... most of ours arent and we end up with real key strengths that are much much less than the intended; or even worse the LFR random number generators on emulated computers;which dont get back actual hardware noise to add as a salt; ending up with known next values for the inputs. its neat.

I only use AES-4294967296 encryption, because the legend on the bar graph I read said "higher is better."

I used 3084 bit Blowfish for the longest time, but after I found out not every bit adds a relevant bit I gave up on that.

Would it get much slower with 512 or 1024 bits? Even if 256 are enough today, I would prefer it even more secure, if that only means a few milliseconds of more computing time. I would even go so far to always allow a full second of computing time for each encryption of a message for example. That way encryption would become more and more secure, if computers become faster. A kind of "hyper encryption" that is totally over the top even if we do not see a reason for such an encryption today. You can measure encryption in dollars. How many dollars worth of computing time would it cost to decrypt an encryption? And then imagine you would fill the whole known universe with 100-dollar-bills. That's how much a decryption should cost at least.