Article 756W5 Contrary to Popular Superstition, AES 128 is Just Fine in a Post


by janrinok from SoylentNews on (#756W5)

"Fnord666" writes:

A stubborn misconception is hampering the already hard work of quantum readiness:

With growing focus on the existential threat quantum computing poses to some of the most crucial and widely used forms of encryption, cryptography engineer Filippo Valsorda wants to make one thing absolutely clear: Contrary to popular mythology that refuses to die, AES 128 is perfectly fine in a post-quantum world.

AES 128 is the most widely used variety of the Advanced Encryption Standard, a block cipher suite formally adopted by NIST in 2001. While the specification allows 192- and 256-bit key sizes, AES 128 was widely considered to be the preferred one because it meets the sweet spot between computational resources required to use it and the security it offers. With no known vulnerabilities in its 30-year history, a brute-force attack is the only known way to break it. With 2^128 or 3.4 x 10^38 possible key combinations, such an attack would take about 9 billion years using the entire Bitcoin mining resources as of 2026.

Over the past decade, something interesting happened to all that public confidence. Amateur cryptographers and mathematicians twisted a series of equations known as Grover's algorithm to declare the death of AES 128 once a cryptographically relevant quantum computer (CRQC) came into being. They said a CRQC would halve the effective strength to just 2^64, a small enough supply that, if true, would allow the same Bitcoin mining resources to brute force it in less than a second (the comparison is purely for illustration purposes; a CRQC almost certainly couldn't run like clusters of Bitcoin ASICs and more importantly couldn't parallelize the workload as the amateurs assume).

On Monday Valsorda finally channelled years' worth of frustration fueled by the widely held misunderstanding into a blog post titled Quantum Computers Are Not a Threat to 128-bit Symmetric Keys.

"There's a common misconception that quantum computers will 'halve' the security of symmetric keys, requiring 256-bit keys for 128 bits of security," he wrote. "That is not an accurate interpretation of the speedup offered by quantum algorithms, it's not reflected in any compliance mandate, and risks diverting energy and attention from actually necessary post-quantum transition work."

That's the easy part of the argument. The much harder part is the math and physics that explains it. At its highest level it comes down to a fundamental difference in the way a brute-force search works on classical computers versus the way it works using Grover's algorithm. Classical computers can perform multiple searches simultaneously, a capability that allows large tasks to be broken into smaller pieces to complete the overall job faster. Grover's algorithm, by contrast, requires a long-running serial computation, where each search is done one at a time.
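The parallelism point above is the crux of the argument, so here is an added cost model (not from the article or from Valsorda's post) that puts it in numbers. It compares a classical brute-force search, whose wall-clock time falls linearly with the number of machines, against Grover's search, where splitting the key space over p quantum computers only shortens the serial iteration count by a factor of sqrt(p). The trial rate and per-iteration time are constructed assumptions, labelled as such, chosen only to make the scaling visible.

```python
import math

# Constructed assumptions for illustration only (not figures from the article):
ASSUMED_CLASSICAL_RATE = 1.0e21     # key trials per second for one large classical cluster
ASSUMED_GROVER_ITER_SECONDS = 1.0e-6  # seconds for one serial Grover iteration (one AES oracle call)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_years(key_bits: int, rate_per_sec: float, machines: int = 1) -> float:
    """Expected years to brute-force a key classically.

    On average half the key space must be tried, and the work splits evenly
    across independent machines, so time falls linearly with `machines`.
    """
    expected_trials = 2 ** key_bits / 2
    return expected_trials / (rate_per_sec * machines) / SECONDS_PER_YEAR


def grover_iterations(key_bits: int, machines: int = 1) -> float:
    """Serial Grover iterations needed on each of `machines` quantum computers.

    Each machine searches its own slice of N = 2**key_bits keys. Grover needs
    about (pi/4) * sqrt(N / machines) iterations per machine, and the iterations
    on one machine cannot be parallelised: each one depends on the previous.
    """
    keys_per_machine = 2 ** key_bits / machines
    return (math.pi / 4) * math.sqrt(keys_per_machine)


def grover_years(key_bits: int, iter_seconds: float, machines: int = 1) -> float:
    """Wall-clock years for a Grover search, given the serial time per iteration."""
    return grover_iterations(key_bits, machines) * iter_seconds / SECONDS_PER_YEAR


def grover_parallel_speedup(key_bits: int, machines: int) -> float:
    """Ratio of one-machine to `machines`-machine Grover time: sqrt(machines),
    versus a factor of `machines` for the classical search."""
    return grover_iterations(key_bits, 1) / grover_iterations(key_bits, machines)


if __name__ == "__main__":
    for p in (1, 1_000, 1_000_000):
        print(f"{p:>9} machines: classical {classical_years(128, ASSUMED_CLASSICAL_RATE, p):.3g} y, "
              f"Grover {grover_years(128, ASSUMED_GROVER_ITER_SECONDS, p):.3g} y "
              f"(Grover speedup x{grover_parallel_speedup(128, p):.0f})")
```

Under these assumptions a million quantum machines buy only a thousand-fold reduction in Grover's wall-clock time, which is why the "2^64 operations, cracked in a second" comparison does not follow from the algorithm's actual structure.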

Read more of this story at SoylentNews.
