# [dm-crypt] question regarding Sha1 and 512 bit key xts mode

Michael Kjörling michael at kjorling.se
Sat Aug 22 12:04:08 CEST 2015

```On 22 Aug 2015 03:38 +0000, from wurzelsepp1337 at web.de (Heinz):
> If i am not mistaken, a computing power of at least 10^42 FLOPS would be
> needed to effectively go through this area.
> 2^160 / 10^42 FLOPS = 1461501 Seconds = 16 Days to break SHA1, but
> technically we arrive until approximately 10^18 FLOPS or 1 exaFLOP.

This holds only if a full SHA-1 hash computation can be reduced to a
single floating-point operation, which it cannot; hashing a 64-byte
block with SHA-1 takes somewhere around 40,000 integer operations,
plus any applicable memory accesses. For a back-of-the-envelope

Also, it disregards the key derivation iteration, which adds another
several orders of magnitude in practice to converting a LUKS
passphrase into a keyslot key. Add another four or five orders of

So on this hypothetical system that can do 10^42 flops and has similar
something more like 1.6 billion to 16 billion (1.6 × 10^9 to
1.6 × 10^10) days.

To put this in perspective, that's only two orders of magnitude less
than the time elapsed since the Big Bang (13.798 × 10^9 years or
5.04 × 10^12 days).

And 10^42 flops isn't even on the horizon as far as computational
capability is concerned. Some comparison: Wikipedia lists the fastest
single computer as of mid-2013 as having a floating-point performance
of 33.86 petaflops (3.386 × 10^16 flops). You'd need some 2.95 × 10^25
(29,500,000,000,000,000,000,000,000), or something like 10^15 for
every person on Earth, of those computers to get to 10^42 flops. Again
Wikipedia claims that supercomputers are expected to reach one exaflop
(10^18 flops) in 2018; at 10^18 flops, you'd need 10^24 (that's a
measly 1,000,000,000,000,000,000,000,000) such computers to reach
10^42 flops. One manufacturer apparently claims to be able to deliver
a 17.1 exaflop (1.71 × 10^19 flops) computer in 2020; you'd need
5.85 × 10^22 (58,500,000,000,000,000,000,000) such computers to get
10^42 flops, and we currently don't even have _one_.

That's not to say that LUKS is invulnerable, especially in practice.
It does however make it seem likely that an adversary would pick a
different attack. It would be much cheaper, and less obvious, to
install a key logger, or hire some criminals to kidnap and torture
your family until you give up the passphrase.

--
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
```