I’m not a cryptographer, but we can see what they have to say about it. According to Bruce Schneier in Applied Cryptography (as quoted in ):
One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)
Given that k = 1.38×10-16 erg/K, and that the ambient temperature of the universe is 3.2 K, an ideal computer running at 3.2 K would consume 4.4×10-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.
Now, the annual energy output of our Sun is about 1.21×1041 ergs. This is enough to power about 2.7×1056 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2192. Of course, it wouldn’t have the energy left over to perform any useful calculations with this counter.
But that’s just one star, and a measly one at that. A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
He also wrote, in “Quantum Computing and Cryptography”:
Quantum computers promise to upend a lot of this. Because of the way they work, they excel at the sorts of computations necessary to reverse these one-way functions. For symmetric cryptography, this isn’t too bad. Grover’s algorithm shows that a quantum computer speeds up these attacks to effectively halve the key length. This would mean that a 256-bit key is as strong against a quantum computer as a 128-bit key is against a conventional computer; both are secure for the foreseeable future.
There’s one more future scenario to consider, one that doesn’t require a quantum computer. While there are several mathematical theories that underpin the one-wayness we use in cryptography, proving the validity of those theories is in fact one of the great open problems in computer science. Just as it is possible for a smart cryptographer to find a new trick that makes it easier to break a particular algorithm, we might imagine aliens with sufficient mathematical theory to break all encryption algorithms. To us, today, this is ridiculous. Public-key cryptography is all number theory, and potentially vulnerable to more mathematically inclined aliens. Symmetric cryptography is so much nonlinear muddle, so easy to make more complex, and so easy to increase key length, that this future is unimaginable. Consider an AES variant with a 512-bit block and key size, and 128 rounds. Unless mathematics is fundamentally different than our current understanding, that’ll be secure until computers are made of something other than matter and occupy something other than space.
Ok, so that seems to leave us with a few takeaways:
- Grover’s algorithm effectively halves key lengths. 256-bit keys are effectively as strong as 128-bit keys against quantum computers, while 128-bit keys are effectively as strong as 64-bit keys against quantum computers, and so on.
- In spite of this, Schneier thinks both 256-bit and 128-bit keys are secure for the foreseeable future.
- When we start to consider threats that go even beyond quantum computers (e.g., aliens with advanced mathematics), then he thinks at least 512-bit keys would be secure. (Note that he doesn’t claim this is the minimum; he just provides it as an example of something that would almost certainly be secure even in that scenario.)
So, let’s assume we’re aiming for a 256-bit key size (with the effective strength of a 128-bit key against quantum computers). What kind of passphrase do we need to achieve 256 bits of entropy? According to the “password strength” Wikipedia article, 256 bits of desired passphrase entropy would require either 39 truly random ASCII characters or a truly random 20-word Diceware word list.
Ok, but the original question was whether a 10-12 Dicware word list would be sufficient. So, how much entropy would that get us? According to the same article, a truly random 10-word Diceware word list would provide 128-bits of passphrase entropy. Given that Schneier said that 128-bit keys (effective strength of 64-bit keys against quantum computers) should be secure for the foreseeable future, it appears that the answer to the original question is basically yes.