quantum computing and symmetric algotithms
Robert J. Hansen
rjh at sixdemonbag.org
Tue May 5 00:31:18 CEST 2026
> I was under the impression that for any generic symmetric cipher, Grover's
> algorithm would halve the strength in bit, for example a 128 bit key would
> be as weak against Quantum computers as a current 64 bit key
> against normal computers.
This is only approximately true. It's more of a rule of thumb than a
final answer. AES-128 is currently believed safe against Grover's. See
the conclusion (section 6) in this excellent paper:
https://csrc.nist.gov/csrc/media/Events/2024/fifth-pqc-standardization-conference/documents/papers/on-practical-cost-of-grover.pdf
More information about the Gnupg-users
mailing list