CTR and OFB block cipher modes and their post-quantum security. Some questions

Question (asked by phantomcraft, score 0):

It's said that quantum computers can break block ciphers with 2^(n/2) queries (where n is the key size).

I read this paper: https://eprint.iacr.org/2016/197

It says that CTR and OFB modes are safe against quantum adversaries.

That left me with doubts.

Can a quantum adversary break a block cipher in CTR/OFB mode with 2^(n/2) queries? Or will the queries be like in classical computing (2^(n/2))?

I have another question.

I have an external HD fully encrypted with the Threefish block cipher in CTR mode with 3 layers of 1024-bit keys. I know that CTR is vulnerable to meet-in-the-middle attacks and that in practice I have only 2049 bits of security (despite the adversary having to store 2^1024 blocks in memory).

In case the security of CTR is 2^n (where n is the key size) in a quantum scenario, will I have 2049 bits of post-quantum security using CTR mode with three 1024-bit keys?

kelalaka (comment): $O(2^{n/2})$ queries for the Grover machine. For 128-bit keys the quantum attack is still problematic, since it is not clear how the $2^{64}$ queries will be handled (consider the setup time). [Just use 256-bit keys and be secure](https://crypto.stackexchange.com/q/76738/18298); in this case one needs $2^{128}$ calls.
kelalaka (comment): Moreover, if you are using CTR mode for disk encryption, you are doing it the way software of 20 years ago did. Check the [Disk Encryption Theory article on Wikipedia](https://en.wikipedia.org/wiki/Disk_encryption_theory). Just use VeraCrypt and be fine?
phantomcraft (comment): @kelalaka Thanks, it answered my question.
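To illustrate kelalaka's point that CTR mode is a poor fit for disk encryption, here is an added example (not from the question, the comments or the answer). It models a disk that encrypts sector i at a fixed counter offset, as CTR-based disk encryption must, and shows that rewriting a sector under the same key reuses the keystream, so anyone holding both ciphertext versions learns the XOR of the old and new plaintexts. HMAC-SHA256 stands in for the block cipher (an assumption so the demo runs with the standard library only); the sector size, key and nonce are constructed values.

```python
import hashlib
import hmac

BLOCK = 32    # output size of the stand-in PRF, in bytes
SECTOR = 64   # constructed sector size for the demo (two PRF blocks)


def keystream(key: bytes, nonce: bytes, start_block: int, length: int) -> bytes:
    """CTR keystream: PRF_key(nonce || counter) for consecutive counter values.

    HMAC-SHA256 stands in for the block cipher (assumption made so the demo
    needs only the standard library); the reuse shown below is a property of
    the mode, not of the PRF or cipher used.
    """
    out = bytearray()
    counter = start_block
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt_sector(key: bytes, nonce: bytes, sector: int, data: bytes) -> bytes:
    """Encrypt (or decrypt; CTR is symmetric) one sector.

    Disk layouts fix the counter start per sector, so the same (key, nonce,
    sector) always produces the same keystream, no matter how often the
    sector is rewritten.
    """
    if len(data) != SECTOR:
        raise ValueError("sector must be exactly SECTOR bytes")
    blocks_per_sector = SECTOR // BLOCK
    ks = keystream(key, nonce, sector * blocks_per_sector, SECTOR)
    return xor_bytes(data, ks)


def rewrite_leak(key: bytes, nonce: bytes, sector: int, old: bytes, new: bytes):
    """Model a sector rewrite. Returns (XOR of the two ciphertext versions,
    XOR of the two plaintexts). Equality means the keystream was reused: an
    observer of both ciphertexts learns old XOR new without the key. A
    tweakable storage mode such as XTS has no keystream and only reveals
    which 16-byte blocks changed."""
    c_old = ctr_encrypt_sector(key, nonce, sector, old)
    c_new = ctr_encrypt_sector(key, nonce, sector, new)
    return xor_bytes(c_old, c_new), xor_bytes(old, new)
```

The same leak occurs with Threefish or AES in place of the stand-in PRF, which is why the Wikipedia article linked above recommends a sector-tweaked mode for storage.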
Answer (score 0):

> I read this paper: https://eprint.iacr.org/2016/197
>
> It says that CTR and OFB modes are safe against quantum adversaries.

You have to understand the attack model that it assumes. It assumes a scenario where the attacker can make quantum entangled queries to the oracle and get entangled responses back; what they show is that, even in that scenario, the attacker does not have any significant advantage over just attacking the underlying block cipher itself [1].

Now, if what you have is disk encryption, and the 'queries' that the attacker is allowed to make are examining the ciphertext (which is made up of classical '0's and '1's), he has no opportunity to attempt such an attack, and so the paper is completely irrelevant to you.


> I have an external HD fully encrypted with Threefish block cipher in CTR mode with 3 layers of 1024-bit keys.

And how do you generate these keys? Unless you generate them completely randomly and store them somewhere perfectly secure, you don't have nearly as much security as you think. For example, if you generate them based on a user-entered password, then you have no more security than what's in the password.


[1]: I feel the need to point out that this attack model feels extremely contrived; we literally do not know how to make an implementation that would allow such an attack.

phantomcraft (comment): I create my keys by using this little program: https://github.com/sandy-harris/maxwell -- I just use it in "paranoid mode", which concentrates entropy in a single 1024-bit key; I trust it.