Join Log in
Score:0
Flan1335 avatar Crypto

Do multiple keys mitigate Grover algorithm?

tc flag
Flan1335

Grover, a quantum algorithm, weakens AES and ChaCha20. Is it possible to use multiple symmetric keys to encrypt a message multiple times to achieve 256-bit security for quantum computers?

125
1 + 4
aes
poncho avatar
my flag
poncho
And why do you think that you need 256 bit security for Quantum Computers?
3
Reply
Flan1335 avatar
tc flag
Flan1335
Kyber1024 provides 256-bit security, but symmetric key ciphers only provides 128-bit security, it's unfair. To be fair, it must ensure that symmetric key encryption provides the same security level as Kyber1024.
0
Reply
poncho avatar
my flag
poncho
Kyber1024 is generally believed to be "NIST level 5"; and that is defined as "as strong as AES-256". Hence, if you insist on something with approximately the same security level, you can just use AES-256
0
Reply
Flan1335 avatar
tc flag
Flan1335
https://www.ambit.inc/pdf/KyberDrive.pdf This research says: "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (coreSVP hardness). It is a NIST Level 5 security level." "Not all modes of AES are post-quantum secure." Therefore, Kyber1024 is much more secure than AES256 for quantum computers, but has similar security for classical computers.
0
Reply
Score:1
swineone avatar Crypto
ru flag
swineone

As mentioned in a comment, 256-bit quantum security is overkill. Even AES-128 is unlikely to be broken by a quantum computer, as discussed here. Briefly: Grover's algorithm is the best possible; it doesn't parallelize efficiently; and it's unlikely that quantum computers will reach similar clock speeds as classical computers.

But assume you're really paranoid and want 256-bit quantum security anyway, so you'll need 512-bit classical security. You could either design a new 512-bit symmetric cipher, or use a composition of 256-bit symmetric ciphers. A similar situation had to be considered a few decades ago, when DES was standardized but AES didn't exist yet, and it became clear that 56 bits was within reach of motivated attackers, as concretely demonstrated by the EFF DES Cracker and distributed.net.

It turns out that, somewhat counterintuitively, double-DES does not have $2 \times 56 = 112$-bit security, but rather 57-bit security due to a very simple meet-in-the-middle attack. To achieve 112-bit security, triple-DES was required, and indeed was used in practice.

So, if you really want 512-bit classical security, you'd have to use triple-AES. In principle you could use only 2 different keys (although still using 3 chained encryption/decryption operations), but there exist attacks on that scenario, so for the truly paranoid, you'll have to use 3 different keys. Thus, a total of 768 bits of key material to achieve 512-bit classical security and 256-bit quantum security.

+ 10
Oscar Smith avatar
bd flag
Oscar Smith
I'm pretty sure double AES is enough for 256 bits of quantum security. The double DES meet in the middle attack isn't practical for an attack against AES 256 since it would require roughly 2^256 bits of storage while the best estimates for the world's hard drive capacity is a bit hard to pin down, but almost certainly under 2^100 bits.
0
Reply
swineone avatar
ru flag
swineone
By that logic, and given the arguments about Grover's algorithm, 256-bit single AES is effectively unbreakable, so whether to use double or triple AES is a moot point. If someone is that worried about a quantum attack to 256-bit AES, the extra 50% execution time to go from double to triple AES is certainly warranted.
1
Reply
Flan1335 avatar
tc flag
Flan1335
How secure is quadruple AES?
0
Reply
swineone avatar
ru flag
swineone
@Flan1335 I'll answer if you give me one reasonable argument for going beyond 512-bit classical security.
0
Reply
Flan1335 avatar
tc flag
Flan1335
Bruce schneier found classical attack method https://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html to reduce the security with classical computers, can quantum computers borrow that attack method? If it's possible with quantum computers, it may need several AES keys.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Generally you cannot just take a solution using classical computing, magically apply a quantum computer to any subtask and then have quantum supremacy. You'd have to prove the combined solution to be a break. As the biclique attacks hardly speed up anything by itself it's unlikely that any attack will be more efficient than Grover (and even if it would, it would probably not constitute a practical attack). But without any other input it's like saying "hey, there could be another attack" and while that's true, it seems more likely in this case that there isn't...
0
Reply
Flan1335 avatar
tc flag
Flan1335
https://www.ambit.inc/pdf/KyberDrive.pdf This research says: "Kyber-1024 is known to have 254 bits of classical security and 230 bits of quantum security (coreSVP hardness)." So Kyber1024 is much more secure than 256-bit AES for quantum computers, where 256-bit AES has at most 128-bit security for quantum computers.
0
Reply
swineone avatar
ru flag
swineone
@Flan1335 usually there's some structure to the plaintext. Maybe it's ASCII characters only, or there's some kind of header/magic number. That way you can filter the decryptions that resulted in the expected structure, throwing away the majority of invalid keys. With a few plaintexts and some structure, it should be possible to narrow it down to a single valid key.
0
Reply
swineone avatar
ru flag
swineone
@Flan1335 looks like you have a lot of questions that are unrelated to the original question. You should ask new questions instead of polluting the comments section of an unrelated one.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Please only ask for clarifications. Asking additional questions in comments is not allowed and there is certainly no onus on the answerer to also answer additional questions.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.