Part 6: Quantum Attacks and Post-Quantum Cryptography
By the mid-1990s, cryptographers had a working toolkit: RSA, Diffie-Hellman, and elliptic-curve systems for public key cryptography, along with fast symmetric ciphers and secure hash functions. The security of these systems rests on problems that are hard for classical computers. But what happens if computers appear that can solve those problems efficiently?
This is the threat posed by quantum computing. (Note that “quantum cryptography” often refers to quantum key distribution (QKD), which is different. Here we are discussing quantum attacks on today’s classical cryptography.) Quantum devices exploit principles of quantum mechanics, such as superposition and entanglement, to process information in ways that classical machines cannot.
Although today’s quantum computers are small, error-prone, and largely experimental, they pose a potential threat to much of modern public key cryptography.
Why quantum computers could break public key cryptography
Public key cryptosystems like RSA, finite-field Diffie-Hellman, and elliptic-curve cryptography rest on mathematical problems believed intractable for classical computers:
- RSA is based on integer factorization: given a large integer composed of two unknown prime factors, finding those primes is hard classically.
- Discrete logarithm problems (finite field or elliptic curve) are similarly hard: computing \(x\) from \(g^x \bmod p\) (or, on an elliptic curve, from the scalar multiple of a point) is believed infeasible when parameters are large.
In 1994, Peter Shor published a quantum algorithm (Shor’s algorithm) that solves both integer factorization and discrete logarithms in polynomial time. If a large, error-corrected quantum computer becomes available, the public key systems built on these problems would be broken.
Grover’s algorithm, also discovered in the 1990s, speeds up unstructured search (such as brute-forcing a key or inverting a hash function). Its effect is more modest: it reduces the work to roughly the square root of the classical cost. Symmetric key sizes must therefore be increased to compensate, but symmetric algorithms remain usable.
Why symmetric algorithms remain strong
Suppose an attacker wants to brute-force an AES key.
- On a classical computer, a 128-bit key means trying \(2^{128}\) possibilities, which is infeasible.
- With Grover’s algorithm on a quantum computer, the search space shrinks to roughly \(\sqrt{2^{128}} = 2^{64}\).
That is still a huge number: about 18 quintillion possibilities. With today’s or foreseeable hardware, \(2^{64}\) quantum operations are out of reach. To be cautious, we use AES-256 instead of AES-128. Grover’s algorithm would reduce its effective strength from \(2^{256}\) to \(2^{128}\), which is still far beyond anything practical.
Quantum computers may force us to double symmetric key lengths, but they do not make symmetric ciphers obsolete.
What quantum hardware can do today, and uncertainty ahead
Quantum computing has made real progress, but practical quantum machines able to break RSA-2048 or large ECC keys do not yet exist, and do not appear to be close. The engineering challenges include error rates, coherence time, qubit scaling, and fault tolerance.
In the United States, companies such as IBM, Google, Quantinuum, IonQ, and Rigetti, along with the national laboratories, have built quantum processors with hundreds to just over a thousand qubits. For example, IBM’s “Condor” machine reached 1,121 physical qubits by 2024. Google’s earlier achievement in 2019 was the demonstration of “quantum supremacy” with 53 qubits on specialized tasks (not on factoring or discrete logarithms).
China’s USTC has developed photonic quantum devices (Jiuzhang), as well as superconducting devices like Zuchongzhi, demonstrating advances in scale and device physics.
But there is significant uncertainty:
- It is not known whether someone already has, in secret, a large fault-tolerant quantum machine. If they did, they could quietly record encrypted traffic and decrypt it later once keys are compromised.
- Building quantum computers with error correction and enough logical qubits is widely regarded as very difficult. Estimates for breaking RSA-2048 with Shor’s algorithm require hundreds of thousands to a few million physical qubits, with extremely high fidelity and long coherence times, none of which is close to practical today.
How cryptography is responding: Post-Quantum Cryptography
Because Shor’s algorithm threatens key systems we rely on now, the cryptographic community has been working toward algorithms that resist quantum attacks. These are called post-quantum cryptographic (PQC) schemes.
PQC aims to replace vulnerable public key algorithms with ones based on hard problems that are believed to be quantum-resistant. These include:
- Lattice-based schemes, such as CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for signatures. These rely on hard problems in very high-dimensional lattices.
- Hash-based signatures, such as SPHINCS+, which rely only on hash functions and trees of hashes. They are simpler in concept, though their signature sizes are large.
- Code-based schemes, such as HQC, which rely on error-correcting codes. Decoding is hard without knowledge of the hidden structure.
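To make the hash-based idea concrete, here is a minimal Lamport one-time signature in Go. It is an added teaching example, not code from the article and not the SPHINCS+ construction itself (SPHINCS+ layers Merkle trees and a few-time scheme on top of this idea); the type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
)

// Lamport one-time signature over SHA-256, the simplest hash-based scheme. Its
// security rests only on SHA-256 being one-way: Shor's algorithm does not apply
// and Grover's at most halves the bit strength. The cost is size: 8192 bytes.
const n = 256 // digest bits; each bit gets a pair of secrets (one per bit value)
type lamportKey struct {
	priv [2 * n][32]byte // priv[2*i+b] is revealed when digest bit i equals b
	pub  [2 * n][32]byte // pub[j] = SHA-256(priv[j]); this is the public key
}

func generateKey() (*lamportKey, error) {
	k := &lamportKey{}
	for j := range k.priv {
		if _, err := rand.Read(k.priv[j][:]); err != nil {
			return nil, err
		}
		k.pub[j] = sha256.Sum256(k.priv[j][:])
	}
	return k, nil
}

// bit returns bit i (most significant first) of a 32-byte digest.
func bit(d [32]byte, i int) int { return int(d[i/8]>>(7-uint(i%8))) & 1 }

// sign reveals one preimage per digest bit. A key must sign ONE message only:
// a second message exposes both preimages at some positions, enabling forgeries.
func sign(k *lamportKey, msg []byte) [n][32]byte {
	d := sha256.Sum256(msg)
	var sig [n][32]byte
	for i := 0; i < n; i++ {
		sig[i] = k.priv[2*i+bit(d, i)]
	}
	return sig
}

// verify re-hashes each revealed preimage against the public-key entry chosen
// by the corresponding digest bit of msg.
func verify(pub [2 * n][32]byte, msg []byte, sig [n][32]byte) bool {
	d := sha256.Sum256(msg)
	for i := 0; i < n; i++ {
		if sha256.Sum256(sig[i][:]) != pub[2*i+bit(d, i)] {
			return false
		}
	}
	return true
}
```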
In August 2024, NIST finalized its first suite of post-quantum standards:
- ML-KEM (FIPS 203), based on CRYSTALS-Kyber, for key encapsulation (key exchange).
- ML-DSA (FIPS 204), based on CRYSTALS-Dilithium, for digital signatures.
- SLH-DSA (FIPS 205), based on SPHINCS+, as a conservative backup signature algorithm.
In March 2025, NIST also selected HQC as an additional code-based KEM (key encapsulation mechanism) to broaden the diversity of schemes. A compact signature algorithm, FALCON, is progressing as a draft standard under the name FN-DSA, to be finalized later.
What students and engineers should understand now
Even though quantum computers capable of breaking today's public key systems are not confirmed to exist, the threat is real enough that migrating to quantum-resistant algorithms must begin.
- When designing systems today, pick public key libraries and protocols that allow replacing RSA/ECC with PQC schemes without breaking the rest of the architecture.
- Maintain strong symmetric parameters: for example, AES-256, SHA-256/384. These remain safe against quantum search threats (Grover’s algorithm), provided the key length is sufficient.
- For systems with long-lived data (for example, archived encrypted data), assume adversaries may record traffic now and decrypt it later once keys are compromised. To the extent possible, employ PQC early.
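One way to act on the first and last points now is a hybrid key exchange that stays secure unless both components fail. The following is an added Go example, not the article's code: it combines X25519 with ML-KEM-768 (FIPS 203) using the Go 1.24 standard library's crypto/mlkem package; the SHA-256 combiner, its label string and the function names are this example's own choices.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"slices"
)
// Hybrid X25519 + ML-KEM-768 (FIPS 203) key agreement, Go 1.24+ stdlib only.
// The session key depends on BOTH shared secrets and both ciphertexts, so an
// attacker must break the classical and the post-quantum part together.
// All inputs are fixed-length, so plain concatenation is unambiguous; a real
// protocol would use HKDF with a protocol-specific label instead.
func combine(ssECDH, ssKEM, ctECDH, ctKEM []byte) [32]byte {
	return sha256.Sum256(slices.Concat([]byte("hybrid-example-v1"), ssECDH, ssKEM, ctECDH, ctKEM))
}

// encapsulate (sender): returns the session key plus the two values to send,
// an ephemeral X25519 public key (32 bytes) and the ML-KEM ciphertext (1088 bytes).
func encapsulate(ecdhPub *ecdh.PublicKey, kemPub *mlkem.EncapsulationKey768) (key [32]byte, ctECDH, ctKEM []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	ssECDH, err := eph.ECDH(ecdhPub)
	if err != nil {
		return
	}
	ssKEM, ctKEM := kemPub.Encapsulate() // fresh 32-byte secret and its ciphertext
	ctECDH = eph.PublicKey().Bytes()
	return combine(ssECDH, ssKEM, ctECDH, ctKEM), ctECDH, ctKEM, nil
}

// decapsulate (recipient): recover the same session key with both private keys.
// A tampered ML-KEM ciphertext does not error out; it yields a different key
// (implicit rejection), so the mismatch surfaces when the first AEAD record fails.
func decapsulate(sk *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, ctECDH, ctKEM []byte) (key [32]byte, err error) {
	peer, err := ecdh.X25519().NewPublicKey(ctECDH)
	if err != nil {
		return
	}
	ssECDH, err := sk.ECDH(peer)
	if err != nil {
		return
	}
	ssKEM, err := dk.Decapsulate(ctKEM)
	if err != nil {
		return
	}
	return combine(ssECDH, ssKEM, ctECDH, ctKEM), nil
}
```

Swapping ML-KEM-768 for another KEM later only touches encapsulate and decapsulate; the rest of the protocol sees the same 32-byte session key.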