A Cryptography Engineer’s Perspective on Quantum Computing Timelines

marcos-morar43: > 128-bit encryption is in severe danger. “Severe danger” is quite a stretch. Grover’s algorithm is not very parallelizable [1]. It can reduce the search space of a 128-bit key to 2^64, but it can’t search that 2^64 key space as efficiently as classical attacks would. There is still some risk, of course, and long-term fixed keys like those used for disk encryption should absolutely be 256-bits as a result, but it is very possible that QRCs are not able to meaningfully threaten symmetric cryptography. This is why all PQC efforts are currently focused on asymmetric cryptography. [1] https://quantumcomputing.stackexchange.com/a/5806 (has more citations to specific papers about this too)