Even without quantum computers, 2^40-target attacks against AES-128 are already a feasible computation today for large-scale attackers. . . . . I agree that the Grover speedup compared to non-quantum searches comes from the number of serial iterations carried out on each processor, and meanwhile this has to fight against the quantum-computation overhead--- which could end up as 2^30 or 2^40; we don't know yet. But this doesn't make AES-128 a safe option: on the contrary, tolerating AES-128 will end up compromising the confidentiality of some user data.
Agreed. IMHO, there’s no excuse today for using AES with anything but 256-bit keys. One of the talks at Crypto 2025 last week said that none of the Kyber parameters meet their claimed security levels.

Details and specifics, please?
TLS mailing list -- tls@ietf.org