# How Humans Beat Computers

### Introduction Figure 1: Number of keys related to the number of bits in the key

Every code is crackable and the measure of the security of a code is the amount of time it takes a person not addressed in the code to break it. Unless there are weaknesses in the encryption algorithm, the normal way to break cipher text is where a computer tries all the possible keys, until it finds a match. Thus a 1-bit code would only have two keys; a 2-bit code would have four keys; and so on. Figure 1 shows the number of possible keys, as a function of the number of bits in the key. For example it can be seen that a 64-bit code has 18,400,000,000,000,000,000 different keys. Thus if one key is tested every 10 ms then it would take 1.84´1014 seconds (5.11´1010 hours or 2.13´108 days or 5834602 years). So, for example, if it takes 1 million years for a person to crack the code, it can be considered safe. Unfortunately, from the point of security of an encrypted message, the performance of computer systems increases by the year. For example, if a computer takes 1 million years to crack a code, then assuming an increase in computing power of a factor of two per year, it would take 500000 years the next year. Then, Figure 2 shows that after almost 20 years it would take Figure 2: Time to decrypt a message assuming an increase in computing power

only 1 year to decrypt the same message. This is a worrying factor as encryption algorithms which are used in the financial applications, which was one of the first after the military to adopt encryption, are now over 30 years old.

The increasing power of computers is one factor in reducing the processing time; another is the increasing usage of parallel processing, as data decryption is well suited to parallel processing as each processor element can be assigned a number of keys to check the encrypted message. Each of them can then work independently of the other. Figure 3 gives example times, assuming a doubling of processing power each year, for processor arrays of 1, 2, 4…4096 elements. It can thus be seen that with an array of 4096 processing elements it takes only seven years before the code is decrypted within two years. Thus an organization which is serious about deciphering messages is likely to have the resources to invest in large arrays of processors, or networked computers. It is also likely that many governments have computer systems which have thousands of processors, operating in parallel. Figure 3: Time to decrypt a message with increasing power and parallel processing

### Real-life example So let’s take a real-life example. Let’s say that we can process 1billion keys per second. So the key to try a key is 1 nano second (1e-9), and we have a 64-bit key. For this we have:

18,446,744,073,709,551,616 keys

Thus, on average, it will take us to have the key space, so the time to crack is:

T = 1e-9 * 18,446,744,073,709,551,616 / 2 = 9,223,372,036 seconds

which is: 153,722,867 minutes (we divide the seconds value by 60) or 2,562,047 hours (we divide again by 60) or 106,751 days (we again divide by 24) or 292 years (we divide again by 365). If you want to try this I have setup an example:

http://www.asecuritysite.com/Encryption/keys?keys=1000000000

The result is thus:

 64 18,446,744,073,709,551,616 keys 292.47 years

This is quite a long time, and a few era, so our message seems to be safe. One thing we have not taken into account is that we can have more than one core on a processor, and we can have more than processors, so if we have an array of 1,024 processors, then the time to crack will be: 0.29 years, which is a much shorter time.

Let’s view the time to crack for:

• 1 million keys per second. Here. If we assume that we have one day to crack, then the limit will be about 37/38 bits.
• 10 million keys per second (approximately a standard Intel i7 core). Here. If we assume that we have one day to crack, then the limit will be about 41/42 bits.
• 100 million keys per second. Here. If we assume that we have one day to crack, then the limit will be about 47/48 bits.
• 1 billion keys per second. Here. If we assume that we have one day to crack, then the limit will be about 51/52 bits.

### So where are we now?

It can be seen that if we have 1,024 we gain a speed-up of 1,024, but for every doubling of the number of processes we can crack one more bit in the time. So 1,024 is 2 to the power of 10, so we can crack 10 more bits in the same time as one processor. So for our 1 billion keys per second we can crack around 62 bits in a day, which is where the current state-of-the-art it. I’ve taken the table up to 72 bits which is about the limit for massively parallel systems. For 72 bits we have:

4,722,366,482,869,645,213,696 keys

and even if we process at 10 billion keys per second it will take:

7,400 years

to crack the encryption, on average, which is a long time. Over the past few years RSA labs have had an encryption challenge, where in 1997, distributed.net cracked a 56-bit code (by search almost 47% of the key space) and it took them 250 days. With the distributed.net system, an agent is installed on a machine, and when the screen saver comes on, the agent will download a number of keys and try then. Eventually one of the agents will find the correct key. In this way we have a massively parallel processing system. So for encryption methods such as AES, 3DES, Blowfish, and so on, it seems the limit of cracking a code in a resonable time is 72-bits, so if you are using 128-bit

So, in conclusion:

Humans 1 Computers 0

… oh … I’ll tell you about how computers are fighting back in another blog … and the score will be:

Humans 1 Computers 1

Postscript

If you look at the code I’ve used for the table of encryption keys, you’ll find I use BigIntegers. This is because whole numbers in computer only go up to:

4,294,967,296 (32-bit) or 18,446,744,073,709,551,616 (64-bit)

So if we need to operate on 72-bits, for example, we need a new type of variable, and that is where BigIntegers come in. So we can calculate 2 to the power of 72 as:

4,722,366,482,869,645,213,696

which is a largely large number.

 DES is the standard encryption algorithm used in financial transactions and was first published in 1977.

 This differs from many applications in parallel processing which suffer from interprocess(or) communication