[raverbashing]

Yes, reading 2^80 bytes for a practical attac is impossible today (and also for the near future)

However, remember when attacks to 3DES, MD5 were only theoretical?

Also, you may not even need to read 2^80 bytes, there might be a (future) vulnerability that allows you to shortcut this.

[RyanZAG]

There are physical limits to our reality and it's very unlikely those limits can be broken (eg, speed of light). Given those limits, 2^80 is large enough that the limit cannot be surpassed without fully breaking reality (eg, timetravel).

If you can break reality, all bets are off though and trying to defend against attacks that break reality in the future are impossible.

[johncolanduoni]

The difference is that weaknesses were found in 3DES and MD5. Increasing computing power was not the main factor. "Only" being able to produce 2^80 random bytes is a known and expected limitation. Sure, the CSPRNG could in theory be found to have a weakness, but that has nothing to do with the 2^80 bytes and the same could be said for virtually any cryptographic algorithm.

[tptacek]

What weaknesses in 3DES are you thinking about that yield practical attacks?

[johncolanduoni]

I am not arguing that there are; that was the parent comment. However, while the 3DES weaknesses don't yield practical attacks now, they still reduce the effective key length. My point was not that 3DES is different in that it is exploitable, but that it is different from the 2^80 limit in that the CSPRNG in that the later is not a result of a mistake in the algorithm's design but instead an expected feature. Just like the fact that any fixed-size key symmetric cipher is "limited" by that key size.

Now, if someone found a lower limit based on exploiting some weakness in the random number generation, the analogy with 3DES and MD5 would make more sense.

[tptacek]

Which practical attacks on 3DES are you thinking of?

[raverbashing]

Just brute force basically

But there seems to be smarter attacks (ref 21) https://en.wikipedia.org/wiki/Triple_DES#Security

[tptacek]

Those are not practical attacks. But your argument hinges on their being non-theoretical attacks on 3DES. Are there others you were thinking of?

[raverbashing]

3DES might have been a bad example.

My point is that even if today some sizes and lengths seem only of theoretical concern, tomorrow there might be a vulnerability, a new approach to the problem, or even natural technological evolution that might turn it into a practical attack (even when it seems impossible today)

[tptacek]

But that's true of every cryptographic primitive. You can't make reasoned decisions based on that logic.

[ReidZB]

From what I recall, the consensus is that the smarter attack is less efficient than brute force overall.