Is AES-256 Quantum Resistant?

By Lane Wagner

With quantum computers getting more powerful every year, many worry about the safety of modern encryption standards. As quantum computers improve in performance and the number of qubits used for calculations increase, current crypto systems are under more threat of attack.

What will break?

Many asymmetric encryption algorithms have been mathematically proven to be broken by quantum computers using Shor’s algorithm. Shor’s algorithm solves the problem:

Given an integer N, find its prime factors.

Because algorithms like RSA rely heavily on the fact that normal computers can’t find prime factors quickly, they have remained secure for years. With quantum computers breaking that assumption, it may be time to find new standards.

Examples of encryption that Shor’s algorithm can break include:

Symmetric Encryption

Symmetric encryption, or more specifically AES-256, is believed to be quantum resistant. That means that quantum computers are not expected to be able to reduce the attack time enough to be effective if the key sizes are large enough.

Symmetric Cats

Grover’s algorithm can reduce the brute force attack time to its square root. So for AES-128 the attack time is reduced to 2^64 (not very secure), while AES-256 is reduced to 2^128 which is still considered extremely secure.

Qvault uses 256-bit keys and AES-256-GCM for all encryption which gives us reason to believe our users are protected against quantum attacks at least in the short term.

It is important to remember that even 256-bit keys derived from passwords actually can have less than 256-bits of entropy because an attacker could try deriving keys from likely passwords vs trying random 256-bit numbers.

For example, instead of randomly trying

  1. azpV4CYbAwQUP4BaJJJNDBxEUkghMF8x2Sd4Q7ihD04=
  2. mtOXPNln432smP3pd3rVLw9rpGGkVsiqRhUFLXy/KBw=
  3. ..

An attacker would try:

  1. password123 –> 75K3eLr+dx6JJFuJ7LwIpEpOFmwGZZkRiB84PURz6U8=
  2. password1234 –> uclQZA4bN0DpisuT5mnGV2b2Zw3RYJupH/QQUrpIxvM=

For this reason Qvault will soon offer optional physical cards which when used in conjunction with a password will give our users quantum resistant security for the foreseeable future.

If you are implementing AES in a crypto system in 2019 you should favor AES-256 over AES-128 for the quantum resistance that it offers.

Further Reading

Featured image credit:

Follow us on medium!

Comments 7

    1. Post
  1. Not sure I like the “password” example in the description, only because passphrases should use a 1-way hash with a salt. Similarly, AES should use a unique random IV for every encrypted value/stream

    1. Post

      Hey Michael, I didn’t go into all the details in the article, but I was trying to explain that passwords are converted into 256 bit keys before ciphering. This is, as you stated, is done through a hash function and the use of a salt. Qvault for example uses the scrypt hash and a random salt. Our AES implementation also uses a unique IV for each encryption. I left out those details because the focus was on quantum computing for this article but hopefully these comments help some people!

  2. Does your website have a contact page? I’m having trouble locating it but, I’d
    like to shoot you an e-mail. I’ve got some suggestions for your blog you might be interested
    in hearing. Either way, great site and I look forward to seeing
    it improve over time.

    1. Post

      It doesn’t, it just has a couple links at the bottom of the page right now. We should probably add some soon though… I’ll email you personally for now.

Leave a Reply

Your email address will not be published. Required fields are marked *