Below are table of various projects that can completely exhaust n-bits of keyspace. In other words, counting completely and fully from 0 to 2ⁿ-1.
This Gist implies no discussion about how this is relevant to quantum computing using Grover's algorithm, meet-in-the-middle or birthday attacks, or anything of the like. It's strictly a Gist about raw speed, measuring the result in bits.
If you know of other noteworthy and verifiable brute force searching projects, please reach out to me on Mastodon, and reference this Gist.
This is a table of the fastest rates collected from the rest of the tables below.
| Project | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|
| Bitcoin Mining | 68.787 | 80.600 | 85.185 | 87.993 | 90.108 | 93.698 |
| 448x 2080 GPUs | 44.855 | 56.669 | 61.254 | 64.061 | 66.181 | 69.765 |
| RC5-72 | 39.589 | 51.402 | 55.987 | 58.795 | 60.915 | 64.500 |
| 8x 1080 GPUs | 38.900 | 50.714 | 55.299 | 58.107 | 60.226 | 63.811 |
| RTX 4090 GPU | 38.070 | 49.884 | 54.469 | 57.276 | 59.396 | 62.981 |
| AES-NI | 35.528 | 47.341 | 51.927 | 54.734 | 56.853 | 60.438 |
| macOS M3 Pro | 33.181 | 44.995 | 49.580 | 52.387 | 54.503 | 58.093 |
| ThinkPad T480s | 31.616 | 37.522 | 48.014 | 50.822 | 52.941 | 56.526 |
Using the rates above, how long would it take to fully exhaust 128 bits? Note: human life will probably be extinct in about 1 billion years.
| Project | Years |
|---|---|
| Bitcoin Mining | 21.180 billion |
| 448x 2080 GPUs | 339.220 quadrillion |
| RC5-72 | 13.044 quintillion |
| 8x 1080 GPUs | 21.029 quintillion |
| RTX 4090 GPU | 37.383 quintillion |
| AES-NI | 217.866 quintillion |
| macOS M3 Pro | 1.107 sextillion |
| ThinkPad T480s | 3.280 sextillion |
This is my personal laptop running dd(1) on /dev/urandom. It's mimicking
getting data of various byte sizes, simulating key generation from 16 bytes
(128 bits) up to 8 kilobytes (64 kilobits).
I am running a Lenovo T480s ThinkPad with Linux kernel 5.16.11 on an Intel Core
i7-8650U CPU @ 1.90GHz with Debian Sid. nordrand is set as a kernel argument
during boot for performance.
Similar results could be run on your system with:
$ bs=16 # byte size
$ dd if=/dev/urandom of=/dev/null bs="$bs" count="$((1073741824/${bs}))"
The "Bytes/sec." column is calculated by taking 1073741824 divided by the
duration it took to execute provided by the dd(1) output. After 8192 bytes,
the speeds are comparable, and don't provide much value to practical
cryptographic key creation.
| Byte size | Bytes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| 16 | 23321021.85405 | 27.475 | 39.288 | 43.874 | 46.681 | 48.801 | 52.386 |
| 32 | 46515958.46347 | 28.471 | 40.285 | 44.870 | 47.677 | 49.797 | 53.382 |
| 64 | 77907868.40997 | 29.215 | 41.029 | 45.614 | 48.421 | 50.541 | 54.126 |
| 128 | 132566938.20203 | 29.982 | 41.795 | 46.381 | 49.188 | 51.308 | 54.893 |
| 256 | 201689001.92533 | 30.588 | 42.401 | 46.986 | 49.794 | 51.913 | 55.498 |
| 512 | 270003501.33399 | 31.008 | 42.822 | 47.407 | 50.215 | 52.334 | 55.919 |
| 1024 | 336830591.82252 | 31.327 | 43.141 | 47.726 | 50.534 | 52.653 | 56.238 |
| 2048 | 377437526.45158 | 31.492 | 43.305 | 47.890 | 50.698 | 52.817 | 56.402 |
| 4096 | 399127886.93861 | 31.572 | 43.386 | 47.971 | 50.778 | 52.898 | 56.483 |
| 8192 | 411277151.77631 | 31.616 | 43.429 | 48.014 | 50.822 | 52.941 | 56.526 |
I asked on Mastodon if people could benchmark dd(1) on /dev/urandom
with a updated macOS on modern hardware. I got several replies with Intel, M1,
M2, and M3 chipsets. This result was the fastest I saw. Note that macOS
uses Fortuna with SHA-256. The M1 & M2 chipsets have hardware acceleration for
SHA-1 and SHA-2, and the M3 chipset also has hardware acceleration for SHA-3.
This is why you see the 3x speedup over Linux with ChaCha20.
Note, I did not get the performance differences for the different byte sizes as with my Debian laptop above. Also, only 1 GB of data off the CSPRNG was collected.
| Byte size | Bytes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| 1048576 | 1217886594 | 33.181 | 44.995 | 49.580 | 52.387 | 54.503 | 58.093 |
On my same laptop, I was curious just how fast hardware AES performed. Because I'm benchmarking, I want the fastest speed possible, which translates into the fewest cycles per byte on the CPU. ECB mode (which technically isn't a "mode", but a lack of one), although insecure, will yield the least overhead, and AES-128 uses fewer rounds than AES-192 and AES-256.
I'm running the following command on an Intel Core i7-8650U CPU @ 1.90GHz on Debian Sid:
$ openssl speed -evp aes-128-ecb
Here are the results:
| Byte size | Bytes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| 16 | 831310660 | 32.631 | 44.444 | 49.030 | 51.837 | 53.956 | 57.541 |
| 64 | 3423201320 | 34.673 | 46.486 | 51.071 | 53.879 | 56.998 | 59.583 |
| 256 | 5718308180 | 35.413 | 47.226 | 51.812 | 54.619 | 56.738 | 60.323 |
| 1024 | 6032474450 | 35.490 | 47.303 | 51.889 | 54.696 | 56.816 | 60.401 |
| 8192 | 6170443780 | 35.523 | 47.336 | 51.921 | 54.729 | 56.848 | 60.433 |
| 16384 | 6192305490 | 35.528 | 47.341 | 51.927 | 54.734 | 56.853 | 60.438 |
For 10 years, from 1997 to 2007, RSA Laboratories a challenge with a $10,000 reward as a public contest to crack ciphertexts with various key lengths.
Distributed.net successfully won the 56-bit and 64-bit challenges, and as of 3 December 2002, they have been actively working on cracking the 72-bit challenge, even though RSA Laboratories is no longer offering the $10,000 prize money for the correct solution.
| Date | Keys/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| 2011-04-06 | 282736729198 | 38.041 | 49.854 | 54.439 | 57.247 | 59.366 | 62.951 |
| 2013-03-08 | 402073129546 | 38.549 | 50.362 | 54.947 | 57.755 | 59.874 | 63.459 |
| 2014-08-18 | 419558906162 | 38.610 | 50.424 | 55.009 | 57.816 | 59.936 | 63.521 |
| 2015-02-09 | 428689137710 | 38.641 | 50.455 | 55.040 | 57.847 | 59.967 | 63.552 |
| 2016-01-15 | 443066834327 | 38.689 | 50.503 | 55.087 | 57.895 | 60.014 | 63.599 |
| 2017-02-23 | 465986309732 | 38.761 | 50.575 | 55.160 | 57.968 | 60.087 | 63.672 |
| 2018-01-25 | 502782030887 | 38.871 | 50.685 | 55.270 | 58.077 | 60.197 | 63.782 |
| 2019-04-03 | 519406064549 | 38.918 | 50.732 | 55.317 | 58.124 | 60.244 | 63.829 |
| 2020-04-22 | 562850644945 | 39.034 | 50.848 | 55.433 | 58.240 | 60.359 | 63.944 |
| 2021-05-01 | 621580914650 | 39.177 | 50.991 | 55.576 | 58.383 | 60.503 | 64.088 |
| 2022-03-24 | 658904889057 | 39.261 | 51.075 | 55.660 | 58.467 | 60.586 | 64.171 |
| 2023-04-07 | 730968072837 | 39.411 | 51.224 | 55.809 | 58.617 | 60.737 | 64.322 |
| 2024-04-12 | 827057140528 | 39.589 | 51.402 | 55.987 | 58.795 | 60.915 | 64.500 |
Jeremi Gosney, a professional password cracker, posted a Gist showing what 8x Nvidia GTX 1080 Ti GPUs could do with Hashcat 3.5. The Gist covers every algorithm Hashcat supports, and the results for each GPU as well as the combined results.
Below is a table of only a few selected algorithms.
| Algorithm | Hashes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| bcrypt | 184.8E3 | 17.496 | 29.309 | 33.894 | 36.702 | 38.821 | 42.406 |
| sha512crypt | 1.8491E6 | 20.818 | 32.632 | 37.217 | 40.024 | 42.144 | 45.729 |
| md5crypt | 128.4E6 | 26.936 | 38.750 | 43.335 | 46.142 | 48.262 | 51.847 |
| descrypt | 11.4142E9 | 33.410 | 45.224 | 49.809 | 52.616 | 54.736 | 58.321 |
| SHA-512 | 13.0433E9 | 33.603 | 45.416 | 50.001 | 52.809 | 54.928 | 58.513 |
| SHA-256 | 39.2694E9 | 35.193 | 47.006 | 51.591 | 54.399 | 56.518 | 60.103 |
| SHA-1 | 101.3E9 | 36.560 | 48.374 | 52.959 | 55.766 | 57.885 | 61.470 |
| MD5 | 307.2E9 | 38.160 | 49.974 | 54.559 | 57.366 | 59.486 | 63.071 |
| NTLM | 513.1E9 | 38.900 | 50.714 | 55.299 | 58.107 | 60.226 | 63.811 |
Jeremi Gosney later produced a Tweet from his company TeraHash, showing what 448x Nvidia RTX 2080 GPUs could do with password cracking. He also tweeted that this GPU cluster cost a cool $1.4 million USD.
Below are the same selected algorithms as above with his 8x GPU cluster.
| Algorithm | Hashes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| bcrypt | 11.37E6 | 23.439 | 35.253 | 39.837 | 42.645 | 44.764 | 48.349 |
| sha512crypt | 119.46E6 | 26.832 | 38.646 | 43.231 | 46.038 | 48.157 | 51.742 |
| md5crypt | 7.61E9 | 32.825 | 44.639 | 49.224 | 52.031 | 54.151 | 57.736 |
| descrypt | 647.59E9 | 39.236 | 51.050 | 55.635 | 58.442 | 60.562 | 64.147 |
| SHA-512 | 801.9E9 | 39.545 | 51.358 | 55.943 | 58.751 | 60.870 | 64.455 |
| SHA-256 | 2.42E12 | 41.138 | 52.952 | 57.537 | 60.344 | 62.464 | 66.049 |
| SHA-1 | 5.89E12 | 42.421 | 54.235 | 58.820 | 61.628 | 63.747 | 67.332 |
| MD5 | 17.77E12 | 44.015 | 55.828 | 60.413 | 63.221 | 65.340 | 68.925 |
| NTLM | 31.82E12 | 44.855 | 56.669 | 61.254 | 64.061 | 66.181 | 69.765 |
Sam Croley, core developer of Hashcat, released Hashcat benchmarks of the NVIDIA GeForce RTX 4090 GPU. This GPU is twice as fast as the RTX 3090, which in turn is twice as fast as the RTX 2080 above. This means 112 RTX 4090 GPUs can do the same work as 448 RTX 2080 GPUs. As of 2022, this GPU cost $1500.
Below are the same selected algorithms as above with this GPU:
| Algorithm | Hashes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| bcrypt | 184.0E3 | 17.489 | 29.303 | 33.888 | 36.695 | 38.816 | 42.401 |
| sha512crypt | 1.1796E6 | 20.170 | 31.984 | 36.569 | 39.376 | 41.496 | 45.081 |
| md5crypt | 6.12838E6 | 25.869 | 37.683 | 42.268 | 45.075 | 47.196 | 50.780 |
| descrypt | 6.2766E9 | 32.547 | 44.361 | 48.946 | 51.753 | 53.874 | 57.459 |
| SHA-512 | 7.4834E9 | 32.801 | 44.615 | 49.200 | 52.007 | 54.128 | 57.713 |
| SHA-256 | 21.9755E9 | 34.355 | 46.169 | 50.754 | 53.561 | 55.682 | 59.267 |
| SHA-1 | 50.6387E9 | 35.560 | 47.373 | 51.958 | 54.766 | 56.886 | 60.471 |
| MD5 | 164.1E9 | 37.256 | 49.070 | 53.655 | 56.462 | 58.582 | 62.167 |
| NTLM | 288.5E9 | 38.070 | 49.884 | 54.469 | 57.276 | 59.396 | 62.981 |
Bitcoin mining is arguably the strongest verifiable distributed cluster doing a brute force search using double SHA-256 hashing to find valid Bitcoin. I know of no other project that can be verified that has a stronger brute force strength than this, even though we could make sound educated guesses on the sort of computing power the NSA or GCHQ could put together with their annual budget.
Sourced from Blockchain's hash rate.
| Date | Hashes/sec. | 2ⁿ/sec. | 2ⁿ/hr. | 2ⁿ/day | 2ⁿ/wk. | 2ⁿ/mo. | 2ⁿ/yr. |
|---|---|---|---|---|---|---|---|
| 2009-01-03 | 4.9710E4 | 15.601 | 27.415 | 32.000 | 34.807 | 36.927 | 40.512 |
| 2010-01-01 | 6.9975E6 | 22.738 | 34.552 | 39.137 | 41.945 | 44.064 | 47.649 |
| 2011-01-02 | 1.2960E11 | 36.915 | 48.729 | 53.314 | 56.121 | 58.241 | 61.826 |
| 2012-01-03 | 9.3410E12 | 43.087 | 54.900 | 59.485 | 62.293 | 64.412 | 67.997 |
| 2013-01-03 | 2.3699E13 | 44.430 | 56.244 | 60.829 | 63.636 | 65.755 | 69.340 |
| 2014-01-01 | 1.1741E16 | 53.382 | 65.196 | 69.781 | 72.589 | 74.708 | 78.293 |
| 2015-01-02 | 3.2324E17 | 58.165 | 69.979 | 74.564 | 77.371 | 79.491 | 83.076 |
| 2016-01-03 | 7.6942E17 | 59.417 | 71.230 | 75.815 | 78.623 | 80.742 | 84.327 |
| 2017-01-03 | 2.5899E18 | 61.168 | 72.981 | 77.566 | 80.374 | 82.493 | 86.078 |
| 2018-01-01 | 1.4976E19 | 63.699 | 75.513 | 80.098 | 82.905 | 85.025 | 88.610 |
| 2019-01-02 | 4.2175E19 | 65.193 | 77.007 | 81.592 | 84.399 | 86.519 | 90.104 |
| 2020-01-01 | 1.1935E20 | 66.694 | 78.508 | 83.093 | 85.900 | 88.019 | 91.604 |
| 2021-01-05 | 1.5995E20 | 67.116 | 78.930 | 83.515 | 86.322 | 88.442 | 92.027 |
| 2021-12-31 | 2.0753E20 | 67.491 | 79.305 | 83.890 | 86.697 | 88.817 | 92.402 |
| 2023-01-01 | 2.5666E20 | 67.798 | 79.612 | 84.197 | 87.004 | 89.124 | 92.709 |
| 2024-01-03 | 5.0930E20 | 68.787 | 80.600 | 85.185 | 87.993 | 90.108 | 93.698 |