On Friday 06 May 2016 10:34:37 Zoogtfyz wrote:
> > the larger key size helps w.r.t. quantum computers.
>
> If quantum computers are currently on the level of breaking AES-128,
> then they are on the level of breaking any asymmetric cryptography
> (RSA, DHE or ECDHE key exchange) we are using - which makes support
> for AES-256 moot.

That's not correct. Grover's algorithm requires you to perform 2^(n/2) operations to break symmetric crypto, and it uses n qubits to do that. To break AES-128 you need a quantum computer with 128 qubits and 2^64 operations. To break AES-256 you need 256 qubits and 2^128 operations. To break RSA you need a quantum computer which can do Shor's algorithm, which requires n*3/2 qubits and around (log n)^2 operations. So for 2048-bit RSA you need a 3072-qubit QC and about 83 operations. In other words, a quantum computer that breaks AES-128 can't even scratch RSA. A quantum computer that breaks AES-256 doesn't make it possible to actually recover plaintext, and it still doesn't break currently used RSA.

> Moving away from AES-256 will put even more
> pressure on the crypto community to come up with a solution as
> opposed to the *relative* complacency we are seeing now.

I don't think we are in a position to demand that the crypto community do anything in particular...

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto