Cider9986 2 hours ago
Would post-quantum encryption also be harder for regular computers to crack?
kibwen 38 minutes ago
This is precisely the uncertainty that the commenter above was referring to when they mentioned complexity classes like BQP. We don't necessarily know the precise relationship between quantum complexity classes and their classical counterparts.
some_furry an hour ago
The international standardization effort that led to ML-KEM and ML-DSA focused both on classical attacks (regular computers) and quantum attacks.

There were 5 levels being considered for each submission.

Level 1 - at least as difficult to attack as AES-128 (block cipher)
Level 2 - at least as difficult to attack as SHA-256 (hash function)
Level 3 - at least as difficult to attack as AES-192 (block cipher)
Level 4 - at least as difficult to attack as SHA-384 (hash function)
Level 5 - at least as difficult to attack as AES-256 (block cipher)

The security of attacking an N-bit block cipher is morally congruent to a birthday collision against a {2N}-bit hash function. With some caveats: https://soatok.blog/2024/07/01/blowing-out-the-candles-on-th...

ML-DSA-44 (smallest parameter set) targets Level 2 for signatures.

ML-KEM-768 targets Level 3 for KEMs.