Dustin Moody from NIST: “you don’t need more than 128 bits of symmetric keys for post-quantum security” #rwc2026

Say it louder, for the people in the back!

@filippo
noob question: doesn't Grover's algorithm make some attacks on 128-bit symmetric keys possible in 2^64 operations?
@wolf480pl @filippo yes, but you need to do 2^64 quantum operations, which is a lot slower than 2^64 classical operations, and Grover's algorithm doesn't parallelise well.
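
The parallelisation point in the reply above, as an added example that is not part of the thread: a small state-vector simulation of Grover search over a toy 12-bit key space (the key size, the machine count and the function names `grover_peak` and `parallel_cost` are assumptions made for illustration). Splitting the key space across 16 machines cuts the sequential quantum iterations only by about 4 (the square root of 16) and raises total quantum work, while classical brute force gets the full 16x.

```python
import math

def grover_peak(n_items, marked=0):
    """Simulate Grover search over n_items with one marked item.
    Returns (iterations until the success probability first peaks, that probability)."""
    amp = [1 / math.sqrt(n_items)] * n_items      # uniform superposition
    best_p, t = amp[marked] ** 2, 0
    while True:
        amp[marked] = -amp[marked]                # oracle: flip the marked amplitude
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]         # diffusion: inversion about the mean
        p = amp[marked] ** 2
        if p < best_p:                            # past the peak: more iterations hurt
            return t, best_p
        best_p, t = p, t + 1

def parallel_cost(key_bits, machines):
    """Cost of searching a 2**key_bits key space split evenly across `machines`.
    The simulated partition is the one that actually contains the key."""
    per_machine = 2 ** key_bits // machines
    depth, success = grover_peak(per_machine)
    return {
        "quantum_depth": depth,                   # sequential Grover iterations per machine
        "quantum_total": depth * machines,        # iterations summed over all machines
        "classical_depth": per_machine,           # worst-case classical trials per machine
        "success": success,
    }

if __name__ == "__main__":
    for m in (1, 16):
        print(m, "machine(s):", parallel_cost(12, m))
```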