
Will a 128 bit block have some security implication in post-quantum cryptography?

Maarten Bodewes
Tom

1 Answer


Does the block size of a symmetric cipher impact the security of the cipher itself?

Yes, absolutely. A small block size limits the amount of data that can be encrypted with a given key, and some block modes are more badly affected by this than others. Additionally, some cryptographic attacks against weak ciphers can be made more practical against a block cipher with a small block size, such as the slide attack, which becomes very difficult to implement when the block sizes are large.

The classical issues with small block sizes are well documented, and other questions on this site on that topic have been answered. Generally, a small block size opens up a can of cryptographic worms regardless of whether or not your adversary is quantum-capable. A 32-bit block size is silly. A 64-bit block size is worrying and can be insecure in certain situations. A 128-bit block size is okay. A 256-bit block size is better. A 512-bit block size is generally excessive. This holds true, quantum or not.

Will a 128 bit block have some security implication in post-quantum cryptography?

No, a small block size will not generally be affected by quantum computers. The quantum algorithm that would be responsible is Grover's algorithm, which is a search algorithm. All the attacks against block ciphers that rely on a small block size are limited by the amount of ciphertext the attacker has, not by the number of operations an attacker is able to perform. Sweet32, slide attacks, etc. depend on nothing more than being able to collect a lot of ciphertext that has been encrypted under a single key. Once sufficient data has been collected, the number of computations required to break the guarantees of the cipher is not great enough to benefit substantially from Grover's algorithm.

It's important to note, however, that a block cipher used for authentication, e.g. with CBC-MAC, is more vulnerable against a cryptanalytic quantum computer. The reason for this is that a small block size results in a small authentication tag size, and Grover's algorithm can be used to brute force the small tag with more ease. The same is true if the block cipher is used as the core of a hash function, which would result in smaller digests that are easier for a quantum computer to attack.

forest
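An added example (not part of the answer above) of why the small-block problem is bounded by data rather than computation: a constructed 32-bit keyed permutation is run in CBC mode over 2^19 random blocks under one key, the first repeated ciphertext block is found with a single dictionary pass, and the XOR of the two corresponding plaintext blocks is recovered from the preceding ciphertext blocks alone. The toy cipher, key and sample data are all constructed for the demo; the step that does the damage is one lookup per collected block, which is exactly the kind of work Grover's search does not accelerate.

```python
import hashlib
import random

BLOCK_BITS = 32  # constructed toy block size, small enough that the demo runs in seconds
MASK = (1 << BLOCK_BITS) - 1

def toy_block_encrypt(round_keys: list, x: int) -> int:
    # Constructed keyed 32-bit permutation (add, rotate, odd multiply and xor are
    # all bijections mod 2^32). Not a real cipher: only a keyed permutation is needed.
    for rk in round_keys:
        x = (x + rk) & MASK
        x = ((x << 13) | (x >> 19)) & MASK
        x = (x * 0x9E3779B1) & MASK
        x ^= rk
    return x

def cbc_encrypt(round_keys: list, iv: int, blocks: list) -> list:
    out, prev = [], iv
    for p in blocks:
        prev = toy_block_encrypt(round_keys, p ^ prev)
        out.append(prev)
    return out

def find_repeated_block(ct: list):
    # One pass, one dict lookup per block: bounded by the data collected, not by a search.
    seen = {}
    for j, c in enumerate(ct):
        if c in seen:
            return seen[c], j
        seen[c] = j

def leaked_plaintext_xor(iv: int, ct: list, i: int, j: int) -> int:
    # C_i == C_j in CBC implies P_i xor P_j == C_{i-1} xor C_{j-1} (the IV when the index is 0).
    return (iv if i == 0 else ct[i - 1]) ^ (iv if j == 0 else ct[j - 1])

def demo(n_blocks: int = 2 ** 19) -> dict:
    # 8 * 2^16 random blocks under one key, well past the 2^16-block birthday bound for 32 bits.
    rng = random.Random(2024)  # constructed, deterministic sample data
    key = hashlib.sha256(b"constructed demo key").digest()
    round_keys = [int.from_bytes(key[k:k + 4], "big") for k in range(0, 16, 4)]
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(round_keys, iv, plaintext)
    hit = find_repeated_block(ct)
    if hit is None:
        return {"collision": False}
    i, j = hit
    return {"collision": True, "blocks": (i, j),
            "leak_correct": leaked_plaintext_xor(iv, ct, i, j) == (plaintext[i] ^ plaintext[j])}
```

The same pass run against a 128-bit block would need on the order of 2^64 blocks of ciphertext under one key before the first repeat is expected, which is why the block size, not the attacker's compute, sets the limit.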