maxdancona wrote: "When we talk about the security, we talk about the number of possible answers. Then if you know how many answers the fastest computers currently available can try each second, you can calculate how long such a brute force attack will take."
I think this is exactly right, though we can also ask how many fast computers will be used in parallel, since this is a problem whose range can be split between multiple processors. Once the tables are compiled for a particular encryption app the tough work is finished and decryption can take place almost in real time for each new message.
maxdancona wrote: "Most people think an 128 bit key which lead to 3.4 x 10^38 (that's 34 followed by 37 zeros) possibilities a computer needs to try is plenty good enough. I have used 1024 bit keys professionally."
That's 2 to the 128th power alright, but I'm not sure there are that many possible keys in practice. For example, would a short random string followed by a bunch of zeroes be used if this is technically equivalent to the same string without the zeroes? What I mean is, if a key is 128 bits, wouldn't that have to include only binary strings of 128 bits, rather than all the much shorter numbers that can be expressed in 128 bits (but also with fewer than 128 bits)? I mean, 0, 1, 2, etc., are counted among those 3.4 times ten to the 38 possibilities, but (I assume) many or most partial string equivalents would be excluded for security reasons, by design, as potential keys. If we only have to consider keys that cannot be expressed in fewer than 128 bits, how many possibilities does that leave?
James Bamford's book Body of Secrets was written 15 years ago. In Chapter 14 he writes about then extant processor in memory (PIM) chips manufactured by the NSA's Special Processing Lab capable of performing a quadrillion (10 to the 15th) operations per second. He writes that "by 2005 the SRC (NSA's Supercomputer Research Center), with years of secret, highly specialized development accumulated, will likely be working with computers operating at exaflop speeds -- a quintillion operations a second -- and pushing for zettaflop and even yottaflop machines, capable of a septillion (10 to the 24th) operations a second."
Even with multiple supercomputers that fast, 2 to the 128 is still a lot of possibilities, though. If you had 100 yottaflop machines working simultaneously, it would still take more than 100,000 years to perform that many calculations, if I did the math correctly.
But as you point out, there can be short cuts. And I still need to know if in practice a 128 bit key actually implies 2 to the 128th power possibilities (per above).
Question: if your cellphone knows the unencrypted key, and it's connected to the Internet or some other data stream capable of being manipulated, wouldn't it be easier to upload something that scanned your phone's memory for the decrypted key?