While presently AES-CBC encryption works well, it is not far away when quantum computers would be able to crack the encryption. Quantum computing is already available through clouds to the general public and malicious actors are already storing data to be cracked in the upcoming years. NIST has announced 4 quantum resistant algorithms that can be used in place of existing encryption algorithms. See https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms.
Considering the future risk, it is best to start implementing a quantum resistant encryption algorithm like Kyber.
You are right, the NIST initiative linked by @0xcrypto is to standardize quantum-resistant public-key cryptographic algorithms (i.e., asymmetric cryptography). AES256 is currently quantum resistant, and will remain so until quantum computers become at least an order-of-magnitude more powerful than the current cutting-edge technology in quantum computing.
Question was well answered. Just to add a little from my googling
The table shows how much Quantum computer reduce effective key lengths for a common asymmetric public key cryptography algorithm (RSA) and for a common symmetric cryptography algorithm (AES).
The effective symmetric key length is reduced by a factor of 1/2 (i.e. one half)
The effective asymmetric key length is raised to a factor between (1/2) and (1/3) square root or cube root.
I think I remember hearing someone sayd the reduction in effetive symmetric key length is linear while the reduction in effective asymmetric key length is exponential or logartihmic or some other mathematical sounding thing…
Obviously I do not have understanding of how it works and everything I got to know was from section 2 “Why is Grover’s Algorithm important” which is kinda readable.
While presently there’s no need to change algorithms, keeping an eye on future developments is important in my opinion.
Yes, as shown the 256 bit symmetric AES encryption key length looks like 128 bits of entropy to a quantum computer using Grover’s algorithm. It is a significant reduction, just nowhere as much as the asymmetric RSA where the 15,360 bit key would look like a measly 31 bits of entropy to a quantum computer using Shor’s algorithm. So the asymmetric encryption used in things like like logging into the server will be in jeopardy earlier, and the symmetric encryption used directly on the vault will be safe a lot longer. But if you think today’s vault might still be sensitive in a few decades, then don’t leave your encrypted backups laying around in public anywhere (not that anyone does that anwyay)
