Quantum Computers Are Not a Threat to 128-Bit Symmetric Keys
Symmetric Crypto, Hashes, and Grover’s Algorithm
- Some objected to calling hash-based constructions “symmetric keys”; others replied that hashes are symmetric primitives and Grover’s algorithm applies to them in the same way (e.g., HMAC, HKDF).
- Clarification: the discussion is about symmetric-style security levels, not just block ciphers.
Quantum Threat to AES-128 and Practicality of Attacks
- Multiple comments stress Grover’s attack is theoretically relevant but wildly impractical.
- Estimates cited: even optimistic assumptions require enormous numbers of logical qubits and parallel quantum circuits to attack AES‑128, far beyond plausible hardware.
- Parallelizing Grover is costly: to speed it up by a factor of N you need about N² processors, which quickly erodes the quadratic advantage.
- Comparison: brute-forcing 128-bit keys classically would need 20–30+ more orders of magnitude of compute; physically unrealistic.
- Some note that doubling AES key sizes is mostly “comfort blanket”; AES‑128 is already beyond realistic quantum brute force.
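As an added illustration of the cost model behind the two points above (this is example code, not something posted in the thread), the Python below compares classical brute force with single-machine and parallel Grover search; the per-iteration time is a constructed, deliberately optimistic assumption.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classical_expected_trials(key_bits: int) -> float:
    """Expected trial decryptions for classical brute force (half the keyspace)."""
    return 2.0 ** (key_bits - 1)


def grover_iterations(key_bits: int) -> float:
    """Grover iterations to find one key among 2^k: about (pi/4) * 2^(k/2) on one machine."""
    return (math.pi / 4) * 2.0 ** (key_bits / 2)


def parallel_grover_seconds(key_bits: int, machines: int, seconds_per_iteration: float) -> float:
    """Wall-clock time when P machines each run Grover over a disjoint 2^k / P slice.

    Per-machine iterations scale as sqrt(2^k / P), so the speedup over one machine is only sqrt(P).
    """
    return (math.pi / 4) * math.sqrt(2.0 ** key_bits / machines) * seconds_per_iteration


def machines_for_target_seconds(key_bits: int, seconds_per_iteration: float, target_seconds: float) -> float:
    """Machines needed to hit a wall-clock target: a speedup of N over one machine costs N^2 machines."""
    speedup = parallel_grover_seconds(key_bits, 1, seconds_per_iteration) / target_seconds
    return speedup ** 2


def total_grover_work_bits(key_bits: int, machines: int) -> float:
    """log2 of Grover iterations summed over all machines: k/2 + log2(P)/2.

    Splitting the search across more machines raises the total work, unlike classical
    search, whose total stays at 2^k however it is divided.
    """
    return key_bits / 2 + math.log2(machines) / 2


if __name__ == "__main__":
    # Constructed assumption: one AES evaluation inside a Grover iteration takes 1 microsecond.
    t_iter = 1e-6
    for k in (128, 256):
        years_one_machine = parallel_grover_seconds(k, 1, t_iter) / SECONDS_PER_YEAR
        needed = machines_for_target_seconds(k, t_iter, SECONDS_PER_YEAR)
        print(f"AES-{k}: classical ~2^{k - 1} trials, Grover ~{grover_iterations(k):.2e} iterations")
        print(f"  one machine: {years_one_machine:.2e} years; to finish in one year: {needed:.2e} machines")
        print(f"  total work with 2^20 machines: ~2^{total_grover_work_bits(k, 2 ** 20):.0f} iterations")
```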
WPA3, Forward Secrecy, and Quantum
- One thread criticizes WPA3 for using ECDH (quantum‑breakable) and causing future e‑waste in IoT.
- Others counter: WPA3 replaced PBKDF for key establishment, still uses AES, and primarily fixed real issues like lack of forward secrecy and open‑Wi‑Fi encryption.
- Debate over whether protecting traffic on public Wi‑Fi matters when most application traffic is already under TLS and AP operators may be untrusted anyway.
Key Rotation, Forward Secrecy, and “Harvest‑Now, Decrypt‑Later”
- Some propose aggressive asymmetric key rotation (e.g., rotating JWT signing keys every few minutes) as a quantum mitigation.
- Others argue this doesn’t help symmetric encryption, and does not protect recorded ciphertext: store‑now‑decrypt‑later remains a threat if the underlying primitives fall.
- Rotation can limit damage from key compromise in real time but does not replace post‑quantum algorithms.
Asymmetric Crypto, Key Sizes, and PQC
- Several comments reiterate: making RSA/ECC keys much larger doesn’t fix quantum threats; Shor’s algorithm scales too well.
- Larger classical key sizes do still slow quantum attacks somewhat (by linear or cubic factors in the key length), but Shor’s speedup over classical attacks remains exponential.
- For signatures and key exchange, commenters recommend moving to or hybridizing with post‑quantum schemes (e.g., ML‑KEM, SNTRUP), while keeping AES‑128/256 for bulk encryption.
Quantum Timelines, Hype, and Uncertainty
- Some report a recent “vibe shift” that cryptographically relevant quantum computers within ~5–15 years are now viewed as plausible; others remain very skeptical and compare the hype to past overblown tech claims.
- Several emphasize that once large-scale error-corrected qubits become feasible, capability could jump quickly because of error-correction thresholds, which makes small demonstrations (like factoring 15) poor metrics of progress.
- Cryptographers are portrayed as planning conservatively: even a low (>1%) probability by 2030 justifies starting PQ migration now, given slow standards and deployment.
Other Notes
- One-time pads are mentioned as perfectly secure but impractical at scale.
- There is mild concern that AI might discover improved classical attacks on AES or ChaCha, though this is speculative.
- Some argue that when hardware makes AES‑256 effectively “free” (e.g., disk encryption with AES‑NI), using larger keys is harmless extra margin.