Post quantum encryption question

Chris Rapier rapier at psc.edu
Sat Oct 26 02:42:51 AEDT 2024



On 10/24/24 10:38 PM, Damien Miller wrote:
> On Thu, 24 Oct 2024, Chris Rapier wrote:
> 
>> Have people given thought to the private key encryption methods in light of
>> potential quantum attacks? While the recent paper about breaking 50bit RSA
>> doesn't pose a threat I've been thinking about future harvest now, decrypt
>> later attacks against CC20 and AES. Are there post quantum ciphers that can
>> effectively replace these available or in development? Is the threat still
>> too far off to be a serious concern?
> 
> Grover's search algorithm gives a cryptographically-relevant quantum
> computer a quadratic speedup. This effectively halves the strength,
> as expressed in bits, of symmetric ciphers and (I think) hash algorithms.
> 
> I.e. AES-256 would be "as strong" as AES-128, and AES-128 would be
> reduced to 64-bit equivalent strength. The latter sounds pretty scary
> but AIUI the attacker would need to perform close to 2^64 quantum
> computations to break AES and that's still a huge expenditure.
>

This was my understanding as well but I am, like you, neither a 
cryptographer nor a quantum physicist. That said, this came up and people 
had been asking me about the implications. So I thought I would ask here 
so I don't inadvertently give people bad information. In my world we 
mostly use encryption for authentication and some PHI, PII, and CUI but 
generally not anything that is of long term value that would make sense 
for a harvest/decrypt attack.

Thanks for the insight.


Chris

