6

We know that Grover's algorithm can speed up cracking symmetric keys. Basically the keyspace is halved. This means we have to use at least a 256-bit key (to get 128-bit security).

I heard somewhere it also has an effect on the block size (so we should use 256-bit blocks instead of 128)!

Is that true?

5
  • 3
    1) I don't see that paper mentioning Rijndael with 256 bit blocks at all. It talks about AES with 128 bit blocks. AES-256 has a 256 bit key and 128 bit blocks. 2) Summarizing the paper as "AES-256 is not secure" is highly misleading. Related key attacks are irrelevant for pretty much every protocol that uses AES. 3) "Grover [...] cracking symmetric keys 2x faster" That's wrong too. A 2x speedup would be completely harmless. Grover halves the effective key-length, which is an exponential speedup. Commented Jan 4, 2013 at 9:29
  • @CodesInChaos so AES 264 doesn't have that problem? (the main question is about protocol now, not key size)
    – mary
    Commented Jan 4, 2013 at 13:57
  • 1
    What do you mean by "protocol size"? Commented Jan 4, 2013 at 18:34
  • 3
    Mary. I edited the title to use "block size" instead of "protocol size". Please check that this is actually what you mean, otherwise please edit your question again to clarify it. Commented Jan 4, 2013 at 19:15
  • @mary I think it is time you should accept a few answers, read the FAQ if you don't know how or when.
    – Maarten Bodewes
    Commented Jan 5, 2013 at 18:15

1 Answer

5

It depends on the application. If you are using the block cipher as a hash function or for a MAC (say in CBC-MAC fashion), then it very well could create problems. Preimage attacks would be much easier than they should be.

For normal encryption, however, there wouldn't be a problem since the key is not known to the attacker. As evidence of this, consider Triple DES which has a 64 bit block size yet is still sufficiently secure for use today (though I wouldn't recommend it in newer designs).

1
  • 3
    I believe 3DES (or any cipher with a 64-bit block size) in CTR, CFB or OFB mode can be distinguished from a random stream after a few dozen gigabytes of output. Not a problem for most applications, though.
    – Thomas
    Commented Jan 5, 2013 at 1:34
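
Added example (not part of the original answer or comments): the birthday-bound effect behind the comment above about 64-bit blocks in CTR mode, shown on a toy 16-bit Feistel cipher so it runs instantly. The toy cipher, `BLOCK_BITS`, the sample key and all function names are assumptions made for illustration.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block size (assumption) so the effect appears in milliseconds


def _round(key: bytes, rnd: int, half: int) -> int:
    # Round function: 8-bit value derived from SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_encrypt(key: bytes, block: int) -> int:
    """4-round Feistel network over 16 bits: a keyed permutation, like any block cipher."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 8) | right


def ctr_keystream(key: bytes, nblocks: int) -> list:
    # CTR mode: keystream block i is E_k(i); distinct counters give distinct blocks.
    return [toy_encrypt(key, i) for i in range(nblocks)]


def random_stream(nblocks: int, seed: int) -> list:
    # Reference stream of independent uniform blocks (seeded for repeatability).
    rng = random.Random(seed)
    return [rng.getrandbits(BLOCK_BITS) for _ in range(nblocks)]


def repeated_blocks(stream: list) -> int:
    return len(stream) - len(set(stream))


def looks_like_ctr(stream: list) -> bool:
    # Distinguisher: well past 2^(n/2) blocks, a truly random stream contains repeats.
    return repeated_blocks(stream) == 0


def birthday_bytes(block_bits: int) -> int:
    """Output volume at the birthday bound: 2^(n/2) blocks of n/8 bytes each."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


if __name__ == "__main__":
    q = 4096  # 16x the toy birthday bound of 2^8 blocks
    print("CTR repeats:   ", repeated_blocks(ctr_keystream(b"constructed key", q)))
    print("random repeats:", repeated_blocks(random_stream(q, seed=1)))
    print("64-bit bound:  ", birthday_bytes(64) // 2**30, "GiB")
    print("128-bit bound:  2^68 bytes ==", birthday_bytes(128) == 2**68)
```

For a 64-bit block the bound works out to 32 GiB of output, while a 128-bit block pushes it to 2^68 bytes.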
