Post quantum encryption question
Damien Miller
djm at mindrot.org
Fri Oct 25 13:38:17 AEDT 2024
On Thu, 24 Oct 2024, Chris Rapier wrote:
> Have people given thought to the private key encryption methods in light of
> potential quantum attacks? While the recent paper about breaking 50bit RSA
> doesn't pose a threat I've been thinking about future harvest now, decrypt
> later attacks against CC20 and AES. Are there post quantum ciphers that can
> effectively replace these available or in development? Is the threat still
> too far off to be a serious concern?
Grover's search algorithm gives a cryptographically-relevant quantum
computer a quadratic speedup. This effectively halves the strength,
as expessed in bits, of symmetric ciphers and (I think) hash algorithms.
I.e. AES-256 would be "as strong" as AES-128, and AES-128 would be
reduced to 64-bit equivalent strength. The latter sounds pretty scary
but AIUI the attacker would need to perform close to 2^64 quantum
computations to break AES and that's still a huge expenditure.
There's no analogous store-now-decrypt-later situation for signature
schemes in SSH. The closest concern is long-lived signing keys that
would be troublesome to rotate before a QC becomes available. There's
not many of these in the SSH ecosystem, but examples could include
hardware security devices (smartcards, tokens, TPMs, HSMs) and, to
a lesser extent, CA keys.
-d
Disclaimer: I'm neither a cryptographer nor a quantum physicist.
More information about the openssh-unix-dev
mailing list