0

Grover, a quantum algorithm, weakens AES and ChaCha20. Is it possible to use multiple symmetric keys to encrypt a message multiple times to achieve 256-bit security for quantum computers?

Flan1335
  • 361
  • 2
  • 6
  • 3
    And why do you think that you need 256 bit security for Quantum Computers? – poncho Feb 21 '23 at 14:40
  • Kyber1024 provides 256-bit security, but symmetric key ciphers only provides 128-bit security, it's unfair. To be fair, it must ensure that symmetric key encryption provides the same security level as Kyber1024. – Flan1335 Feb 23 '23 at 06:33
  • Kyber1024 is generally believed to be "NIST level 5"; and that is defined as "as strong as AES-256". Hence, if you insist on something with approximately the same security level, you can just use AES-256 – poncho Feb 23 '23 at 13:31
  • https://www.ambit.inc/pdf/KyberDrive.pdf This research says: "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (coreSVP hardness). It is a NIST Level 5 security level." "Not all modes of AES are post-quantum secure." Therefore, Kyber1024 is much more secure than AES256 for quantum computers, but has similar security for classical computers. – Flan1335 Mar 17 '23 at 12:32

1 Answers1

1

As mentioned in a comment, 256-bit quantum security is overkill. Even AES-128 is unlikely to be broken by a quantum computer, as discussed here. Briefly: Grover's algorithm is the best possible; it doesn't parallelize efficiently; and it's unlikely that quantum computers will reach similar clock speeds as classical computers.

But assume you're really paranoid and want 256-bit quantum security anyway, so you'll need 512-bit classical security. You could either design a new 512-bit symmetric cipher, or use a composition of 256-bit symmetric ciphers. A similar situation had to be considered a few decades ago, when DES was standardized but AES didn't exist yet, and it became clear that 56 bits was within reach of motivated attackers, as concretely demonstrated by the EFF DES Cracker and distributed.net.

It turns out that, somewhat counterintuitively, double-DES does not have $2 \times 56 = 112$-bit security, but rather 57-bit security due to a very simple meet-in-the-middle attack. To achieve 112-bit security, triple-DES was required, and indeed was used in practice.

So, if you really want 512-bit classical security, you'd have to use triple-AES. In principle you could use only 2 different keys (although still using 3 chained encryption/decryption operations), but there exist attacks on that scenario, so for the truly paranoid, you'll have to use 3 different keys. Thus, a total of 768 bits of key material to achieve 512-bit classical security and 256-bit quantum security.

swineone
  • 623
  • 4
  • 15
  • I'm pretty sure double AES is enough for 256 bits of quantum security. The double DES meet in the middle attack isn't practical for an attack against AES 256 since it would require roughly 2^256 bits of storage while the best estimates for the world's hard drive capacity is a bit hard to pin down, but almost certainly under 2^100 bits. – Oscar Smith Feb 21 '23 at 18:30
  • 1
    By that logic, and given the arguments about Grover's algorithm, 256-bit single AES is effectively unbreakable, so whether to use double or triple AES is a moot point. If someone is that worried about a quantum attack to 256-bit AES, the extra 50% execution time to go from double to triple AES is certainly warranted. – swineone Feb 21 '23 at 19:28
  • How secure is quadruple AES? – Flan1335 Feb 27 '23 at 04:57
  • @Flan1335 I'll answer if you give me one reasonable argument for going beyond 512-bit classical security. – swineone Feb 27 '23 at 05:19
  • Bruce schneier found classical attack method https://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html to reduce the security with classical computers, can quantum computers borrow that attack method? If it's possible with quantum computers, it may need several AES keys. – Flan1335 Mar 11 '23 at 08:06
  • Generally you cannot just take a solution using classical computing, magically apply a quantum computer to any subtask and then have quantum supremacy. You'd have to prove the combined solution to be a break. As the biclique attacks hardly speed up anything by itself it's unlikely that any attack will be more efficient than Grover (and even if it would, it would probably not constitute a practical attack). But without any other input it's like saying "hey, there could be another attack" and while that's true, it seems more likely in this case that there isn't... – Maarten Bodewes Mar 12 '23 at 00:18
  • https://www.ambit.inc/pdf/KyberDrive.pdf This research says: "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (coreSVP hardness)." So Kyber1024 is much more secure than 256-bit AES for quantum computers, where 256-bit AES has at most 128-bit security for quantum computers. – Flan1335 Mar 17 '23 at 12:36
  • @Flan1335 usually there's some structure to the plaintext. Maybe it's ASCII characters only, or there's some kind of header/magic number. That way you can filter the decryptions that resulted in the expected structure, throwing away the majority of invalid keys. With a few plaintexts and some structure, it should be possible to narrow it down to a single valid key. – swineone Apr 06 '23 at 14:10
  • @Flan1335 looks like you have a lot of questions that are unrelated to the original question. You should ask new questions instead of polluting the comments section of an unrelated one. – swineone Apr 13 '23 at 15:11
  • Please only ask for clarifications. Asking additional questions in comments is not allowed and there is certainly no onus on the answerer to also answer additional questions. – Maarten Bodewes Apr 16 '23 at 16:35