openssh unix dev - Oct 2024 - Post quantum encryption question

Have people given thought to the private key encryption methods in light of
potential quantum attacks? While the recent paper about breaking 50bit RSA
doesn't pose a threat I've been thinking about future harvest now,
decrypt
later attacks against CC20 and AES. Are there post quantum ciphers that can
effectively replace these available or in development? Is the threat still
too far off to be a serious concern?

Just curious about people's thoughts from a practical and dev perspective.

Chris

> Have people given thought to the private key encryption methods in
light of potential quantum attacks?

The current consensus is that quantum attacks are largely ineffective
against modern ciphers (including AES).  Once upon a time, it was
thought that symmetric key sizes would need to be doubled (i.e.: 256-
bit AES would have the equivalent strength of 128-bit), but further
studies suggested this not to be true.  Instead, it seems that a 128-
bit AES key would just have a couple bits of security knocked off.

Sorry, I don't have any references off-hand about this, but I'm sure
someone can chime in with some...

  - Joe

On Thu, 24 Oct 2024, Chris Rapier wrote:
> Have people given thought to the private key encryption methods in light of
> potential quantum attacks? While the recent paper about breaking 50bit RSA
> doesn't pose a threat I've been thinking about future harvest now,
decrypt
> later attacks against CC20 and AES. Are there post quantum ciphers that can
> effectively replace these available or in development? Is the threat still
> too far off to be a serious concern?
Grover's search algorithm gives a cryptographically-relevant quantum
computer a quadratic speedup. This effectively halves the strength,
as expessed in bits, of symmetric ciphers and (I think) hash algorithms.

I.e. AES-256 would be "as strong" as AES-128, and AES-128 would be
reduced to 64-bit equivalent strength. The latter sounds pretty scary
but AIUI the attacker would need to perform close to 2^64 quantum
computations to break AES and that's still a huge expenditure.

There's no analogous store-now-decrypt-later situation for signature
schemes in SSH. The closest concern is long-lived signing keys that
would be troublesome to rotate before a QC becomes available. There's
not many of these in the SSH ecosystem, but examples could include
hardware security devices (smartcards, tokens, TPMs, HSMs) and, to
a lesser extent, CA keys.

-d

Disclaimer: I'm neither a cryptographer nor a quantum physicist.