The cr.yp.to microblog: 2022.08.07 05:59:14

2022.08.07 05:59:14 (1556127805145882624) from Daniel J. Bernstein, replying to "Ben (@bytesofben)" (1556125490615705600):

Typical choices of 256-bit ciphers are fine; no threats on the horizon. (If you put your key on a quantum laptop and encrypt quantum data then it's likely broken, so don't do that.) 256 is overkill (looks like each qubit op will cost roughly 2^40 bit ops) but also very low cost.

Context

2022.08.04 16:37:52 (1555201358357270528) from "Nick Sullivan (@grittygrease)":

Thread. Big announcement from Cloudflare today: we have opened our post-quantum cryptography alpha. We now support Kyber, a post-quantum key agreement in Cloudflare’s reverse proxy product and we want you to help test it with us.

2022.08.07 05:29:31 (1556120326005592064) from Daniel J. Bernstein:

It's great to see the progress on rolling out post-quantum crypto, assuming big quantum computers are coming. The _risks_ of Kyber problems (patents, attacks) aren't a reason to incur the _definite failure_ of doing nothing. But the bleeding-edge Kyber-512 option is a bad idea. https://twitter.com/grittygrease/status/1555201358357270528

2022.08.07 05:50:03 (1556125490615705600) from "Ben (@bytesofben)":

Sorry if this is a dumb question, but what are your thoughts on quantum for symmetric algorithms? Does it simply require a doubling of the key and block size?