Dustin Moody from NIST: “you don’t need more than 128 bits of symmetric keys for post-quantum security” #rwc2026

Say it louder, for the people in the back!

@filippo
noob question: doesn't Grover's algorithm make some attacks on 128-bit symmetric keys possible in 2^64 operations?

@wolf480pl @filippo there's a nice slide deck by Samuel Jaques from CHES 2024 giving insights on Grover's algorithm for this case:
https://ches.iacr.org/2024/Jaques_CHES_2024.pdf

From my understanding, the big-O sqrt speedup basically hides big constants that result in practical limitations, which makes an effort of 2^64 not achievable.

@asante
that's a nice slide deck indeed, thank you!

@filippo
@wolf480pl @filippo yes, but you need to do 2^64 quantum operations, which are a lot slower than 2^64 classical operations, and Grover's algorithm doesn't parallelise well.
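As an added example (not part of the thread and not taken from the slide deck), the following Python script makes the two points in the last replies concrete. Part 1 simulates Grover's algorithm exactly on a classical state vector for a small key space, which shows that the speedup is (π/4)·√N strictly sequential iterations, and that running more iterations than that overshoots and lowers the success probability. Part 2 does the bookkeeping for a 128-bit key: splitting the key space across P machines only divides the sequential depth by √P while multiplying total work by √P, whereas classical brute force splits perfectly; and even at an assumed, deliberately optimistic 1 ns per Grover iteration, a single 2^64-depth run takes centuries. The per-iteration time and the target key are assumptions for illustration, and nothing here models the real constant factors of running AES as a quantum circuit.

```python
"""Grover cost arithmetic behind the thread above (added example, not from the thread).

Part 1 simulates Grover's algorithm exactly on a classical state vector for a
small key space, to show the ~(pi/4)*sqrt(N) *sequential* iteration count.
Part 2 does the cost bookkeeping for a real 128-bit key: how parallelism and
an ASSUMED per-iteration time translate into total work and wall-clock time.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def grover_success_probability(n_bits: int, target: int, iterations: int) -> float:
    """Exact state-vector simulation of Grover search over N = 2**n_bits keys.

    Each iteration applies the oracle (phase-flip the target's amplitude) and
    the diffusion operator 2|s><s| - I (reflect every amplitude about the mean).
    Returns the probability of measuring `target` after `iterations` steps.
    Only feasible for small n_bits; the point is the iteration count, not speed.
    """
    n = 1 << n_bits
    amp = [1.0 / math.sqrt(n)] * n            # uniform superposition |s>
    for _ in range(iterations):
        amp[target] = -amp[target]            # oracle: mark the key we want
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]   # diffusion: inversion about the mean
    return amp[target] ** 2


def optimal_iterations(n_bits: int) -> int:
    """Iterations that maximise success probability, ~ (pi/4) * sqrt(N).

    These iterations are inherently sequential: each one needs the output of
    the previous one, which is what "doesn't parallelise well" refers to.
    """
    return int(math.floor(math.pi / 4 * math.sqrt(2 ** n_bits)))


def grover_cost_log2(key_bits: int, machines: int) -> dict:
    """log2 of Grover oracle-call counts for a key_bits-bit key on P machines.

    Each machine searches N/P keys and needs ~(pi/4)*sqrt(N/P) sequential
    iterations. Total work across machines is therefore P*sqrt(N/P) = sqrt(N*P):
    P-fold hardware buys only a sqrt(P) reduction in depth, while classical
    brute force splits perfectly (N/2 expected trials, N/(2P) per machine).
    """
    n = 2.0 ** key_bits
    per_machine = math.pi / 4 * math.sqrt(n / machines)
    return {
        "sequential_iterations": math.log2(per_machine),
        "total_iterations": math.log2(per_machine * machines),
        "classical_per_machine": math.log2(n / 2 / machines),
    }


def grover_wallclock_years(key_bits: int, machines: int, seconds_per_iteration: float) -> float:
    """Wall-clock years for the sequential Grover depth at an ASSUMED per-iteration time.

    seconds_per_iteration is a pure assumption for illustration: one iteration
    evaluates the cipher inside the quantum computer (with error correction)
    and then applies diffusion; nothing here models those real constant factors.
    """
    depth = 2.0 ** grover_cost_log2(key_bits, machines)["sequential_iterations"]
    return depth * seconds_per_iteration / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Part 1: N = 2**10 keys, constructed (assumed) target key 0x309
    k = optimal_iterations(10)
    print(f"N=2^10: optimal iterations = {k}, "
          f"P(success) = {grover_success_probability(10, 0x309, k):.4f}, "
          f"P(success) at 2k = {grover_success_probability(10, 0x309, 2 * k):.4f}")
    # Part 2: AES-128-sized key, with and without a million machines
    for p in (1, 2 ** 20):
        c = grover_cost_log2(128, p)
        print(f"P=2^{int(math.log2(p))}: depth 2^{c['sequential_iterations']:.2f}, "
              f"total 2^{c['total_iterations']:.2f}, "
              f"classical per machine 2^{c['classical_per_machine']:.2f}")
    # Assumed 1 ns per iteration (optimistic), single machine
    print(f"years at 1 ns/iteration, P=1: {grover_wallclock_years(128, 1, 1e-9):.0f}")
```

Running it shows 25 iterations suffice for N = 2^10 (success above 99.9%) but 50 iterations fall back below 1%, that a million machines cut the 128-bit depth from about 2^63.65 to 2^53.65 while raising total work to about 2^73.65, and that the single-machine run at the assumed 1 ns per iteration lasts roughly 460 years.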