2
$\begingroup$

Experts suggested 3DES when AES wasn't developed yet, since meet-in-the-middle attack, they suggested triple DES. Grover's algorithm, a quantum algorithm, weakens symmetric encryptions, how about triple ChaCha20? Does triple ChaCha20 have 256-bit security against quantum computers?

Improve this question
$\endgroup$
4
  • 4
    $\begingroup$ Note that the inner structure of ChaCha20 can be used as a PRF, but don't forget that ChaCha20 is basically a stream cipher. So technically you'd first have to define triple ChaCha20. $\endgroup$
    – Maarten Bodewes
    Commented Apr 17, 2023 at 12:12
  • $\begingroup$ I define triple ChaCha20 as that: For n-bit data, encrypt all n bits, and then go back to the 1st bit then encrypt those n bits again with another key, and so on. After every encryption process, go back to the 1st bit then do the next encryption process with another key. Since ChaCha20 is different to AES: With ChaCha20, encrypting plaintext twice with the same key results in plaintext, it requires 3 different keys. $\endgroup$
    – Flan1335
    Commented Apr 18, 2023 at 8:30
  • $\begingroup$ What do you mean "PRF"? $\endgroup$
    – Flan1335
    Commented Apr 18, 2023 at 8:35
  • 1
    $\begingroup$ @Flan1335 Regarding the PRF: Maarten probably means this en.wikipedia.org/wiki/Pseudorandom_function_family (PRF) as noted in en.wikipedia.org/wiki/Salsa20 "Both ciphers are built on a pseudorandom function based on add-rotate-XOR (ARX) operations — 32-bit addition, bitwise addition (XOR) and rotation operations." In other words, the keystream generating function can be considered a pseudorandom function keyed by the symmetric key. This (naturally, otherwise the cipher would be insecure) means that the generated key is pseudorandom (indistinguishable from a truly random key). $\endgroup$
    – honzaik
    Commented Apr 18, 2023 at 8:48

1 Answer 1

Reset to default
3
$\begingroup$

First of all, we don't need 256 bit security. 128 bit security is fine; $2^{128}$ operations is already infeasible, especially when we're talking about security against quantum-cryptanalysis where the operations are more expensive than with a regular computer. Grover's algorithm is also known to be very resource intensive, requiring the emulation of the target algorithm using qubits.

Furthermore, while it is nice to have a bit of a margin when it comes to classical attacks, it's not likely that Grover's algorithm will be enhanced so that fewer qubits are required. Grover has been shown to be optimal for the "bruteforce" attempt against a cipher / key, so the number of logical qubits will at least remain the same. It is yet unclear how many qubits will be required for error conditions, so the number of required physical qubits is still unknown. That doesn't matter much as it won't alter the logical number of operation or qubits required.

DES is a block cipher, and triple DES consists of encryption, decryption and then encryption again of the block cipher. The mode of operation for the block cipher (e.g. CBC) is then performed on that stacked construction. ChaCha20 however is a stream cipher, not a block cipher, so you'd have to define what triple ChaCha20 would be like. ChaCha20 contains a PRF internally, and I guess that PRF can be tripled, but that's messing with the internal definition of the cipher.

That all said, quantum cryptanalysis is generally search, I'd say that yes, triple ChaCha20 would provide at least 256 bit security. However, as indicated, that's not required in any situation; defining or using triple-ChaCha20 would not make a system more secure in practice. Maybe triple AES-128 would make some sense if all you have is accelerated AES for that particular key size (I've seen some embedded processors that have those kind of limitations). Even AES-128 would be pretty hard to break though.

Improve this answer
$\endgroup$
3
  • $\begingroup$ OK, too many upvotes on my comments, took a leap and converted it to an answer. $\endgroup$
    – Maarten Bodewes
    Commented Apr 18, 2023 at 22:30
  • 1
    $\begingroup$ Note that another method would be to simply use multiple encryption and XOR the generated key streams and plaintext together. $\endgroup$
    – Maarten Bodewes
    Commented Apr 19, 2023 at 12:25
  • $\begingroup$ I define triple ChaCha20 as that: For n-bit data, encrypt all n bits, and then go back to the 1st bit then encrypt those n bits again with another key, and so on. After every encryption process, go back to the 1st bit then do the next encryption process with another key. Since ChaCha20 is different to AES: With ChaCha20, encrypting plaintext twice with the same key results in plaintext, it requires 3 different keys. $\endgroup$
    – Flan1335
    Commented Apr 21, 2023 at 8:22

Not the answer you're looking for? Browse other questions tagged or ask your own question.