7

So I am looking for the most secure method of symmetric key cryptography for long-term messaging use between two users. I have heard that most symmetric key algorithms are not absolutely compromised by quantum computers, but rather weakened.

I have read that AES 256 is in fact the weakest, followed by AES 128, with AES 192 being the strongest.

Let us imagine that today quantum computers exist with "good" capacity to break cryptography.

Is AES still the best symmetric key solution as of right now? If not, which is? If so, then which AES key space is the strongest?

These are many questions which remain unanswered or lack good discussion, as there isn't much in regards to post-quantum security concerns.

Ievgeni
Nick

3 Answers

14

AES-256 is still considered the strongest (and is considered secure), as related-key attacks are not particular to analysis with quantum computers.

Related-key attacks could happen when AES is used within a construction such as a hash function, where the output of one round is used as a key for the next round.


As far as we know now, quantum computing won't have as much of an impact on most symmetric algorithms as it does on asymmetric cryptography (which usually relies on specific mathematical problems that can be solved using quantum computers).

As mentioned, the best generic attack on symmetric ciphers, Grover's attack, about halves the key strength. But you need a lot of qubits to create the attack. Of course, there may be new attacks found that are particular to a specific block cipher, but as far as we can see now, most constructs seem pretty secure against quantum computers. That means that a 256-bit key will still deliver 128 bits of security against quantum cryptanalysis.

That means that there seems to be little reason to double the 256-bit key strength, as 128 bits of security are considered plenty against any attack that requires that order of operations.


If you require 256 bits of security against quantum computers (why?), you could consider Threefish-512, an algorithm actually designed to deliver that kind of security.

Maarten Bodewes
-3

Given that the link to the Kudelski analysis does not work anymore, please find an updated link here.

Hopefully, that addresses your concerns about the answer's legitimacy. To be more precise, regarding the OP's question, using currently standardized key sizes, AES is most secure with 256-bit keys and the suggested modifications to its key schedule. The suggestion is to use HKDF or CSHAKE as a way to make related key attacks impossible, therefore allowing key sizes >= 256 safely, while keeping backward compatibility with the Rijndael core loop. Squeamish Ossifrage (what a beautiful name by the way!) were themselves slightly mistaken in their reading of the paper. The reference implementation is GPL, by the way.

kelalaka
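The key-derivation step this answer suggests, as an added example that is not part of the original answer or of the paper it cites: HKDF-SHA256 (RFC 5869) implemented with only the Python standard library and used to derive per-message AES-256 keys from a long-term shared secret, so that no two keys handed to the AES key schedule differ by an attacker-chosen value. The `derive_aes256_key` function, its label and its layout are this example's own assumptions (the answer names HKDF or cSHAKE without fixing a scheme), and AES itself is left out so the block runs without third-party packages.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated, truncated."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF output length out of range")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

def derive_aes256_key(master_secret: bytes, salt: bytes, context: bytes, msg_no: int) -> bytes:
    """Derive one 32-byte AES-256 key bound to a direction label and a message counter.

    Each key is a pseudorandom function of the master secret, so keys for different
    counters do not differ by an attacker-chosen value, which removes the precondition
    of a related-key attack on the AES-256 key schedule. Label and layout are this
    example's own assumptions, not a scheme from the answer or the paper."""
    info = b"example-aes256-msg-key|" + context + b"|" + msg_no.to_bytes(8, "big")
    return hkdf(salt, master_secret, info, 32)

def rfc5869_test_case_1_passes() -> bool:
    """Check the implementation against RFC 5869, Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                        "34007208d5b887185865")
    return hkdf(salt, ikm, info, 42) == okm

if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample shared secret, not a real key
    print("RFC 5869 self-test:", rfc5869_test_case_1_passes())
    print("key #1:", derive_aes256_key(secret, b"salt", b"alice->bob", 1).hex())
    print("key #2:", derive_aes256_key(secret, b"salt", b"alice->bob", 2).hex())
```

The salt should be a per-session value exchanged in the clear (it need not be secret); the counter must never be reused with the same secret and salt.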
-6

Regarding using AES in the most secure way possible against quantum computers AND related-key attacks (while keeping hardware compatibility with existing CPU cryptographic optimizations), I would suggest you read https://eprint.iacr.org/2019/553 (Towards post-quantum symmetric cryptography).

At the time of the question we hadn't yet written a formal paper about it, and it is by searching the Internet for our paper that I found this question.

Maarten Bodewes