An Economic Model for Quantum Key-Recovery Attacks against Ideal Ciphers

TL;DR

This paper models the economic risks of quantum key-recovery attacks on ideal ciphers, predicting that 128-bit keys remain secure against such attacks even with future quantum computing advancements.

Contribution

It introduces a quantum cipher circuit year metric to evaluate attack costs and models attacker incentives considering the time value of information.

Findings

128-bit keys remain secure against quantum attacks in most scenarios

The quantum cipher circuit year helps quantify attack feasibility

Future quantum advances may not compromise current symmetric key security

Abstract

It has been established that quantum algorithms can solve several key cryptographic problems more efficiently than classical computers. As progress continues in the field of quantum computing it is important to understand the risks they pose to deployed cryptographic systems. Here we focus on one of these risks - quantum key-recovery attacks against ideal ciphers. Specifically, we seek to model the risk posed by an economically motivated quantum attacker who will choose to run a quantum key-recovery attack against an ideal cipher if the cost to recover the secret key is less than the value of the information at the time when the key-recovery attack is complete. In our analysis we introduce the concept of a quantum cipher circuit year to measure the cost of a quantum attack. This concept can be used to model the inherent tradeoff between the total time to run a quantum key recovery attack and the total work required to run said attack. Our model incorporates the time value of the encrypted information to predict whether any time/work tradeoff results in a key-recovery attack with positive utility for the attacker. We make these predictions under various projections of advances in quantum computing. We use these predictions to make recommendations for the future use and deployment of symmetric key ciphers to secure information against these quantum key-recovery attacks. We argue that, even with optimistic predictions for advances in quantum computing, 128 bit keys (as used in common cipher implementations like AES-128) provide adequate security against quantum attacks in almost all use cases.