On 10/24/24 10:38 PM, Damien Miller wrote:
> On Thu, 24 Oct 2024, Chris Rapier wrote:
> > Have people given thought to the private key encryption methods in light of
> > potential quantum attacks? While the recent paper about breaking 50bit RSA
> > doesn't pose a threat I've been thinking about future harvest now, decrypt
> > later attacks against CC20 and AES. Are there post quantum ciphers that can
> > effectively replace these available or in development? Is the threat still
> > too far off to be a serious concern?
> Grover's search algorithm gives a cryptographically-relevant quantum
> computer a quadratic speedup. This effectively halves the strength,
> as expressed in bits, of symmetric ciphers and (I think) hash algorithms.
> I.e. AES-256 would be "as strong" as AES-128, and AES-128 would be
> reduced to 64-bit equivalent strength. The latter sounds pretty scary
> but AIUI the attacker would need to perform close to 2^64 quantum
> computations to break AES and that's still a huge expenditure.
This was my understanding as well but I am, like you, neither a
cryptographer nor a quantum physicist. That said, this came up and people
had been asking me about the implications. So I thought I would ask here
so I don't inadvertently give people bad information. In my world we
mostly use encryption for authentication and some PHI, PII, and CUI but
generally not anything that is of long term value that would make sense
for a harvest/decrypt attack.
Thanks for the insight.
Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev