Dustin Moody from NIST: “you don’t need more than 128 bits of symmetric keys for post-quantum security” #rwc2026

Say it louder, for the people in the back!

@filippo Now, if they could only get their government colleagues at the NSA who wrote guidelines for large parts of that same government to agree, and ideally also convince them that SLH-DSA and SHA3 aren't the devil and hybrids are good, then we could probably start making some progress.
@filippo noob question: doesn't Grover's algorithm make some attacks on 128-bit symmetric keys possible in 2^64 operations?

@wolf480pl @filippo there's a nice slide deck by Samuel Jaques from CHES 2024 giving insights on Grover's algorithm for this case:
https://ches.iacr.org/2024/Jaques_CHES_2024.pdf

From my understanding, the big-O sqrt speed-up basically hides big constants that result in practical limitations, which means an effort of 2^64 is not actually achievable.

@asante that's a nice slide deck indeed, thank you!

@wolf480pl @filippo yes, but you need to do 2^64 quantum operations, which is a lot slower than 2^64 classical operations, and Grover's algorithm doesn't parallelise well.
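As an added illustration of the two replies above (example code written for this page, not from anyone in the thread): a tiny classical statevector simulation of Grover's algorithm on a toy key space, which shows that finding the marked key takes about (pi/4)*sqrt(N) sequential oracle calls, plus a simplified cost model for spreading the search over p machines, where the total work grows as sqrt(N*p) instead of staying at N as it does for classical brute force. The function names, the toy key 0xA5 and the model's assumptions (unit cost per oracle call, no error-correction overhead) are my own constructions.

```python
import math


def grover_iterations(n_bits):
    """Optimal number of Grover iterations for a 2^n_bits search space:
    floor(pi/4 * sqrt(N)). For a 128-bit key this is about 2^64 sequential steps."""
    n = 2 ** n_bits
    return math.floor(math.pi / 4 * math.sqrt(n))


def grover_search(n_bits, target, iterations=None):
    """Classical statevector simulation of Grover search for one marked key.

    Only feasible for tiny n_bits (the state holds 2^n_bits amplitudes), which is
    the point: it lets us watch the sqrt(N) behaviour directly.
    Returns (most likely key, probability of measuring `target`, iterations used).
    """
    n = 2 ** n_bits
    if iterations is None:
        iterations = grover_iterations(n_bits)
    amp = [1.0 / math.sqrt(n)] * n          # uniform superposition over all keys
    for _ in range(iterations):
        amp[target] = -amp[target]           # oracle: phase-flip the correct key
        mean = sum(amp) / n
        amp = [2.0 * mean - a for a in amp]  # diffusion: inversion about the mean
    probs = [a * a for a in amp]
    best = max(range(n), key=probs.__getitem__)
    return best, probs[target], iterations


def parallel_grover_cost(key_bits, machines):
    """Simplified cost model (assumption: unit cost per oracle call, no QEC overhead)
    for splitting a key space of 2^key_bits across `machines` Grover instances.
    Each instance searches N/p keys in ~sqrt(N/p) sequential steps, so the total
    work is p * sqrt(N/p) = sqrt(N * p): adding machines shortens the depth only
    by sqrt(p) and increases the total work, unlike classical brute force.
    Returns (log2 of per-machine depth, log2 of total work)."""
    n = 2 ** key_bits
    depth = math.sqrt(n / machines)
    total = machines * depth
    return math.log2(depth), math.log2(total)


def classical_cost(key_bits, machines):
    """Same accounting for classical brute force: depth N/p, total work N."""
    n = 2 ** key_bits
    return math.log2(n / machines), math.log2(n)


if __name__ == "__main__":
    best, p, k = grover_search(8, target=0xA5)   # 0xA5 is a constructed toy key
    print(f"8-bit toy key: {k} iterations, best guess {best:#04x}, P(correct)={p:.4f}")
    for p_machines in (1, 2 ** 20, 2 ** 40):
        d, t = parallel_grover_cost(128, p_machines)
        print(f"128-bit key on 2^{int(math.log2(p_machines))} machines: "
              f"depth 2^{d:.0f}, total work 2^{t:.0f}")
```

Running it shows the 8-bit toy search succeeding with near certainty after 12 iterations (floor(pi/4 * 16)), and that a 128-bit key searched on 2^20 machines still needs 2^54 sequential quantum steps per machine while the total work rises to 2^74, which is the "doesn't parallelise well" point in concrete numbers.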
@filippo I really need to get that internal document through publication approval…
@filippo or you do need more, but the AES block length doesn't make it very sensible. Who knows, it's time for a successor anyway if there are only 9 years left.
@filippo IIRC it was at RWC 2017 that NIST presented their PQC contest and some quantum computer people were telling me that all the fundamental challenges were solved and it was now just an engineering problem that within 10 years would produce something useful. 9 years later I’m glad to see we still have at least 9 more years.