[Cryptography] quantum computers & crypto

Jon Callas jon at callas.org
Wed Nov 3 15:37:38 EDT 2021

> On Nov 3, 2021, at 12:07, cherry <cherry at cpal.pw> wrote:
> since ChaCha and Salsa are based on irreversible operations, quantum calculations just do not work on them, and the same is doubtless true for many other symmetric encryption protocols.  They should be completely unaffected.
> Some symmetric encryption algorithms will be affected.  I don't understand AES well enough to say whether it will be affected or not.

Those of us who do expect that the best quantum attack on AES is Grover's algorithm and that AES-256 provides 128-quantum-bit security.

If a symmetric cipher is constructed in a way that it would have quantum breaks, it almost certainly has classical breaks, too. By break, I mean something other than brute force; you can think of Grover's algorithm as quantum brute force. The quantum speedup is the halving of key size.
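
To make the "Grover is quantum brute force" point concrete, here is an added example (mine, not from the thread): a plain-Python statevector simulation of Grover's search over a toy keyspace, where the oracle is a hypothetical key-test that marks the single correct key, together with the query count that gives the key-size halving. It assumes exactly one valid key and key sizes small enough to simulate.

```python
import math


def grover_search(n_bits: int, secret_key: int):
    """Simulate Grover's algorithm on an n_bits-bit keyspace.

    The oracle models a known-plaintext key test (hypothetical): it
    phase-flips the amplitude of exactly one correct key. Returns
    (probability of measuring secret_key, number of oracle queries).
    """
    N = 1 << n_bits
    assert 0 <= secret_key < N
    # Start in a uniform superposition over all N candidate keys.
    amp = [1.0 / math.sqrt(N)] * N
    # Optimal iteration count scales as sqrt(N), not N: the quadratic speedup.
    iterations = int(math.floor(math.pi / 4 * math.sqrt(N)))
    for _ in range(iterations):
        # Oracle: mark the correct key with a sign flip (one query).
        amp[secret_key] = -amp[secret_key]
        # Diffusion (2|s><s| - I): reflect every amplitude about the mean,
        # which amplifies the marked key and shrinks the rest.
        mean = sum(amp) / N
        amp = [2 * mean - a for a in amp]
    return amp[secret_key] ** 2, iterations


def classical_queries(key_bits: int) -> int:
    """Worst-case classical brute force: try every key."""
    return 1 << key_bits


def grover_queries(key_bits: int) -> int:
    """Grover oracle queries for a key_bits-bit key, ~ (pi/4) * 2^(k/2)."""
    return int(math.floor(math.pi / 4 * 2 ** (key_bits / 2)))


def grover_effective_bits(key_bits: int) -> float:
    """log2 of the Grover query count: a k-bit key gives about k/2 bits
    of security against a quantum brute-force search."""
    return math.log2(grover_queries(key_bits))


if __name__ == "__main__":
    prob, queries = grover_search(8, 0xA5)  # constructed 8-bit toy key
    print(f"8-bit key: {queries} oracle queries, P(correct) = {prob:.5f}")
    print(f"AES-256 under Grover: ~2^{grover_effective_bits(256):.1f} queries")
```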