|Name||Function||Pre-quantum security level||Post-quantum security level|
Security levels shown are against the best pre-quantum and post-quantum attacks known. Security level b means that the best attacks use approximately 2b operations. This optimization ignores parallelization requirements; see text for discussion of the impact of such requirements. For hash functions, ‘security’ in this table refers to pre-image security.
|AES-1288||Symmetric encryption||128||64 (Grover)|
|AES-2568||Symmetric encryption||256||128 (Grover)|
|Salsa2058||Symmetric encryption||256||128 (Grover)|
|GMAC59||MAC||128||128 (no impact)|
|Poly130560||MAC||128||128 (no impact)|
|SHA-25661||Hash function||256||128 (Grover)|
|SHA3-25662||Hash function||256||128 (Grover)|
|DH-307242||Key exchange||128||Broken (Shor)|
|DSA-307263, 64||Signature||128||Broken (Shor)|
|256-bit ECDH4, 5, 6||Key exchange||128||Broken (Shor)|
|256-bit ECDSA66, 67||Signature||128||Broken (Shor)|
Department of Computer Science, University of Illinois at Chicago, Chicago, Illinois 60607-7045, USA
- Daniel J. Bernstein
Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, 5612 AZ Eindhoven, The Netherlands
- Tanja Lange
D.J.B. and T.L. jointly inventoried the space of cryptographic systems, selected specific systems and quantum algorithms to cover, decided on the organization, and wrote text. No new experiments were performed.
Competing financial interests
The authors declare no competing financial interests.
Publisher's note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.