The core result: a quantum computer running Grover's algorithm - the leading quantum attack on symmetric keys - would still need roughly 2^128 sequential iterations, each evaluating AES-256 inside a quantum circuit, to recover an AES-256 key. Classical brute force would require about 2^256 trial decryptions. That is a real reduction, but 2^128 remains an astronomically large number.
More importantly, the researchers show that actually running such an attack on real quantum hardware would require enormous resources - far beyond anything plausible in the near future. This leads to their conclusion that Grover's algorithm poses a limited practical threat to AES on near-term quantum hardware, and that post-quantum security efforts should focus first on public-key encryption instead.
For Linux users relying on full-disk encryption through LUKS, these findings clarify why AES-256 remains a sound choice - and why the passphrase and how it is processed are often the more important factors.
Quantum Resilience of LUKS Disk Encryption
- Grover's algorithm would cut AES-256 key search from 2^256 to around 2^128 operations - still an enormous number that remains out of reach.
- A 2024 UK NCSC analysis finds the real-world cost of such an attack prohibitive on any plausible near-term quantum hardware, even against the weaker AES-128.
- LUKS2 with AES-256-XTS uses a 512-bit key, but XTS splits it into two independent 256-bit AES keys, so the security level is that of AES-256 (about 128 bits against Grover), not 512 bits; a 256-bit XTS key would mean AES-128, which is worth checking.
- LUKS2 uses memory-hard key derivation (Argon2id by default since cryptsetup 2.4), so a weak passphrase is a more realistic weakness than the cipher itself.
- The gap between what quantum computers can do in theory and what they can sustain in practice - due to qubit limits, error correction, and computation time - makes Grover-based attacks on LUKS impractical.
- Post-quantum migration efforts are therefore focused on public-key protocols; symmetric encryption with 256-bit keys remains a conservative, defensible choice for long-lived data.
The Quantum Computing Threat to Cryptography
Quantum computers threaten different types of encryption in very different ways - and that distinction matters a lot for how urgently action is warranted.
Shor's algorithm can break the mathematics behind most public-key encryption (like RSA and elliptic-curve cryptography) efficiently once a large enough quantum computer exists. This is the threat that has the security community moving quickly to develop replacements.
Grover's algorithm is the main quantum threat to symmetric encryption like AES. Rather than breaking the algorithm outright, it speeds up brute-force key searches - but only by taking a square root of the work required. So AES-256 effectively behaves like a 128-bit key against a quantum attacker rather than a 256-bit one. That's a meaningful reduction, but 128 bits of security is still considered very strong.
This square-root speedup applies uniformly to any brute-force search, including guessing passphrases - which is why overall system design matters as much as key length.
LUKS and dm-crypt: Defaults That Matter
Linux Unified Key Setup (LUKS) is the standard format for encrypted disks on Linux. It handles the encryption metadata and key management, while the actual encryption is performed by the kernel's dm-crypt subsystem. A good overview of how this works in practice is available on the ArchWiki.
By default, the installers of most modern Linux distributions use AES in XTS mode with a 512-bit key. XTS needs two independent AES keys, so that 512-bit key is split into two 256-bit keys and the volume runs at full AES-256 strength. The corollary is worth checking: an aes-xts-plain64 volume created with --key-size 256 is AES-128, not AES-256. cryptsetup luksDump on the device shows the cipher of the data segment and the key size bound to each keyslot.
LUKS2, the default format since cryptsetup 2.1, improves on the older LUKS1 format in several ways (redundant metadata, tokens, optional integrity protection); the one that matters here is how it derives the keyslot key from a passphrase. LUKS1 supports only PBKDF2, whose cost is purely time and which parallelises well on GPUs. LUKS2 adds the Argon2 family of key derivation functions, which deliberately consume memory as well as time, making each passphrase guess expensive on any hardware.
Argon2id is the default (since cryptsetup 2.4; earlier LUKS2 releases defaulted to Argon2i) and can be tuned for the memory, passes and parallelism spent per guess. The parameters are stored in the header alongside each keyslot, so different slots can carry different costs, and administrators can balance security against how long it takes to unlock the disk.
In practice, the security of a LUKS-encrypted disk depends on three things together: the strength of AES-256-XTS, the quality of the passphrase or keyfile, and the cost of the key derivation function. No single one of these carries the whole burden.
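As an added example (not part of the original article, and not cryptsetup's own code), the following Python script checks those three points against the text of cryptsetup luksDump: the header version, the data-segment cipher together with the volume key size of each keyslot, and each keyslot's PBKDF settings. The listing embedded in it is a constructed, abridged sample in luksDump's LUKS2 layout (field names as cryptsetup prints them; the UUID and values are made up), and the policy thresholds are assumptions to adjust to local requirements.

```python
import re

# Policy thresholds: assumptions for this example, tune to local requirements.
MIN_XTS_KEY_BITS = 512              # aes-xts splits the key: 512 bits = AES-256, 256 bits = AES-128
MIN_ARGON2_MEMORY_KIB = 256 * 1024  # luksDump prints Argon2 memory in KiB
ACCEPTED_PBKDF = {"argon2id", "argon2i"}

# Constructed, abridged sample in the layout of `cryptsetup luksDump` for a LUKS2
# header (field names as cryptsetup prints them; UUID and values are made up).
# Keyslot 0 is well configured; keyslot 1 still uses PBKDF2 and should be flagged.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
UUID:           0f0f0f0f-1111-2222-3333-444444444444

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 117000
"""


def parse_luks_dump(text):
    """Extract header version, data-segment ciphers and per-keyslot fields from
    luksDump text. Only the LUKS2 layout is parsed; LUKS1 is recognised by version."""
    version, ciphers, keyslots = None, [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Version:"):
            version = int(line.split(":", 1)[1])
            continue
        if line.endswith(":") and not raw[0].isspace():  # "Data segments:", "Keyslots:", "Digests:"
            section, current = line[:-1], None
            continue
        entry = re.match(r"^(\d+): (\S+)$", line)        # "0: crypt", "0: luks2", "0: pbkdf2"
        if entry:
            current = {"index": int(entry.group(1)), "fields": {}} if section == "Keyslots" else None
            if current is not None:
                keyslots.append(current)
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if section == "Data segments" and key == "cipher":
                ciphers.append(value)
            elif current is not None:
                current["fields"][key] = value
    return version, ciphers, keyslots


def audit_luks_dump(text):
    """Return (severity, message) findings; an empty list means the header passes."""
    version, ciphers, keyslots = parse_luks_dump(text)
    if version != 2:   # LUKS1 keyslot layout is not parsed; the version alone decides
        return [("HIGH", f"LUKS version {version}: LUKS1 supports only PBKDF2; "
                         "convert with 'cryptsetup convert --type luks2'")]
    findings = []
    data_cipher = ciphers[0] if ciphers else ""
    is_xts = data_cipher.startswith("aes-xts-")
    if not is_xts:
        findings.append(("INFO", f"data cipher {data_cipher!r} is not AES-XTS; check its key size by hand"))
    for ks in keyslots:
        f, idx = ks["fields"], ks["index"]
        keybits = int(f.get("Key", "0 bits").split()[0])   # volume key size bound to this slot
        if is_xts and keybits < MIN_XTS_KEY_BITS:
            findings.append(("HIGH", f"keyslot {idx}: {data_cipher} with a {keybits}-bit key "
                                     f"is AES-{keybits // 2}, not AES-256"))
        pbkdf = f.get("PBKDF")
        if pbkdf == "pbkdf2":
            findings.append(("HIGH", f"keyslot {idx}: PBKDF2 ({f.get('Iterations')} iterations) is not "
                                     "memory-hard; re-derive with 'cryptsetup luksConvertKey --pbkdf argon2id'"))
        elif pbkdf in ACCEPTED_PBKDF:
            memory_kib = int(f.get("Memory", "0"))
            if memory_kib < MIN_ARGON2_MEMORY_KIB:
                findings.append(("MEDIUM", f"keyslot {idx}: {pbkdf} memory {memory_kib} KiB is below "
                                           f"the {MIN_ARGON2_MEMORY_KIB} KiB policy minimum"))
        else:
            findings.append(("MEDIUM", f"keyslot {idx}: unrecognised PBKDF {pbkdf!r}"))
    return findings
```

In real use, pass the output of cryptsetup luksDump on the device to audit_luks_dump; on the sample it reports only keyslot 1, the PBKDF2 slot. The parser deliberately treats the Digests section separately from Keyslots, because luksDump lists the header digest as "0: pbkdf2" and a naive scan for that string would flag every LUKS2 header.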
Grover's Algorithm in Hardware Terms
In theory, Grover's algorithm needs roughly 2^(k/2) iterations to find a k-bit key, and those iterations are inherently sequential: each must evaluate the cipher inside a quantum circuit, and spreading the search over p machines saves only a factor of about sqrt(p), not p. Running those steps on a real quantum computer is therefore far harder than the abstract count suggests.
The NCSC researchers modelled the attack concretely: they designed a quantum circuit that implements AES-256 and counted the logical qubits and gate operations required. Just one evaluation of AES-256 inside a Grover step needs around 4,036 logical qubits and a circuit depth of 1,025 steps - already far beyond current quantum hardware.
They then factored in real constraints: how deep a quantum circuit can run before errors accumulate, how fast quantum gates operate, and how many parallel machines would be needed to compensate for depth limits. The results are striking. Depending on the assumptions, a complete Grover attack on AES-256 would take anywhere from years to hundreds of thousands of years on a single machine - and splitting the work across many machines multiplies the total hardware required enormously.
The researchers break the overhead into rough estimates: about 31 bits of extra cost from implementing AES in a quantum circuit; 8 to 32 bits from the need to parallelize; and 6 to 10 bits from error correction. This means even the weaker AES-128 would cost far more than a naive estimate of 2^64 operations - and AES-256 inherits an even larger margin on top of that.
Passphrases and Key Derivation as Practical Weak Points
Grover's algorithm doesn't care whether it's searching encryption keys or human-chosen passwords - it speeds up any brute-force search equally. So a short or common disk passphrase may be a more attractive target for a quantum attacker than the 256-bit volume key buried in the LUKS header.
LUKS2 addresses this with Argon2, which makes every guess pay the memory and time fixed when the keyslot was created - typically hundreds of milliseconds on the defender's own hardware. That cost is paid by anyone trying passphrases, and because it is memory-bound it cannot be cheaply parallelised on GPUs or ASICs. A Grover-style search would have to evaluate the same function inside its oracle, where the cost adds to every iteration rather than shrinking under the square-root speedup.
Administrators can tune these settings with cryptsetup: --iter-time sets the target unlock time in milliseconds, --pbkdf-memory (in KiB) and --pbkdf-parallel bound the memory and thread count the Argon2 benchmark may use, and cryptsetup luksConvertKey applies new PBKDF parameters to an existing keyslot. A common target is an unlock time of around one to two seconds, which keeps the disk usable while making large-scale guessing campaigns prohibitively slow. Note that the benchmark runs on the machine creating the keyslot, so a header formatted on a fast workstation may unlock noticeably slower on a small device.
For the highest security, keyfiles generated from a random source remove human memory from the equation entirely: 64 bytes read from /dev/urandom carry 512 bits of entropy, far beyond what a Grover search could explore given realistic hardware constraints. The keyfile itself then becomes the secret to protect - on removable media, sealed to a TPM, or on a hardware token - since anyone who copies it needs no passphrase at all.
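As an added worked model (not from the article or the NCSC paper), the following Python puts the two points of this section into numbers: Grover halves the bits of a passphrase search but pays the full key-derivation cost on every iteration, so the KDF counts linearly while passphrase entropy counts half. Every cost figure in it is an assumption stated in the comments (the KDF costs in particular are rough stand-ins, not measurements), and the model is optimistic for the attacker, since a reversible memory-hard Argon2 circuit would itself be enormous.

```python
import math

# Assumptions for this worked model (not figures from the NCSC paper):
# - KDF cost is log2 of the work of one passphrase guess relative to one AES
#   evaluation; 30 bits stands in for an Argon2id slot costing about a gigabyte
#   of memory and a second of CPU, 17 bits for PBKDF2 with ~100k iterations.
# - Grover needs ~2^(H/2) iterations over an H-bit passphrase space and must
#   evaluate the KDF inside every iteration, so KDF cost adds linearly in bits
#   while passphrase entropy only counts half.
# - Passphrase words are drawn uniformly from a 7776-word list (~12.9 bits/word).
WORDLIST_SIZE = 7776
AES256_QUANTUM_BITS = 128   # Grover cost of AES-256 key search, as in the article
AES256_CLASSICAL_BITS = 256
ARGON2_COST_BITS = 30
PBKDF2_COST_BITS = 17


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def guess_work_bits(entropy, kdf_cost_bits, quantum=False):
    """log2 of the work to exhaust an `entropy`-bit passphrase space when every
    guess costs 2^kdf_cost_bits, classically or with a Grover search."""
    search = entropy / 2 if quantum else entropy
    return search + kdf_cost_bits


def min_entropy_for(target_bits, kdf_cost_bits, quantum=False):
    """Passphrase entropy needed so guessing costs at least 2^target_bits."""
    search = max(target_bits - kdf_cost_bits, 0)
    return 2 * search if quantum else search


def words_needed(target_bits, kdf_cost_bits, quantum=False, wordlist=WORDLIST_SIZE):
    """Random wordlist words needed to reach the entropy from min_entropy_for."""
    return math.ceil(min_entropy_for(target_bits, kdf_cost_bits, quantum) / math.log2(wordlist))


def weakest_link(entropy, kdf_cost_bits, quantum=False):
    """'passphrase' if guessing it is cheaper than attacking the AES-256 volume
    key directly (2^128 under Grover, 2^256 classically), otherwise 'cipher'."""
    cipher_bits = AES256_QUANTUM_BITS if quantum else AES256_CLASSICAL_BITS
    return "passphrase" if guess_work_bits(entropy, kdf_cost_bits, quantum) < cipher_bits else "cipher"
```

With the assumed 30-bit Argon2id cost, eight random wordlist words already put a classical guessing attack at the 128-bit mark, but sixteen are needed before a Grover attacker would rather attack the AES-256 key than the passphrase; with the assumed PBKDF2 cost it is eighteen. A 64-byte random keyfile (512 bits) makes the cipher the weaker link in either model, which is what the keyfile recommendation above relies on.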
Why Post-Quantum Efforts Focus Elsewhere
The NCSC analysis recommends prioritizing the replacement of public-key algorithms - not symmetric encryption like AES. This reflects a straightforward risk assessment: Shor's algorithm poses a clear threat to RSA and elliptic-curve cryptography as soon as a large enough machine exists, while Grover's algorithm, given real hardware constraints, poses a much more distant threat to AES-256.
In that framing, LUKS disk encryption with AES-256-XTS is a relatively stable component of a security stack - provided implementations use full-length keys, don't weaken parameters for performance, and maintain good passphrase hygiene.
Symmetric standards may still evolve as quantum hardware matures. But the 2024 NCSC estimates put the scale of hardware required for a real Grover attack on AES-256 - thousands of logical qubits, enormous numbers of physical qubits, years of continuous computation - far beyond current or near-future projections.
Conclusion
Based on the available evidence, LUKS disk encryption configured with AES-256-XTS, a LUKS2 header, and a memory-hard key derivation function is reasonably quantum-resistant in practice for the foreseeable future - even if it doesn't meet the formal definition of "post-quantum" that applies to new public-key standards.
For organizations thinking about long-term data protection, the more pressing tasks are: auditing where LUKS-protected volumes are in use, making sure passphrases and keyfiles are high quality, and planning to replace vulnerable public-key protocols. The AES-256-XTS layer underneath can be treated as a strong - though not unconditional - foundation.
Sources
- Sarah D.; Peter C. "On the Practical Cost of Grover for AES Key Recovery." UK National Cyber Security Centre, 2024.
- Arch Linux Community. "dm-crypt/Device encryption." ArchWiki, 2024.
