[tczMUFlmoNk]

> If from a 128 bit key 120 are correct, it's trivial to figure out the others, even if you don't know which bits are the flipped ones.

Can you elaborate a bit? Off the top of my head, I feel like that scenario would leave 128-choose-8 possibilities open, or about 1.4 trillion. Are we calling that "trivial" or am I misunderstanding the attack?

(If you're calling that "trivial", I think that could be reasonable in a cryptography context where you're considering attackers with a lot of resources. It's just different from how I usually use that word. I don't disagree with your conclusion that leakage of even a few bits is worth worrying about.)

[IanCal]

If it's 1.4T it depends on what you're using it for. Someone on SO has a verify speed for 512 bit rsa keys at 350k/second which would leave it at I think a month and a half to run 1.4T. That's a random user and a single machine. ECDSA 128 bit verify maybe 6k/s on a single core of a not-great CPU. That puts you about a month or two of a moderate machine assuming there's no fancy gpu things for doing it.

[dist-epoch]

These are symmetric keys - AES, not ECDSA. Much faster to test.

[cloudbonsai]

> scenario would leave 128-choice-8 possibilities open

That only amounts to log2(C(128, 8)) ~= 40.3.

Your encryption key is now just 40-bit strength.

[dist-epoch]

A NVIDIA 3090 with HashCat can do 3 billion AES decryptions per second. That would test all 1.4 trillion in less than an hour.