6

We know that Grover's algorithm can speed up cracking symmetric keys. Basically the keyspace is halved. This means we have to use at least a 256-bit key (to get 128-bit security).

I heard somewhere it also has an effect on the block size (so we should use 256-bit blocks instead of 128)!

Is that true?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
mary
  • 1,031
  • 3
  • 11
  • 13
  • 3
  • I don't see that paper mentioning Rijndael with 256 bit blocks at all. It talks about AES with 128 bit blocks. AES-256 has a 256 bit key and 128 bit blocks. 2) Summarizing the paper as "AES-256 is not secure" is highly misleading. Related key attacks are irrelevant for pretty much every protocol that uses AES. 3) "Grover [...] cracking symmetric keys 2x faster" That's wrong too. A 2x speedup would be completely harmless. Grover halves the effective key-length, which is an exponential speedup.
    • – CodesInChaos Jan 04 '13 at 09:29
  • @CodesInChaos so AES 264 don't have that problem ? (the main question is about protocol now not key size) – mary Jan 04 '13 at 13:57
  • 1
    What do you mean by "protocol size"? – CodesInChaos Jan 04 '13 at 18:34
  • 3
    Mary. I edited the title to use "block size" instead of "protocol size". Please check that this is actually what you mean, otherwise please edit your question again to clarify it. – Paŭlo Ebermann Jan 04 '13 at 19:15
  • @mary I think it is time you should accept a few answers, read the FAQ if you don't know how or when. – Maarten Bodewes Jan 05 '13 at 18:15