
Quantum Computers Are Not a Threat to 128-Bit Symmetric Keys

This technical deep dive dispels the widely held belief that quantum computers will "halve" the security of 128-bit symmetric keys, like AES-128. The author meticulously explains why Grover's algorithm doesn't parallelize effectively enough to pose a practical threat, backed by strong expert consensus from NIST and BSI. It forcefully argues against unnecessary symmetric key changes, emphasizing that focusing efforts on the truly vulnerable asymmetric cryptography transition is paramount.

Score: 23
Comments: 4
Highest Rank: #9
On Front Page: 16h
First Seen: Apr 20, 7:00 PM
Last Seen: Apr 21, 10:00 AM
Rank Over Time: (chart)

The Lowdown

The article rigorously debunks the widespread misconception that quantum computers will "halve" the security of 128-bit symmetric keys, such as AES-128, requiring a move to 256-bit keys for equivalent post-quantum security. It asserts that this belief stems from a misunderstanding of how Grover's algorithm, the primary quantum threat to symmetric cryptography, operates and scales in practice.

  • Grover's Algorithm Explained: While Grover's offers a theoretical quadratic speedup for searching unstructured databases, its practical application to symmetric key brute force is far more complex.
  • Parallelization Pitfalls: Unlike classical brute force, Grover's algorithm loses much of its quantum advantage when parallelized. Its iterations must run serially within each instance, and splitting the search space across many instances dilutes the speedup each one gets, so the total work goes up.
  • Impractical Resource Requirements: Quantitative analysis shows that breaking AES-128 with Grover's would demand an astronomical 140 trillion quantum circuits, each with 724 logical qubits, operating continuously for a decade. This makes it orders of magnitude (2^78.5) more expensive than breaking 256-bit elliptic curves with Shor's algorithm.
  • Unified Expert Stance: Both the U.S. National Institute of Standards and Technology (NIST) and the German Federal Office for Information Security (BSI) explicitly concur. NIST uses AES-128 as a benchmark for post-quantum security and highlights the MAXDEPTH concept that limits Grover's practicality. BSI's recommendations also confirm AES-128, AES-192, and AES-256 as secure.
  • Strategic Resource Allocation: The author argues against "switching anyway just to be safe" for symmetric keys. Such unnecessary transitions introduce costly churn, complexity, and divert crucial resources from the genuinely urgent task of replacing quantum-vulnerable asymmetric cryptography.
  • CNSA 2.0 Context: Even compliance regimes like CNSA 2.0, which mandate a 256-bit "security level," implicitly acknowledge Grover's limitations by accepting AES-256 (not a non-existent AES-512), affirming that a 2x key length isn't needed.

In conclusion, the article provides a strong, data-backed argument that 128-bit symmetric keys are robust against known quantum computing threats, urging the cybersecurity community to concentrate its post-quantum efforts where they are truly needed: on asymmetric cryptography.
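As an added example, not from the article or the discussion: a small Python model of two of the points above, the serial depth cap (NIST's MAXDEPTH) and the cost of parallelizing Grover's search. It works in log2 units and assumes, as a simplification, unit depth per Grover iteration while ignoring the gate cost of an AES circuit, so its figures are illustrative rather than the article's 140-trillion-circuit estimate.

```python
def grover_parallel_cost(key_bits: float, max_depth_log2: float,
                         iteration_depth_log2: float = 0.0) -> dict:
    """Model a Grover key search under a serial circuit-depth cap (MAXDEPTH).

    All quantities are log2 values. Assumption (simplification): one Grover
    iteration costs 2**iteration_depth_log2 depth, so a circuit may run at most
    2**(max_depth_log2 - iteration_depth_log2) iterations before it must stop.
    An unsplit search needs ~2**(key_bits/2) serial iterations; if that exceeds
    the cap, the key space is split over p circuits that each search
    2**key_bits / p keys and therefore need sqrt(2**key_bits / p) iterations.
    """
    max_iters_log2 = max_depth_log2 - iteration_depth_log2
    unsplit_log2 = key_bits / 2
    if unsplit_log2 <= max_iters_log2:
        instances_log2 = 0.0            # one circuit fits under the cap
    else:
        # sqrt(2^n / p) = 2^cap  =>  p = 2^(n - 2*cap)
        instances_log2 = key_bits - 2 * max_iters_log2
    per_instance_log2 = (key_bits - instances_log2) / 2
    total_log2 = instances_log2 + per_instance_log2   # circuits x serial iterations
    return {
        "instances_log2": instances_log2,
        "per_instance_iterations_log2": per_instance_log2,
        "total_work_log2": total_log2,
        "bits_saved_vs_classical": key_bits - total_log2,
    }


def split_search(key_bits: float, machines_log2: float) -> dict:
    """Compare splitting a 2**key_bits search over 2**machines_log2 machines.

    Classical brute force parallelizes perfectly: total work stays 2**key_bits.
    Grover gains only sqrt(p) in wall-clock time from p machines and pays
    sqrt(p) extra in total work, because each machine still runs its own
    serial sqrt(2**key_bits / p) iterations.
    """
    sub_space_log2 = key_bits - machines_log2
    return {
        "classical_per_machine_log2": sub_space_log2,
        "classical_total_log2": sub_space_log2 + machines_log2,
        "quantum_per_machine_log2": sub_space_log2 / 2,
        "quantum_total_log2": machines_log2 + sub_space_log2 / 2,
    }


if __name__ == "__main__":
    for cap in (40, 64, 96):
        c = grover_parallel_cost(128, cap)
        print(f"AES-128, MAXDEPTH=2^{cap}: 2^{c['instances_log2']:.0f} circuits, "
              f"total work 2^{c['total_work_log2']:.0f}")
    s = split_search(128, 48)
    print(f"2^48 machines: classical total 2^{s['classical_total_log2']:.0f}, "
          f"Grover total 2^{s['quantum_total_log2']:.0f}")
```

Under a 2^40 depth cap the model needs 2^48 circuits and 2^88 total iterations for AES-128, well above the naive 2^64 that the "halving" claim assumes.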

The Gossip

WPA3's Quantum Quagmire

The discussion quickly turned to the practical implications for WPA3. A commenter expressed concern that WPA3's reliance on ECDH for key exchange, which is vulnerable to quantum attacks, could lead to massive e-waste. The author clarified that hash algorithms are indeed symmetric primitives within this context, while another commenter pointed out that AES remains the underlying block cipher in WPA3, implying that the symmetric encryption itself is not the quantum vulnerability. The nuance here is the distinction between quantum-vulnerable key *exchange* (ECDH) and the robust symmetric *encryption* (AES).