Quantum Computing, LUKS Cryptography, and Qubes

Is LUKS encryption cryptography for Qubes able to withstand quantum computing?

If a journalist in a repressive country (with access to quantum computers) uses Qubes with a 50 character length complex randomized full disk encrypted LUKS password, and the journalist’s computer was seized, could a quantum computer be used to break LUKS encryption quickly?

(I know the benefits of amnesiac OSes and benefits of Qubes and am not asking for information comparing them.)

If you take “Qubes” out of your question, you can ask this in a more appropriate channel, like the LUKS tracker, since this has nothing to do (specifically) with Qubes OS, and you probably don’t want to receive uninformed answers or best guesses.


Short answer: Yes, in theory. It’s mainly asymmetric encryption that’s at risk to quantum computing (due to Shor’s algorithm). By contrast, the biggest potential impact of quantum computing on a symmetric cipher like AES would be to halve the time it takes to brute a given key length (due to Grover’s algorithm), e.g., being able to brute force AES-256 in half the time, or the time it would take to brute force AES-128 with classical computers. However, with a sufficiently strong key, even brute forcing AES-128 with classical computers (or AES-256 with quantum computers) would take thousands or millions of years under ideal conditions (e.g., devoting every computer on earth to the task, then building more computers in space and on other planets and moons, and building Dyson spheres to power it all). Therefore, at least AES-256 (which we use in LUKS for Qubes) is quantum-resistant, and perhaps some shorter key lengths might be too. In this case (and in most cases), the weak link in cryptography lies in the implementation, not the math. Of course, if there turns out to be a fatal zero-day vulnerability in LUKS, then even though AES itself is theoretically quantum-resistant, the specific version of LUKS containing the vulnerability may not even be able to withstand classical computers, hence why the answer is, “Yes, in theory.”


Wouldn’t it reduce the time by a factor of 2^128, if it’s the same time as 128-bit, and half the time of a 256-bit key would be the same as a 255-bit key?

1 Like

IANAC, but according to these, no: