Conversation

Notices

  1. Sc00bz (sc00bz@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:31 JST
    in reply to
    • Sophie Schmieg
    • Filippo Valsorda :go:
    • Dan Goodin
    • Ryan Castellucci :nonbinary_flag:

    @filippo @dangoodin @ryanc @sophieschmieg The TL;DR answer: Grover's algorithm breaks a 128 bit key in 2^64 time but needs a circuit size of >2^100.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:31 JST
      in reply to
      • Sophie Schmieg
      • Filippo Valsorda :go:
      • Dan Goodin

      @sc00bz @filippo @dangoodin @sophieschmieg well, that is certainly a time-memory trade off.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:33 JST
      in reply to
      • Sophie Schmieg
      • Filippo Valsorda :go:
      • Dan Goodin

      @sophieschmieg @dangoodin @filippo "secure until computers are made of something other than matter and occupy something other than space"

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:33 JST
      in reply to
      • Sophie Schmieg
      • Filippo Valsorda :go:
      • Dan Goodin

      @sophieschmieg @dangoodin @filippo though 128 bit symmetric seems a bit iffy on security margin to me, given that 256 bit isn't that much slower.

    • Dan Goodin (dangoodin@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:33 JST
      in reply to
      • Sophie Schmieg
      • Filippo Valsorda :go:
      • Ryan Castellucci :nonbinary_flag:

      @ryanc @sophieschmieg @filippo

      My very foggy and distant recollection is that quantum computing effectively cuts the number of bits in symmetric encryption by half. Am I just dreaming that, or is that right? If so, seems like cutting 128 in half wouldn't be enough entropy. Sorry if I'm completely wrong on all accounts here.

    • Filippo Valsorda :go: (filippo@abyssdomain.expert)'s status on Saturday, 18-Nov-2023 09:51:33 JST
      in reply to
      • Sophie Schmieg
      • Dan Goodin
      • Ryan Castellucci :nonbinary_flag:

      @dangoodin @ryanc @sophieschmieg That's a very simplified model, which I initially took as good myself, but it's effectively incorrect. In practice, 128 bits is enough. Not only that, but post-quantum crypto of Category 1 is defined by NIST as "as hard to break as AES-128".

      https://words.filippo.io/dispatches/post-quantum-age/#128-bits-are-enough

    • Sophie Schmieg (sophieschmieg@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:34 JST
      in reply to
      • Filippo Valsorda :go:
      • Dan Goodin

      @dangoodin @filippo 128 bit is enough, as long as you are not defending against adversaries with access to a Dyson swarm. 256 bit is enough for defense against a Kardashev III civilization, with room to spare.

    • Dan Goodin (dangoodin@infosec.exchange)'s status on Saturday, 18-Nov-2023 09:51:35 JST
      in reply to
      • Filippo Valsorda :go:

      @filippo

      For those of us following along at home, can you provide a little more context? I am also curious to know if you agree that 128 bits is enough. I always thought 256 was the agreed upon number of bits.

    • Filippo Valsorda :go: (filippo@abyssdomain.expert)'s status on Saturday, 18-Nov-2023 09:51:37 JST

      Here's the UK Government stating—like NIST did—that 128 bit keys are enough against quantum computers. No need to migrate to 256 "because quantum".

      https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography#section_4


      Attachments


      1. https://cdn.masto.host/abyssdomainexpert/media_attachments/files/111/354/547/411/202/623/original/5d49ce6aa92e5bbc.png

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.