
AES-128 is quantum safe (more or less). 64 bit security in the classical domain isn't safe because you can parallelize across 2^20 computers trivially. Grover gives you 2^64 AES operations on a quantum computer (probably ~2^70 gates or so before error correction or ~2^90 after error correction) that can't be parallelized efficiently. AES-128 is secure for the next century (but you might as well switch to aes-256 because why not).


Is AES-256 more quantum resistant? It still has a 16-byte block size, so intuitively it should be equally vulnerable to Grover.


Grover's algorithm is sqrt(N) wrt domain size and the key is part of the domain of the function.



