
It's said that quantum computers can break block ciphers with 2^(n/2) queries (where n is the key size).

I read this paper: https://eprint.iacr.org/2016/197

It says that CTR and OFB modes are safe against quantum adversaries.

That left me with doubts.

Can a quantum adversary break a block cipher in CTR/OFB mode with 2^(n/2) queries? Or will the queries be like classical computing (2^(n/2))?

I have another question.

I have an external HD fully encrypted with the Threefish block cipher in CTR mode with 3 layers of 1024-bit keys. I know that CTR is vulnerable to meet-in-the-middle attacks and that in practice I have only 2049 bits of security (despite the adversary having to store 2^1024 blocks in memory).

In case the security of CTR is 2^n (where n is the key size) in a quantum scenario, will I have 2049 bits of post-quantum security using CTR mode with three 1024-bit keys?

phantomcraft

1 Answer


I read this paper: https://eprint.iacr.org/2016/197

It says that CTR and OFB modes are safe against quantum adversaries.

You have to understand the attack model that paper assumes. It assumes a scenario where the attacker can make quantum entangled queries to the oracle and get entangled responses back; what they show is that, even in that scenario, the attacker does not have any significant advantage over just attacking the underlying block cipher itself [1].

Now, if what you have is disk encryption, and the 'queries' the attacker is allowed to make consist of examining the ciphertext (which is made up of classical '0's and '1's), he has no opportunity to attempt such an attack, and so the paper is completely irrelevant to you.


I have an external HD fully encrypted with Threefish block cipher in CTR mode with 3 layers of 1024-bit keys.

And how do you generate these keys? Unless you generate them completely randomly, and store them somewhere perfectly secure, you don't have nearly as much security as you think. For example, if you generate them based on a user-entered password, then you have no more security than what's in the password.


[1]: I feel the need to point out that this attack model feels extremely contrived; we literally do not know how to make an implementation that would allow such an attack.

poncho
I create my keys by using this little program: https://github.com/sandy-harris/maxwell -- I just use it in "paranoid mode", which concentrates entropy in a single 1024-bit key; I trust it. – phantomcraft Dec 17 '21 at 22:18