[Cryptography] quantum computers & crypto

Jerry Leichter leichter at lrw.com
Wed Nov 3 18:12:00 EDT 2021

> Another way to state the same thing is that a symmetric cipher with key of N bits is N/2-bits quantum-safe. This is because they're only vulnerable to Grover's algorithm, which is the quantum search algorithm.
> So yeah, if you (e.g.) use AES-256, it's got quantum security of 128 bits.
BTW, to the limited degree I understand this, it's a *really* worst-case estimate.  To actually get the speedup, you need an oracle that can tell you if you've "guessed right."  To be useful, the oracle has to itself be implemented as a quantum computation - i.e., on a mixed state:  If you first measure, then use a classical implementation of the oracle (i.e., you first measure, then try out the key you get using a classical implementation of AES), you've lost your advantage.

Exactly what searches allow you to construct such an oracle is a very non-trivial question.  I don't think we know if it's possible for AES.  If it is possible, it could well require a huge number of quantum gates - i.e., the naive approach would be to essentially replicate a classical implementation using quantum gates, but that's so far beyond anything we can imagine doing today as to not be worth worrying about.  Of course there might be a better approach; I don't believe we know.
                                                        -- Jerry

More information about the cryptography mailing list