[Cryptography] quantum computers & crypto

Ray Dillinger bear at sonic.net
Tue Nov 2 18:40:19 EDT 2021

On 11/1/21 8:18 PM, Ron Garret wrote:
> On Nov 1, 2021, at 2:11 AM, Stephan Neuhaus <stephan.neuhaus at zhaw.ch> wrote:
> This is a case of doing the right thing for the wrong reasons.  QC is only a threat to public-key encryption (and specifically, only to PKE based on group exponentiation and discrete logarithms, which in practical terms means elliptic curves and RSA), not hashes or symmetric encryption.  Of course, there are weak hashes (MD5, SHA1) and weak symmetric encryption schemes (RC4) and modes (ECB) but these have nothing to do with QC.

I don't think that's quite right.  As I understand it there are reasons
to believe most symmetric crypto that's safe from conventional attacks
with key length N is equally safe from QC attacks with key length 2N.
So where the longer key-lengths are just twice the length of a
"reasonable" pre-QC key, we can call them "reasonable" post-QC keys.
Assuming your opponent has fully working Quantum Computers on the same
scale as their conventional computers, which is a whole lot to assume.
Even given that very pessimistic assumption however, there's no reason,
AFAIK, to *more* than double key lengths.
