Advanced Algorithms

Advanced Quantum Algorithms
for Cryptography

Beyond Shor's and Grover's, a landscape of quantum algorithms with direct cryptographic relevance continues to emerge. Simon's algorithm undermines symmetric block ciphers. The Hidden Subgroup Problem unifies most known quantum speedups. The HHL linear systems algorithm threatens certain cryptanalytic barriers. And 2024's contested LWE algorithm illustrates how close — and how precarious — the boundary between cryptographic safety and quantum attack can be.

Hidden Subgroup Problem Simon's Algorithm Quantum Walks HHL Algorithm Symmetric Cryptanalysis Emerging LWE Attacks

The Hidden Subgroup Problem: A Unifying Framework

HOW ADVANCED QUANTUM ALGORITHMS RELATE Hidden Subgroup Problem (HSP) Unifying algebraic framework for quantum speedups Abelian HSP — SOLVED QFT gives efficient polynomial-time algorithm Non-Abelian HSP — OPEN No general efficient quantum algorithm known Shor's Algorithm Exponential speedup Breaks RSA · ECC · DH ↳ Abelian HSP instance Simon's Algorithm Exponential speedup (Q2 model) Threatens FX / Even-Mansour ↳ Directly inspired Shor's B–V / Deutsch–Jozsa Earlier abelian instances Conceptual precursors Limited direct crypto impact Dihedral HSP (open) ↔ Shortest Vector Problem If solved → Kyber & Dilithium fall Kuperberg sieve: subexp. only Symmetric HSP (open) ↔ Graph Isomorphism Code-based PQC connections No efficient algorithm known RELATED BUT STRUCTURALLY INDEPENDENT OF HSP Quantum Walks / BHT Polynomial speedup · collision: O(N^1/3) Narrows hash margins; PQC standards intact Mitigated by SHA-3-384 / SHA-512 HHL Algorithm Exponential speedup — conditional on qRAM Subroutine for Simon & ML — not a direct attack Caveats eliminate advantage for most crypto targets
The Hidden Subgroup Problem is the algebraic root from which most major quantum speedups grow. The abelian case is fully solved via the Quantum Fourier Transform — explaining why RSA, ECC, and DH are broken. The non-abelian case remains open: solving the dihedral variant would simultaneously break all lattice-based NIST standards. Quantum walks and HHL sit outside the HSP tree but carry independent cryptographic implications.

What Is the HSP?

The Hidden Subgroup Problem (HSP) is one of the most structurally important problems in quantum computing. Given a group G and a function f : G → S that is constant on each coset of some hidden subgroup H ≤ G and distinct on different cosets, the task is to identify H. Most major quantum speedups can be expressed as instances of this problem.

Abelian HSP — the solved case: For finite abelian groups, Kitaev's algorithm (a generalisation of Shor's approach) solves the HSP efficiently in polynomial time using the Quantum Fourier Transform. Integer factorisation, the discrete logarithm problem, and Simon's period-finding problem are all abelian HSP instances. This is precisely why RSA, Diffie-Hellman, and ECC fall to quantum computers.

Non-abelian HSP — the open frontier: No general efficient quantum algorithm exists for non-abelian groups. Two major open problems reduce to non-abelian HSP instances: graph isomorphism (via the symmetric group Sn) and the Shortest Vector Problem on lattices (via the dihedral group Dn). If an efficient quantum algorithm for the dihedral HSP were found, it would break lattice-based post-quantum cryptosystems including Kyber and Dilithium — currently considered the most likely replacements for RSA.

Why the HSP Boundary Defines Post-Quantum Security

The NIST PQC standardisation process implicitly rests on the belief that the non-abelian HSP is hard for quantum computers. Lattice problems (LWE, SVP, CVP) are reducible to dihedral HSP instances; code-based problems connect to HSP over certain symmetric groups; isogeny-based constructions (before SIKE's classical break) involved related algebraic structures.

Crucially, no structure analogous to the periodicity that the QFT exploits in abelian groups has been found for dihedral or symmetric groups. Researchers have explored Fourier sampling and black-box approaches, but quantum algorithms for these groups remain either subexponential or exponential in time — insufficient to break deployed systems. The dihedral HSP sits at the exact fault line between quantum-broken and quantum-safe cryptography.

Quantum Speedup — Where Each Algorithm Falls

QUANTUM SPEEDUP SPECTRUM — CRYPTOGRAPHIC IMPACT EXPONENTIAL SUBEXPONENTIAL POLYNOMIAL / CUBIC-ROOT QUADRATIC Shor's Algorithm Poly-time factoring & DLP Breaks RSA · ECC · DH Abelian HSP — fully solved ⚠ Existential threat Simon's Algorithm Exponential (Q2 model) Breaks FX / Even-Mansour Model-dependent threat ⚠ Q2 access required Dihedral HSP Kuperberg: 2^O(√log N) Subexp. — not fast enough → Kyber/Dilithium if solved ⚠ Critical open problem HHL Algorithm Exp. — conditional on qRAM Caveats erase advantage Dense inputs → no gain ~ Theoretical for now Quantum Walks / BHT Collision: O(N^1/3) Narrows hash margins SHA-3-384 / SHA-512 fix ~ Manageable Grover's Algorithm √N — quadratic speedup Halves symmetric key security AES-256 / SHA-512 sufficient ✓ Well-understood ← DEMANDS ALGORITHM REPLACEMENT PARAMETER ADJUSTMENT SUFFICIENT →
Algorithms mapped onto a speedup spectrum from exponential (left) to quadratic (right). Position determines urgency of response: algorithms on the left demand primitive replacement; those on the right can be addressed by increasing key or hash sizes. HHL's dashed border signals conditional placement — its speedup only holds under strict constraints rarely met in cryptanalytic practice.

Simon's Algorithm — Exponential Speedup Against Symmetric Ciphers

Period Finding Without the QFT

Simon's algorithm (1994) predates Shor's and inspired it directly. Given a function f : {0,1}n → {0,1}n with a hidden period s (so f(x) = f(x ⊕ s) for all x), the algorithm recovers s with O(n) quantum queries — an exponential improvement over the Ω(2n/2) queries any classical algorithm requires.

Cryptographic impact: Simon's algorithm can break Even-Mansour and FX-construction schemes — the structural foundations underlying several real-world block cipher modes — in the quantum superposition query model (Q2 model). Researchers have shown that the “Grover Meets Simon” algorithm combines both techniques to attack FX constructions with whitened keys, and the subsequent Alg-PolyQ2 algorithm further reduces query complexity.

A subtlety: The Q2 model assumes the adversary can query the cipher in quantum superposition — a physically demanding requirement. In the more conservative Q1 model (classical queries, quantum post-processing), Simon's attacks do not apply. Whether Q2-model attacks are physically realistic against deployed ciphers is an active research and standards debate. NIST's symmetric algorithm selections do account for quantum access considerations.

Algorithm Comparison — Cryptographic Impact

Algorithm Problem Solved Speedup Cryptographic Target Threat Level
Shor's Integer factorisation, DLP (abelian HSP) Exponential RSA, ECC, DH ✗ Existential
Grover's Unstructured search Quadratic AES, SHA (symmetric) ⚠ Manageable
Simon's Hidden period (boolean functions) Exponential FX-construction, Even-Mansour (Q2 model only) ⚠ Model-Dependent
Quantum Walk / BHT Marked element in structured graph Cubic-root (collisions) Hash collision resistance ~ Limited
HHL Linear systems Ax = b Exponential (conditional) Linear algebra cryptanalysis — heavily constrained ~ Theoretical
Dihedral HSP (open) SVP / CVP on lattices Unknown — subexponential if solved Kyber, Dilithium, all LWE-based PQC ✗ Critical if solved

Quantum Walks — Polynomial Advantages in Cryptanalysis

From Random Walks to Quantum Coherence

A quantum walk is the quantum analogue of a classical random walk: rather than a walker moving probabilistically through a graph, the walker exists in a superposition of positions, with probability amplitudes evolving coherently. This interference structure produces faster mixing and hitting times than any classical random walk, yielding polynomial-to-quadratic speedups for search problems over structured spaces.

Collision finding: The BHT algorithm (Brassard, Høyer, Tapp) uses quantum walks to find collisions in a hash function in O(N1/3) time — a cubic-root speedup over the classical birthday bound of O(N1/2). For a 256-bit hash, this reduces effective collision resistance from 2128 classical to approximately 285 quantum queries. This is why NIST recommends SHA-3-384 or SHA-512 for long-term quantum security rather than SHA-256.

Claw finding and discrete log: Quantum walk algorithms also speed up claw-finding problems — instances of the form “find x, y such that f(x) = g(y)” — relevant to attacks on signature schemes. Combined with Grover's oracle construction, quantum walks allow more efficient search over certain structured cryptographic spaces than Grover's alone.

Current limits: Quantum walk speedups are polynomial, not exponential. They narrow security margins but do not break primitives outright. No quantum walk algorithm is known to threaten LWE-based or hash-based post-quantum standards.

The HHL Algorithm — Exponential Speedup with Caveats

Harrow–Hassidim–Lloyd (2009)

The HHL algorithm solves a system of N linear equations Ax = b in poly(log N, κ) time — an exponential speedup over classical methods that require O(N√κ) time, where κ is the condition number of A. The speedup appears dramatic: a trillion-variable system, classically requiring days, could in principle be approached in seconds.

Cryptanalytic relevance: Many attacks on symmetric ciphers involve solving large systems of linear equations over finite fields. Algebraic cryptanalysis (XL algorithm, Gröbner basis methods) generates such systems from cipher structure; if HHL could accelerate these, it would pose a genuine threat to AES and similar constructions. Simon's algorithm also uses quantum linear algebra as a subroutine.

The fine print — why HHL is not yet a cryptographic weapon: HHL's exponential speedup applies only to the quantum output — it returns a quantum state encoding x, not the classical vector x itself. Reading out all N components classically costs O(N) measurements, eliminating the speedup. The matrix A must be sparse and well-conditioned (small κ). Loading classical input data requires quantum RAM (qRAM), which remains a major unresolved hardware challenge. For cryptanalysis, the matrices arising from cipher structure are often dense and poorly conditioned — exactly the cases HHL handles poorly.

Case Study: The 2024 Chen LWE Algorithm — Science in Real Time

CHEN LWE ALGORITHM — APRIL 2024: TEN DAYS THAT TESTED PQC Apr 10 — Paper posted IACR ePrint 2024/555 Claims poly-time LWE solution Days 1–5 — Open review Aaronson blog · NIST forum Global expert scrutiny begins ! Apr 19 — Fatal bug confirmed Wu & Vidick: circular dependency in Step 9 Chen acknowledges — claim withdrawn Outcome — PQC standards safe Kyber & Dilithium unaffected Peer review validated in real-time 10-day open review cycle Sep 2025: Zhang “fix” also challenged
The April 2024 Chen LWE episode compressed months of peer review into ten days of open public scrutiny — and found a fatal flaw before any damage was done. It is the most instructive recent example of how the research community stress-tests the assumptions that post-quantum security rests on. A September 2025 claimed fix by Yifan Zhang was similarly challenged and remains unresolved.

What Chen's Algorithm Attempted and Why It Mattered

On April 10, 2024 — the opening day of the 5th NIST PQC Standardisation Conference — Yilei Chen (Tsinghua University) posted a preprint claiming a polynomial-time quantum algorithm for the Learning with Errors (LWE) problem with certain modulus-to-noise parameters. Using two novel techniques — complex Gaussian functions with imaginary variance in quantum algorithm design, and a windowed Quantum Fourier Transform with complex Gaussian windows — the algorithm claimed to solve GapSVP and SIVP within polynomial approximation factors. No polynomial-time quantum algorithm had previously been known for these problems.

The stakes: A valid polynomial-time quantum algorithm for LWE would have placed Kyber (FIPS 203) and Dilithium (FIPS 204) in a precarious position, potentially vulnerable to a modest further improvement in approximation factor. It would have undermined the foundations on which the entire PQC migration is being built.

The bug: Within ten days, Hongxun Wu and independently Thomas Vidick identified a fundamental error in Step 9 — an operation that assumed knowledge of the value (b*) the algorithm was trying to compute, introducing a circular dependency. Chen acknowledged: “Step 9 of the algorithm contains a bug, which I don't know how to fix.” The claim was withdrawn.

What the Chen episode demonstrates: The LWE case shows (1) how close the research frontier is to cryptographically significant results, (2) how rapidly open peer review can function when stakes are clear, and (3) that post-quantum standards depend on assumptions that are actively being probed — not proven impregnable. Emerging algorithm claims must be evaluated critically and tracked through to formal peer review before informing policy.

Critically Assessing Emerging Quantum Algorithm Claims

🔬

Query vs. Time Complexity

Distinguish oracle query complexity from time complexity. An algorithm can be optimal in queries yet exponential in circuit depth. Simon's algorithm is query-exponentially faster; its time cost depends on the oracle. Speedups often erode when full circuit costs are counted.

📐

Model Assumptions

Identify the query model: Q1 (classical queries) vs Q2 (quantum superposition queries). Simon-type attacks require Q2 access — the adversary must run the cipher on a quantum computer in superposition, a much stronger and physically demanding assumption than standard eavesdropping.

📉

Input/Output Bottlenecks

HHL-type exponential speedups often vanish when the cost of loading classical data (qRAM) and reading out quantum results (O(N) measurements) are included. Verify whether the exponential advantage survives the full end-to-end pipeline — not just the quantum subroutine in isolation.

🧾

Peer Review Status

Preprints on arXiv and IACR ePrint are unreviewed. The Chen LWE algorithm was posted, generated alarm, and had its fatal flaw identified within ten days — all before formal review. Track independent verification by multiple experts before treating any claim as settled.

Resources & Further Reading

Resources

Further Reading

The Dihedral HSP — Why It Matters

The shortest vector problem on lattices — the foundation of Kyber and Dilithium — reduces to HSP over the dihedral group Dn. Kuperberg's sieve achieves subexponential 2O(√log N) time — better than classical, but still too slow to threaten deployed systems. A polynomial-time dihedral HSP algorithm would simultaneously break every lattice-based NIST standard. Monitoring its progress is the single most important research signal for long-term PQC security.

HHL Limitations

Requires: sparse, well-conditioned matrix A; efficient qRAM; quantum output only. Loses speedup when: A is dense, κ is large, or full classical output is needed. Verdict: useful subroutine; not a direct attack on deployed systems under realistic constraints.