Use multiple computers for faster brute force

Sure it's possible, but it doesn't really help. The number of possibilities is just too large.

Consider that a 256-bit key has 2256 possible values. That's 12✕1076, or 12 followed by 76 zeroes. If we generously assume that a computer can test a trillion (that's 1012) possible keys a second, and that we have a trillion computers (where will we get them from?) performing the key search, it will take 12✕1076/(1012✕1012) seconds to search the entire keyspace. That's 12✕1052 seconds. As there are only 3,155,760,000 seconds in a century, it will take approximately 4✕1043 centuries to try all possible keys. There's a 50-50 chance that you'll find the key in only half that time.

That's the way encryption is designed. The number of possibilities are just too large to be cracked in time that is interesting for humans.

I did a calculation on this one once. Let's assume AES can only be broken using brute force. Clearly we are going to need a counter, which counts from 0 to 2256-1, and on average it will need to count to 2255. Running this counter takes energy. How much energy does it take?

As it turns out, there is a thermodynamic limit here, Landauer's principle. At a given temperature, there is a minimum amount of energy it can take to set a bit (1 bit of entropy), because if we don't spend that much energy, we can actually decrease the entropy of the system, which is thermodynamically impossible. The energy it takes is kT ln 2, where k is Boltzman's constant (1.38×10−23 J/K) and T is the temperature in kelvin. Obviously we want to do this as affordably as possible, so lets do the calculations at 3 kelvin, which is roughly the temperature of the background radiation of the universe. We can't get any cooler than that without spending more energy to cool the system than we'd have spent on flipping the bits! This pins the energy cost of flipping a bit at 2.87×10−23 J/bit.

Now, how many bit flips do we need? The answer will be a lot, so to keep the energy quantities in human understandable terms, I'd like to simplify the problem. Rather than solving AES-256, let's pretend we were solving AES-192, which only requires counting to 2191. So how many bit flips do we need? If we counted in normal binary, we may need to flip multiple bits per increment of the counter. That's annoying to calculate, so lets pretend we could do this counter with Grey Codes, which only flip one bit per increment.

Incrementing a counter 2191 times, at 2.87×10−23 J/bit yields 9×1034 J. That's a lot of energy. In fact, if I go to one of my favorite Wikipedia pages, Order of Magnitude (energy), we see that the energy emitted by our sun every year is 1.2×1034 J. That's right. Just running the counter that would be at the core of the AES breaking process would take the sum total of nearly a decade of the sun's energetic output. All of it.

Now if we revisit the original AES-256 problem, the energy costs go up by 264. Thus that counter would take 1.6×1054 J. Again, looking at Order of Magnitude (energy), we find that the total visible mass energy in the milky way galaxy is 4×1058 J. Thus, if you were to convert 0.004% of the total mass energy of the galaxy (i.e. converting all of the mass to energy using E=mc2), you could run a counter which could count from 0 to 2255.

This is why one never brute forces a modern crypto algorithm. The amounts of energy called for are literally at the level of "heat death of the universe."

It's not just possible, people have actually done this successfully. But only with very short keys. managed to break a 64bit RC5-encryption in 2002 by using a distributed network of computers. The computers were mostly consumer-grade PCs owned by volunteers who installed a program to crunch keys in the background. This was part of the RSA secret key challenge - a contest by RSA Labs to decrypt messages encrypted with keys far shorter than you would use in the real world.

"After over four years of effort, hundreds of thousands of participants, and millions of cpu-hours of work, has brute forced the key to RSA Security's 64 bit encryption challenge"

  • Source:

They started another project to win the RSA 72-bit challenge in 2003. 13 years later, they are still calculating and have not even tested 4% of the keyspace.

Keep in mind that these are extremely simplified versions of RSA. The recommended key length for RSA-RC5 in the real world is at least 128bit. Every additional bit doubles the computation time, so these distributed approaches are still light-years away from attacking any real-world encryption.