2

Encrypting with AES-256 is widely claimed to be post-quantum secure.

But let's take a case where you use an initial key that has less than 256 bits of real entropy. In this example, let's work with a 128-bit key that has 128 bits of real entropy. We stretch it with something commonly used, like PBKDF2 with 120,000 iterations. We use the 256-bit result as the encryption key for AES-256 to encrypt some secret.

Is the secret still secure against brute force attacks by a quantum computer, the kind that can halve (or worse) the effective security of a symmetric cipher using Grover's algorithm? (Edited to add:) We assume the attacker knows the specifics of the above scheme, but not the length of the entropy or the initial key.

Sutarbi Dudek

1 Answer

4

Currently, the quantum attacks work on the block cipher itself. Grover's search algorithm reduces the complexity of a 256-bit key to 128-bit, since it has complexity $\mathcal{O}(\sqrt{n})$, and in the case of a 256-bit key $\mathcal{O}(\sqrt{2^{256}}) = \mathcal{O}(2^{128})$.

Since you have started with 128-bit entropy, theoretically, a quantum attacker on the block cipher itself with a 256-bit key will not benefit from Grover's algorithm, since Grover's algorithm will search 256 bits. Keep in mind that a 256-bit space is infeasible for a quantum computer.

What if, in an unforeseeable future, someone builds a quantum circuit for the PBKDF2 + AES combination, that is, one that searches for the 128-bit input to PBKDF2, uses the output as the AES-256 key, and performs a Grover-style attack?

This can be done by extending the AES-256 Grover search with a 128-qubit PBKDF2 quantum circuit. Since the input is 128-bit, the search will be $\mathcal{O}(2^{64})$ to find the ciphertext.

The attacker will always use the weakest point!

kelalaka
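As an added illustration (not part of the question or the answer above), the following Python models the scheme under discussion, a 128-bit input key stretched with PBKDF2 to a 256-bit AES key, and compares the two quantum attack paths the answer describes: Grover over the 256-bit key space versus Grover over the 128-bit input space with PBKDF2 inside the oracle. The choice of PBKDF2-HMAC-SHA256 and the salt are assumptions; the work estimate treats each oracle query as costing roughly `iterations` hash evaluations, which is the standard rough accounting, not a precise circuit cost.

```python
import hashlib
import math

# Constructed parameters matching the question: 128 bits of real entropy,
# PBKDF2 with 120,000 iterations, output used as a 256-bit AES key.
INPUT_ENTROPY_BITS = 128
PBKDF2_ITERATIONS = 120_000
AES_KEY_BITS = 256


def derive_aes_key(input_key: bytes, salt: bytes,
                   iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the input key to a 256-bit AES key (PBKDF2-HMAC-SHA256 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", input_key, salt, iterations,
                               dklen=AES_KEY_BITS // 8)


def grover_query_bits(space_bits: int) -> float:
    """Grover needs about sqrt(2^bits) = 2^(bits/2) oracle queries."""
    return space_bits / 2


def attack_costs(entropy_bits: int = INPUT_ENTROPY_BITS,
                 key_bits: int = AES_KEY_BITS,
                 iterations: int = PBKDF2_ITERATIONS) -> dict:
    """log2 of the cost of the two attack paths from the answer.

    direct_key_queries: Grover over the full AES key space (ignores how the key
        was derived, so the low-entropy input does not help the attacker).
    input_queries:      Grover over the input space, PBKDF2 + AES in the oracle.
    input_work:         input_queries plus the per-query cost of evaluating
        PBKDF2 (approximated as log2(iterations) extra bits of work).
    """
    direct = grover_query_bits(key_bits)
    via_input = grover_query_bits(entropy_bits)
    return {
        "direct_key_queries": direct,
        "input_queries": via_input,
        "input_work": via_input + math.log2(iterations),
    }


def weakest_point_bits(entropy_bits: int = INPUT_ENTROPY_BITS,
                       key_bits: int = AES_KEY_BITS) -> float:
    """Effective quantum security: the attacker picks the cheaper search."""
    return min(grover_query_bits(entropy_bits), grover_query_bits(key_bits))
```

Under this model the 120,000 iterations add only about 17 bits of work to the input-space search, so the scheme's quantum security is bounded by the 128-bit input, not by the 256-bit AES key.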