[Cryptography] quantum computers & crypto

Jerry Leichter leichter at lrw.com
Fri Nov 5 22:07:04 EDT 2021 

> ...One limitation is the lack of any standard  symmetric cipher with keys stronger than 256 bits. For a long time 256 bits seemed to provide a safety margin far beyond what is needed, but the prospect of quantum computers reduces the long term security to an equivalent of 128-bit conventional security. In addition we have seen the security of past ciphers and hashes slowly erode through intricate attacks on their algorithms, so we should never assume their security matches the nominal strength of their key length. Down the road, there is at least a possibility that AI-assisted mathematical analysis might find deeper vulnerabilities. 
> 
> I would like to call attention to an alternative: the Rijndael cipher scheduled with Keccak, specifically AES-256 with the AES key schedule replaced by cSHAKE256. This has been proposed in:
> 
>   "Towards post-quantum symmetric cryptography,” John Gregory Underhill and Stiepan Aurélien Kovac, and Xenia Bogomolec,  https://eprint.iacr.org/2019/553.pdf
> 
> AES consists of two parts: a cipher algorithm that uses an extended key and a key scheduling algorithm that produces the extended key from the primary key, the later ranging in size from 128 to 256 bits. In the case of AES-256, the primary key is 256 bits, while the extended key consists of 15 round keys, each being four 32-bit words (15 is the number of rounds plus one). Underhill, et. al., recommend increasing the AES round count, but I would stick with the standard AES round count so that the cipher part of the AES specification is unchanged....
This kind of thing requires *great* care.  We went through it with DES, and discovered that it's really, really hard to safely extend the key length.  In fact, as I recall it was shown that DES with no key scheduling at all - but rather a key as long as the entire schedule - was actually no stronger than DES.

The paper you mention may well have considered this; I haven't looked at it.  But beware of "obvious" improvements to algorithms.  They often aren't improvements at all.
                                                        -- Jerry

More information about the cryptography mailing list