[Cryptography] quantum computers & crypto
Jon Callas
jon at callas.org
Wed Nov 3 02:45:15 EDT 2021
> On Nov 2, 2021, at 15:40, Ray Dillinger <bear at sonic.net> wrote:
>
>
[...]
> ... As I understand it there are reasons
> to believe most symmetric crypto that's safe from conventional attacks
> with key length N is equally safe from QC attacks with key length 2N.
> So where the longer key-lengths are just twice the length of a
> "reasonable" pre-QC key, we can call them "reasonable" post-QC keys.
> Assuming your opponent has fully working Quantum Computers on the same
> scale as their conventional computers, which is a whole lot to assume.
> Even given that very pessimistic assumption however, there's no reason,
> AFAIK, to *more* than double key lengths.
Another way to state the same thing is that a symmetric cipher with a key of N bits is N/2-bits quantum-safe. This is because they're only vulnerable to Grover's algorithm, which is the quantum search algorithm.
So yeah, if you (e.g.) use AES-256, it's got quantum security of 128 bits.
Jon
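The Grover argument above, worked through as an added example (not part of the thread): a toy Grover search over a tiny key space shows the query count growing like sqrt(2**N), which is where the "N/2 bits" figure comes from. The oracle is a constructed stand-in that simply recognises the secret key; the cipher itself is not modelled.

```python
"""
Toy simulation of Grover's search over a small key space, pure Python.
Illustrates why an N-bit symmetric key gives roughly N/2 bits of security
against a quantum adversary: the search needs on the order of
sqrt(2**N) = 2**(N/2) oracle queries instead of 2**N.
Added example, not from the original thread; the oracle is a stand-in.
"""
import math


def grover_search(n_bits, secret_key):
    """Run Grover's algorithm on a uniform superposition over 2**n_bits keys.

    Returns (most_likely_key, its_probability, iterations_used).
    """
    size = 1 << n_bits
    # Uniform superposition: every candidate key has amplitude 1/sqrt(size).
    amp = [1.0 / math.sqrt(size)] * size
    # Optimal iteration count is about (pi/4) * sqrt(size): the quadratic speedup.
    iterations = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(iterations):
        # Oracle: flip the sign of the amplitude of the key that "decrypts" correctly.
        amp[secret_key] = -amp[secret_key]
        # Diffusion (inversion about the mean): boosts the marked amplitude.
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]
    probs = [a * a for a in amp]
    best = max(range(size), key=probs.__getitem__)
    return best, probs[best], iterations


def classical_expected_queries(n_bits):
    """Classical brute force: on average half the key space must be tried."""
    return (1 << n_bits) // 2


if __name__ == "__main__":
    for n in (4, 8):
        key = (0xB5 >> (8 - n)) & ((1 << n) - 1)  # constructed secret key
        found, p, iters = grover_search(n, key)
        print(f"{n}-bit key: Grover used {iters} oracle calls (classical ~{classical_expected_queries(n)}), "
              f"found {found:#x} with probability {p:.3f} (secret {key:#x})")
```

Doubling the key length from 128 to 256 bits restores 128 bits of effective security under this model, which is the point made in the quoted text.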