On Thu, 24 Oct 2024, Chris Rapier wrote:

> Have people given thought to the private key encryption methods in light of
> potential quantum attacks? While the recent paper about breaking 50bit RSA
> doesn't pose a threat I've been thinking about future harvest now, decrypt
> later attacks against CC20 and AES. Are there post quantum ciphers that can
> effectively replace these available or in development? Is the threat still
> too far off to be a serious concern?

Grover's search algorithm gives a cryptographically-relevant quantum computer a quadratic speedup. This effectively halves the strength, as expressed in bits, of symmetric ciphers and (I think) hash algorithms. I.e. AES-256 would be "as strong" as AES-128, and AES-128 would be reduced to 64-bit equivalent strength.

The latter sounds pretty scary but AIUI the attacker would need to perform close to 2^64 quantum computations to break AES and that's still a huge expenditure.

There's no analogous store-now-decrypt-later situation for signature schemes in SSH. The closest concern is long-lived signing keys that would be troublesome to rotate before a QC becomes available. There's not many of these in the SSH ecosystem, but examples could include hardware security devices (smartcards, tokens, TPMs, HSMs) and, to a lesser extent, CA keys.

-d

Disclaimer: I'm neither a cryptographer nor a quantum physicist.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev