How secure is 256 bit security?


In the main video on cryptocurrencies, I made two references to situations where, in order to break a given piece of security, you would have to guess a specific string of 256 bits. One of these was in the context of digital signatures and the other in the context of a cryptographic hash function. For example, if you want to find a message whose SHA-256 hash is some specific string of 256 bits, you have no better method than to just guess and check random messages, and this would require, on average, 2^256 guesses. Now this is a number so far removed from anything that we ever deal with that it can be hard to appreciate its size. But let’s give it a try. 2^256 is the same as 2^32, multiplied by itself 8 times. Now what’s nice about that split is that 2^32 is 4 billion. Which is at least a number we can think about, right? It’s the kind of thing you might see in a headline. So what we need to do is appreciate what multiplying 4 billion times itself 8 successive times really feels like. As many of you know the GPU on your computer can let you run a whole bunch of computations in parallel incredibly quickly. So if you were to specially program a GPU to run a cryptographic hash function over and over, a really good one might be able to do a little less than a billion hashes per second. Let’s say that you just take a bunch of those and cram your computer full of extra GPUs so that your computer can run 4 billion hashes per second. So the first 4 billion here is going to represent the number of hashes per second per computer. Now, picture four billion of these GPU-packed computers. For comparison, even though Google does not at all make their number of servers public, estimates have it somewhere in the single-digit millions. In reality, most of those servers are going to be much less powerful than our imagined GPU-packed machine. But let’s say Google replaced all of its millions of servers with a machine like this. Then four billion machines would mean about a thousand copies of this souped-up Google. Let’s call that one KiloGoogle worth of computing power. There’s about 7.3 billion people on Earth, so next imagine giving a little over half of every individual on Earth their own personal KiloGoogle. Now, imagine four billion copies of this Earth. For comparison, the Milky Way has somewhere between 100 and 400 billion stars. We don’t really know, but the estimates tend to be in that range. So this would be akin to a full 1% of every star in the galaxy, having a copy of Earth, where half the people on that Earth have their own personal KiloGoogle. Next, try to imagine 4 billion copies of the Milky Way. And we’re going to call this your GigaGalactic Super Computer, running about 2^160 guesses every second. Now four billion seconds? That’s about 126.8 years. Four billion of those? Well, That’s 507 billion years, which is about 37 times the age of the universe. So even if you were to have your GPU-packed KiloGoogle per person multiplanetary GigaGalactic computer guessing numbers for 37 times the age of the universe, it would still only have a 1 in 4 billion chance of finding the correct guess. By the way, the state of Bitcoin hashing these days is that all of the miners put together guess-and-check at a rate of about five billion billion hashes per second. That corresponds to one-third of what I just described as a KiloGoogle. This is not because there are actually billions of GPU-packed machines out there, but because miners actually use something that’s about a thousand times better than a GPU – Application Specific Integrated Circuits. These are pieces of hardware specifically designed for Bitcoin mining, for running a bunch of SHA-256 hashes and nothing else. Turns out, there’s a lot of efficiency gains to be had when you throw out the need for general computation, and design your integrated circuits for one and only one task. Also, on the topic of large powers of two that I personally find it hard to get my mind around, this channel recently surpassed 2^18 subscribers, and to engage a little more with some sub-portion of those 2^18 people, I’m going to do a Q&A session. I’ve left a link in the description to a Reddit thread where you can post questions and upload the ones you want to hear answers to, and probably in the next video or on Twitter or something like that, I’ll announce the format in which I’d like to give answers. See you then.

100 thoughts on “How secure is 256 bit security?”

  1. Yes and no. No one in their right mind attacks a cipher from the actual hashed key. They will attack the cipher itself or the faulty hash algorithms on the side and so on.

  2. Thanks for sharing this sense of scale! It's amazing to think about how large the numbers we are able to represent actually are. すごい!

  3. At 0:34, don't you mean it would require, on average, 2^255 guesses, not 2^256, which is the same as saying (2^256) / 2?

  4. And now imagine your password.
    > password123
    being hashed using sha256.
    Now, that is going to be cracked within 5 seconds on my old phone.

  5. I know it’s a old video now, but it would be awesome if you could explain the different algorithms and how they work or differentiate from each other like X11 (DASH) and Equihash (BTG) or Blake or what not 😁

    (I already posted this on the main video, bit i hope it will get recognized if i post it more often😅)

  6. that shit ain't secure, there's collisions, loopholes, compressions, backdoor extractions.

  7. The decryption would actually take 2^255 guesses on average.
    2^256 guesses is the worst case scenario because there are 2^256 possibilities!

  8. brute force is the last resort of the ignorant. probably easier to devise a turing oracle and quicker in the long run.
    very scary to think that the best thing we have in security is a race against time to find a better computer.

  9. All of SHA softwares on market including bitlocker are either using unsafe key storing method, able to be hacked when software is running or even backdoor-planted. So for safetest solution for your company, build a encrypting software by yourself. Or it's like 30kg Titianium lock on a wooden door.

  10. I once saw an argument based on energy rather than speed that followed this very general outline:

    Suppose you had a computer that operated at absolute maximum theoretical efficiency, so that there was no way it could possibly use less energy to flip a bit from zero to one, or one to zero. Suppose that's all this computer did: flip a single bit from one to zero and back again, over and over. (No counting: that's too complicated, reserved for a future version of the system. Certainly no complicated hashing or other common brute-force crypto-attack techniques: this is just a prototype.) Suppose you put this computer in the most naturally-cold place in the universe, to maximize its efficiency. (Don't want to spend energy on cooling, only on bit-flipping.)

    Now suppose you could capture the entire energy output of a standard-size supernova, and feed this energy into your super-cold bit-flipper–assuming the existence of whatever energy-storage technology would be necessary to spread out the energy consumption over whatever time interval the bit-flipper required.

    A supernova's worth of energy would be enough to power the bit-flipper through about 2^192 bit flips; which means you'd need to feed in 2^64 supernovas to get all the way up to 2^256. So that's version 0.1. By version 1.0, you'd need an actual crypto-attack algorithm, rather than just bit flipping, where each of the 2^256 attempts would require hundreds of thousands or maybe millions of bit flips. But..first things first.

    So I probably have the numbers wrong, and perhaps some of the details as well…but that was the overall shape of the argument. I'd love to see you do a video on the real argument with actual numbers.

  11. I love this video.
    However, it's misleading to say, as is commonly said, "no better way" to find the answer is to guess randomly. The reason this is misleading involves a pretty cool concept: posterior probability. Lacking this concept leads to insane energy waste. It would be interesting to hear you tackle this concept.

  12. How would you know if you got the correct code? I guess you have to try every possible combination by entering it as a the password on the website. Is that going to happen?

  13. Why the hell is this description translated by translator to polish? I'm polish and I totally can't understand a shit. Please turn this disabled feature off.

  14. The problem with these kinds of videos is they don't really describe a realistic scenario. Most importantly, they neglect to explain the fact that security is only as strong as the weakest link.
    Sure, if you find a random hash and the only information you have about it is the hash function and the fact that the input was 256 bits, then yes you have 2^256 possibilities. However, in reality that is rarely the case when the user is involved. If the 256bits are a 32 character/byte long password, then an assumption of 96 options per byte is not too unrealistic. It represents roughly all printable characters in 7 bit ASCII. This reduces the complexity by about 40 000 billion. So instead of a 4 billionth chance after 37 times the age of the universe, you have a roughly 400 000th chance after 126.8 years. It is of course, still a ridicules large amount of effort. If we throw in the ASICs, we can of course slice the number by 1000 and end up with 1/400th chance. Still an impractical amount of effort given galaxies of super computers.

    Now lets assume that we know that this password is from someone a little bit more stupid and unaware. Lets say the password is only lower case a-z. This gives 26 options per byte and thus 26^32 options in total. This is still 256 bits into the hash function, but we know the complexity of the input is far lower. In fact, it reduces the complexity by about 6*10^31 or 60 000 billion billion billion. In other words, the giga galactic super computer has a roughly 1/900th chance of solving this every second. If we throw in ASICs, it should solve this every second even at worst case. Still ridiculously impractical, but also very far away from what this video describes. However, if we start stripping out more complexity, say reducing the input down to 12 characters, each with 26 options, we are left with a complexity of 26^12, roughly 95 million billion or something a single computer with ASICs could solve within 47 days at worst. Still 256 bit security, but knowing the true complexity means it's solvable.

  15. Why would the average number of guesses be 2^256? Isn't the the maximum number of guesses you would have to make?

  16. I'm Italian, we solve problems in other ways… For example you just have to put a false information at the beginning of the blockchain to create a disaster… That's something to think about, not the security of the data sent. My opinion

  17. i used to program radios with AES 256 bit encryption, i couldnt do the math then but i realized it's virtually impossible especially when keys are changed at least daily

  18. Good theory, but you don't explain all the factors of pen testing, 256 is somewhat secure, but if you know a certain way someone codes or their theories of math, and you account for those factors, I'm sure you can severely cutdown the time for a brute force hack, not to mention looking for random data sets, that you know would be in the message, i.e you know who it's addressed to. That's how they broke the enigma machine. Not everything is boiled down to a math formula x = y2.

  19. No matter how many "kilogoogles" you have, the server you are trying to crack would be instantly ddosed by all these tries to find the correct password.

  20. Can't we use a quantum computer to explore all 2^32 possibilities in one 'quantum step', for example, once Google bristlecone is quilt?

  21. Olá, meu comentário é em português, em meu país tem um jogo de loteria que você pode ganhar um prêmio em dinheiro se acertar 6 números entre 01-60, a chance disso é 1:50 milhões numa aposta simples de 6 números, se isso for convertido em bits seria aproximadamente 25,57545 bits de criptografia q a pessoa teria uma chance de acertar, ou seja algo surreal e difícil.

  22. My personal favorite "big number" is the number of atoms in the universe – about 10^80 (Wikipedia), or 2^83. Molecules vibrate at 10^13 .. 10a^14 Hz – call it 2^17. So, if every atom did one guess-and-check every time it twitched, you'd still need 2^156 seconds – about 2^40 years, which is 250 times the age of the universe.

  23. 2100, quantum computers era. A power of a galaxy of kilogoogle computers in your hands, as a gift in laundry detergent.

  24. 3 blue 1 brown always comes In clutch with the visualizations. This reminds of combinatorial explosion, and how often it comes up in real world problems, it would be interesting to see you make a video going into depth on this topic.

Leave a Reply

Your email address will not be published. Required fields are marked *