Quantum Computing & Cryptanalysis

How Quantum Algorithms Threaten Classical Cryptosystems

Shor's Algorithm and Public-Key Cryptography

RSA's security rests on the computational intractability of factoring the product of two large primes. The best known classical algorithm — the General Number Field Sieve — runs in sub-exponential time L_n[⅓, 1.923], making RSA-2048 infeasible to break with any foreseeable classical hardware. Shor's algorithm (1994) exploits quantum parallelism and the Quantum Fourier Transform to solve the period-finding problem in O((log N)³) time, reducing integer factorisation from sub-exponential to polynomial complexity.

The same algorithmic framework breaks the discrete logarithm problem (DLP), which underpins Diffie-Hellman key exchange and all elliptic curve cryptography (ECC). Since both factoring and DLP are instances of the Hidden Subgroup Problem over abelian groups, Shor's algorithm dispatches them with equal efficiency. A sufficiently large, fault-tolerant quantum computer would render RSA, DSA, ECDSA, ECDH, and EdDSA simultaneously and completely insecure.

Resource estimates: Early analyses estimated millions of physical qubits to break RSA-2048. A March 2025 paper by Bluvstein et al. demonstrated that advances in high-rate quantum error-correcting codes reduce this to as few as ~13,000 reconfigurable atomic qubits, with a runtime of days to weeks for RSA-2048 and potentially just days for ECC P-256 with ~12,000 qubits.

Grover's Algorithm and Symmetric Cryptography

Grover's algorithm (1996) provides a quadratic speedup for unstructured search: finding a marked item among N candidates in O(√N) queries instead of O(N). Applied to cryptographic key search, it effectively halves the security level of any symmetric cipher or hash function.

Practical impact: AES-128 drops to ~64-bit effective security — well within reach of a quantum adversary. AES-256 retains ~128 bits of effective security, which remains computationally infeasible. SHA-256 retains ~128-bit preimage resistance. The mitigation is straightforward: double key and hash lengths. No symmetric primitive is fundamentally broken.

Theoretical ceiling: Bennett, Bernstein, Brassard, and Vazirani proved that Grover's quadratic speedup is optimal — no quantum algorithm can do better for unstructured search. This means symmetric cryptography faces a bounded, well-characterised quantum threat, unlike the existential threat to asymmetric systems.

Shor's Algorithm — Conceptual Pipeline

From Factoring to Period Finding

Step 1 — Classical reduction: Factoring N is reduced to finding the period r of the function f(x) = a^x mod N for a randomly chosen a coprime to N. If r is even and a^r/2 ≢ −1 (mod N), then gcd(a^r/2 ± 1, N) yields non-trivial factors.

Step 2 — Quantum period finding: Prepare a superposition over all x in {0, …, 2²ⁿ−1}, compute f(x) into an ancilla register, then apply the Quantum Fourier Transform (QFT) to the input register. Measurement yields a value close to a multiple of 2²ⁿ/r, from which r is extracted via the continued fractions algorithm.

Step 3 — Classical post-processing: Given r, compute gcd(a^r/2 ± 1, N) classically. If the result is trivial, repeat with a different random a. The probability of success per iteration is at least 1 − 1/2^k−1 where k is the number of distinct prime factors of N — typically succeeding in one or two attempts.

Key insight: The quantum advantage comes entirely from Step 2. Classically, period finding for f(x) = a^x mod N requires evaluating an exponential number of values. The QFT extracts the period from a quantum superposition of all function values simultaneously — this is the exponential speedup.

Cryptographic Vulnerabilities Exposed by Quantum Computation

Cryptosystem	Hard Problem	Quantum Attack	Complexity	Status
RSA	Integer factorisation	Shor's → period finding via QFT	O((log N)³)	✗ Broken
Diffie-Hellman	Discrete logarithm (DLP)	Shor's → DLP variant	O((log p)³)	✗ Broken
ECDSA / ECDH / EdDSA	Elliptic curve DLP	Shor's → ECDLP variant	O((log n)³)	✗ Broken
DSA	Discrete logarithm	Shor's → DLP variant	O((log p)³)	✗ Broken
AES-128	Key search (brute force)	Grover's → √N speedup	O(2⁶⁴)	⚠ Weakened
AES-256	Key search (brute force)	Grover's → √N speedup	O(2¹²⁸)	✓ Adequate
SHA-256	Preimage resistance	Grover's → √N speedup	O(2¹²⁸)	✓ Adequate
SHA-3-256	Preimage resistance	Grover's → √N speedup	O(2¹²⁸)	✓ Adequate

The Quantum Fourier Transform

Quantum Fourier Transform circuit — Hadamard and controlled-rotation gates acting on n qubits

A QFT circuit on n qubits applies Hadamard gates and progressively finer controlled-phase rotations (R_k = diag(1, e^2πi/2ᵏ)) to each qubit, followed by a swap reversal of qubit order. This maps computational basis states to their Fourier-dual representation, enabling efficient extraction of periodicities — the core mechanism behind Shor's exponential speedup over classical factoring. Source: Wikipedia — "Quantum Fourier transform"

Classical vs Quantum Approaches to Cryptanalysis

Aspect	Classical Cryptanalysis	Quantum Cryptanalysis
Factoring (RSA-2048)	GNFS — sub-exponential; estimated 10²⁴+ operations; infeasible	Shor's — O(n³) gate complexity; feasible with ~13k–1M physical qubits
Discrete log (DH-2048)	Index calculus — sub-exponential; comparable to factoring	Shor's DLP variant — polynomial time; same qubit requirements
ECDLP (P-256)	Pollard's rho — O(2¹²⁸); infeasible	Shor's ECDLP variant — polynomial; ~12k atomic qubits, days
AES-128 key search	Brute force — O(2¹²⁸); infeasible	Grover's — O(2⁶⁴); potentially feasible but hardware-intensive
SHA-256 preimage	Brute force — O(2²⁵⁶); infeasible	Grover's — O(2¹²⁸); infeasible (adequate security margin)
Nature of speedup	Algebraic/structural exploitation (e.g., lattice sieving, index calculus)	Shor's: exponential; Grover's: quadratic (provably optimal)
Hardware requirement	Classical CPUs/GPUs/ASICs; mature fabrication	Fault-tolerant quantum processor; error correction overhead
Current feasibility	Fully operational at all relevant scales	Largest Shor's factorisation to date: 21 (2012); cryptographic scale years away

Quantum Cryptanalytic Techniques

🔑

Shor's Algorithm

Factors integers and computes discrete logarithms in polynomial time by reducing both problems to quantum period finding via the QFT. Completely breaks RSA, DSA, DH, and all standard elliptic curve schemes. Published by Peter Shor in 1994; demonstrated on 15 (IBM, 2001) and 21 (photonic, 2012).

🔍

Grover's Algorithm

Provides optimal O(√N) quantum search for unstructured problems. Halves effective key length of symmetric ciphers and hash functions. Provably optimal — no quantum algorithm can search faster. Mitigation: double key sizes (AES-256, SHA-512).

📐

Hidden Subgroup Problem

The mathematical generalisation underlying Shor's algorithm. Efficient quantum solutions exist for HSP over abelian groups (covering factoring and DLP). HSP over non-abelian groups — relevant to lattice and graph isomorphism problems — remains open, which is one reason lattice-based PQC is considered quantum-resistant.

⚡

Emerging Approaches

The JVG algorithm (2026) claims to offload more computation classically, potentially requiring only ~5,000 qubits to break RSA-2048. Quantum walks, variational quantum eigensolvers, and hybrid classical-quantum methods are active areas of cryptanalytic research — the threat surface continues to expand.

Qubit Estimates for Cryptographically Relevant Attacks

How Close Is the Threat?

The practical timeline for quantum cryptanalysis depends on three factors: qubit count, error rates, and gate speeds. As error correction improves, the physical qubit requirements drop rapidly — five orders of magnitude over two decades of research.

RSA-2048

~13,000 atomic qubits

Days to weeks runtime (Bluvstein et al., 2025); down from ~1M qubits with surface codes

ECC P-256

~12,000 atomic qubits

Potentially days with 26,000 qubits; smaller key → lower quantum complexity than RSA

AES-128 (GROVER)

2⁶⁴ quantum operations

Theoretically feasible but requires serial depth; NIST MAXDEPTH constraints limit parallelism

AES-256 (GROVER)

2¹²⁸ quantum operations

Remains computationally infeasible even for quantum adversaries — adequate security margin

Exponential vs Quadratic: The critical distinction in quantum cryptanalysis. Shor's algorithm provides an exponential speedup — it doesn't just make attacks faster, it makes previously impossible attacks trivially easy. Grover's algorithm provides a quadratic speedup — it makes attacks faster but not categorically different. This is why asymmetric cryptography must be replaced entirely, while symmetric cryptography need only increase key sizes.

Quantum Cryptanalysis Timeline

Year	Milestone	Significance
1994	Shor's algorithm published	Polynomial-time factoring and DLP on quantum computer — theoretical end of RSA/ECC
1996	Grover's algorithm published	Optimal quadratic speedup for unstructured search — symmetric keys effectively halved
2001	IBM factors 15 with 7-qubit NMR	First physical demonstration of Shor's algorithm; proof of concept only
2012	21 factored with photonic qubits	Largest integer factored by Shor's; still far from cryptographic relevance
2019	Google achieves quantum supremacy	53-qubit Sycamore; random circuit sampling — not cryptanalytic but hardware milestone
2024	NIST publishes PQC standards	FIPS 203/204/205 — migration from quantum-vulnerable algorithms begins formally
2025	~10k qubit estimate for Shor's	Bluvstein et al. show cryptographic-scale Shor's possible with ~13k reconfigurable atomic qubits
2026	Google Quantum AI: ECDLP-256 in <500k physical qubits	~20× reduction in physical qubits for breaking ECC; responsible disclosure via zero-knowledge proof; 2029 PQC migration timeline announced

Quantum Computing &Cryptanalysis

Shor's Algorithm and Public-Key Cryptography

Grover's Algorithm and Symmetric Cryptography

From Factoring to Period Finding

Shor's Algorithm

Grover's Algorithm

Hidden Subgroup Problem

Emerging Approaches

How Close Is the Threat?

Quantum Computing &
Cryptanalysis