> If from a 128-bit key 120 are correct, it's trivial to figure out the others, even if you don't know which bits are the flipped ones.
Can you elaborate a bit? Off the top of my head, I feel like that scenario would leave 128-choose-8 possibilities open, or about 1.4 trillion. Are we calling that "trivial" or am I misunderstanding the attack?
(If you're calling that "trivial", I think that could be reasonable in a cryptography context where you're considering attackers with a lot of resources. It's just different from how I usually use that word. I don't disagree with your conclusion that leakage of even a few bits is worth worrying about.)
If it's 1.4T, it depends on what you're using it for. Someone on SO has a verify speed for 512-bit RSA keys at 350k/second, which would leave it at, I think, a month and a half to run 1.4T. That's a random user and a single machine. ECDSA 128-bit verify is maybe 6k/s on a single core of a not-great CPU. That puts you at about a month or two on a moderate machine, assuming there's no fancy GPU things for doing it.
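The arithmetic behind the 128-choose-8 figure and the check rates quoted above, as an added Python example (not code from anyone in the thread): the candidate count is C(n, k) rather than 2^n, and a toy 16-bit key with two unknown flipped bits is recovered against an HMAC tag used as the verification oracle. The key, message and flipped positions in the toy are constructed sample values.

```python
"""Search-space arithmetic for a key with a few flipped bits, plus a toy recovery."""
import hashlib
import hmac
import math
from itertools import combinations
from typing import Callable, Optional, Tuple


def search_space(n_bits: int, n_flipped: int) -> int:
    """Candidates when exactly n_flipped of n_bits are wrong and the attacker
    does not know which: C(n, k). For n=128, k=8 this is ~1.43 trillion."""
    return math.comb(n_bits, n_flipped)


def time_to_exhaust_days(candidates: int, checks_per_second: float) -> float:
    """Worst-case wall-clock days to test every candidate at a given check rate."""
    return candidates / checks_per_second / 86400


def recover_key(leaked: int, n_bits: int, n_flipped: int,
                verify: Callable[[int], bool]) -> Optional[int]:
    """Try every choice of n_flipped positions, flip them in the leaked value,
    and return the first candidate the verifier accepts (None if none does)."""
    for positions in combinations(range(n_bits), n_flipped):
        mask = 0
        for p in positions:
            mask |= 1 << p
        candidate = leaked ^ mask
        if verify(candidate):
            return candidate
    return None


def toy_demo() -> Tuple[bool, int]:
    """Constructed case: 16-bit key, 2 flipped bits, HMAC-SHA256 tag as oracle.
    Returns (recovered the true key?, number of candidates tried at most)."""
    n_bits, n_flipped = 16, 2
    true_key = 0xBEEF                      # constructed sample key
    message = b"constructed sample message"
    tag = hmac.new(true_key.to_bytes(2, "big"), message, hashlib.sha256).digest()
    leaked = true_key ^ (1 << 3) ^ (1 << 11)   # attacker's copy: two wrong bits

    def verify(candidate: int) -> bool:
        cand = hmac.new(candidate.to_bytes(2, "big"), message, hashlib.sha256).digest()
        return hmac.compare_digest(cand, tag)

    recovered = recover_key(leaked, n_bits, n_flipped, verify)
    return recovered == true_key, search_space(n_bits, n_flipped)
```

At 350k checks/second the 128-choose-8 space takes about 47 days to exhaust, which is the "month and a half" above; the toy needs at most 120 checks instead of 65,536.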