988 points keyboardJones | 3 comments
1. withinrafael ◴[] No.45171636[source]
Do backups get pruned over time? Is there an expiration? I don't think folks want old lost-key backups sitting around forever for quantum to catch up, right?
replies(1): >>45171709 #
2. blintz ◴[] No.45171709[source]
It’s symmetric keys, so quantum doesn’t matter.
replies(1): >>45173937 #
3. FergusArgyll ◴[] No.45173937[source]
<pedantry>

"On the other hand, symmetric algorithms such as AES are believed to be immune to Shor. In most cases, the best-known quantum key recovery attack uses Grover’s algorithm which provides a generic square-root speed-up over classical exhaustion in terms of the number of queries to the symmetric algorithm. In other words, Grover would recover the 256-bit key for AES-256 with around 2^128 quantum queries to AES compared to around 2^256 classical queries for exhaustion."

- https://csrc.nist.gov/csrc/media/Events/2024/fifth-pqc-stand...

</pedantry>

The paper itself concludes "the practical security impact of Grover with existing techniques on plausible near-term quantum hardware is limited."