← All posts
Quantum Series #2
Quantum Series #2

Quantum Computing and Cryptography: What Breaks, What Survives, What Comes Next

Published · 11 min read

Quantum computers don't break all of cryptography. They break specific math problems. Understanding which is the difference between panic and preparation.

The Thesis

Shor's algorithm kills factoring and discrete logarithms. RSA, ECC, DSA, and Diffie-Hellman are dead against a cryptographically relevant quantum computer.

Grover's algorithm weakens symmetric cryptography. AES-256 and SHA-256 become roughly AES-128 and SHA-128 in effective security. They survive with larger keys.

Quantum mechanics enables new primitives. Quantum Key Distribution provides information-theoretic security that no computer can break.

The deadline is fault-tolerance plus data-at-rest lifetime. If you need data confidential for 20 years and quantum computers arrive in 15, you must migrate now.

Shor's Algorithm: The Breaker of Public Keys

In 1994, Peter Shor showed that a quantum computer could factor integers and compute discrete logs in polynomial time: $O((\log N)^3)$ gate operations. Classical algorithms take sub-exponential time: $O(e^{(\log N)^{1/3}})$ for the General Number Field Sieve.

What Breaks

  • RSA - Based on integer factorization
  • ECC - Elliptic Curve Discrete Log Problem
  • DH & ECDH - Diffie-Hellman Key Exchange
  • DSA & ECDSA - Digital Signature Algorithm

Anything relying on factoring or discrete logs is vulnerable to Shor.

Why It Works

Shor reduces factoring $N = pq$ to finding the period $r$ of $a^x \bmod N$. Quantum Phase Estimation finds $r$ exponentially faster than classical methods.

Once you have $r$, compute $\gcd(a^{r/2} \pm 1, N)$ to recover factors. This is pure number theory, but the quantum speedup happens in the period finding.

Demo: Shor's Algorithm Factoring RSA-15 End-to-End

Here's a complete Qiskit implementation factoring $N = 15$ using $a = 7$. This is the "Hello World" of quantum cryptanalysis. We find the period $r$ of $7^x \bmod 15$, then classically derive factors $3$ and $5$. 

from qiskit import QuantumCircuit, QuantumRegister, ClassicalRegister, transpile
from qiskit.circuit.library import QFT
from qiskit_aer import AerSimulator
from math import gcd
import numpy as np

"""
Shor's Algorithm: Factor N = 15 using base a = 7
Goal: Find period r such that a^r ≡ 1 mod N
Then factors = gcd(a^(r/2) ± 1, N) if r is even and a^(r/2) ≠ -1 mod N
"""

N = 15
a = 7

# Step 1: Classical pre-checks
assert gcd(a, N) == 1, "a must be coprime to N"
print(f"Factoring N={N} with base a={a}")

# Step 2: Determine register sizes
# Counting register: n qubits, where 2^n >= N^2 for good success probability
# For N=15, n=4 gives 2^4=16 >= 15, but 8 is safer. We'll use 8.
n_count = 8  # counting qubits for QFT phase estimation
n_target = 4  # ceil(log2(N)) = 4 qubits to represent 0..14

q_count = QuantumRegister(n_count, 'count')
q_target = QuantumRegister(n_target, 'target')
c_out = ClassicalRegister(n_count, 'out')
qc = QuantumCircuit(q_count, q_target, c_out)

# Step 3: Initialize superposition on counting register
# |0> -> H^n -> (|0> + |1>)^n / sqrt(2^n)
# This creates equal superposition over all 2^n basis states
qc.h(q_count)
qc.barrier()

# Step 4: Initialize target register to |1>
# We need |1> so that U|y> = |a*y mod N>
qc.x(q_target[0])
qc.barrier()

# Step 5: Controlled Modular Exponentiation U: |x>|y> -> |x>|a^x * y mod N>
# This is the expensive part. We implement U^(2^j) controlled by count[j]
# For N=15, a=7: powers cycle 7,4,13,1 every 4. So period r=4
# We manually build controlled multiplications for 7, 7^2=4, 7^4=1, 7^8=1

def c_amod15(qc, control, target, a_pow):
    """
    Controlled multiplication by a_pow mod 15.
    Hardcoded for N=15. Real implementation needs generic modular multipliers.
    """
    if a_pow == 7:
        # |x> -> |7x mod 15>
        qc.swap(target[2], target[3], control=control)
        qc.swap(target[1], target[2], control=control)
        qc.swap(target[0], target[1], control=control)
    elif a_pow == 4:  # 7^2 mod 15
        qc.swap(target[1], target[3], control=control)
        qc.swap(target[0], target[2], control=control)
    elif a_pow == 13:  # 7^3 mod 15
        qc.swap(target[0], target[3], control=control)
        qc.swap(target[1], target[3], control=control)
        qc.swap(target[2], target[3], control=control)
    # a_pow == 1 is identity, do nothing

# Apply controlled-U^(2^j) for j = 0..n_count-1
for j in range(n_count):
    power = pow(a, 2**j, N)  # a^(2^j) mod N
    c_amod15(qc, q_count[j], q_target, power)

qc.barrier()

# Step 6: Inverse Quantum Fourier Transform on counting register
# QFT extracts the phase, which encodes s/r where s is random
qc.append(QFT(n_count, inverse=True), q_count)
qc.barrier()

# Step 7: Measure counting register
qc.measure(q_count, c_out)

# Step 8: Simulate
simulator = AerSimulator()
compiled = transpile(qc, simulator)
result = simulator.run(compiled, shots=1024).result()
counts = result.get_counts()

print(f"Measurement results: {counts}")

# Step 9: Classical post-processing - extract period r
# Most frequent measurement m estimates s/r where m/(2^n) ≈ s/r
measured = int(max(counts, key=counts.get), 2)
print(f"Most frequent measurement: {measured}")

# Find r using continued fractions: measured / 2^n = s/r
from fractions import Fraction
frac = Fraction(measured, 2**n_count).limit_denominator(N)
s, r = frac.numerator, frac.denominator
print(f"Estimated s={s}, r={r}")

# Step 10: Check if we got a useful r
if r % 2 == 0:
    cand1 = gcd(pow(a, r//2) - 1, N)
    cand2 = gcd(pow(a, r//2) + 1, N)
    factors = [f for f in [cand1, cand2] if 1 < f < N]
    if factors:
        print(f"Success! Factors of {N}: {factors}")
    else:
        print(f"r={r} failed: a^(r/2) ≡ -1 mod N. Retry with different a.")
else:
    print(f"r={r} is odd. Retry with different a.")

# Expected output: r=4, factors [3, 5]

Reality Check: From N=15 to RSA-2048

Factoring 15 takes 12 qubits and runs on a laptop simulator. RSA-2048 requires fundamentally different hardware.

N = 15
~12 physical qubits
No error correction
Milliseconds
RSA-2048
~10,000 logical qubits
~20M physical qubits
Hours to days

The gap is error correction. Each logical qubit needs ~1,000-10,000 physical qubits to suppress errors below Shor's threshold. We are at ~1,000 noisy physical qubits today.

Grover's Algorithm: The Quadratic Speedup

Lov Grover's 1996 algorithm searches an unsorted database of $N$ items in $O(\sqrt{N})$ operations instead of $O(N)$. For cryptography, this means brute-force key search gets a quadratic speedup.

Primitive Key/Hash Size Classical Security Quantum Security Verdict
AES-128 128 bits $2^{128}$ $2^{64}$ Weak
AES-256 256 bits $2^{256}$ $2^{128}$ Survives
SHA-256 256 bits $2^{128}$ collision $2^{85}$ collision Survives
SHA-3-512 512 bits $2^{256}$ collision $2^{171}$ collision Strong

Impact on symmetric crypto: Double your key length and you're fine. AES-256 remains secure for decades even post-quantum. The real threat is to asymmetric primitives where we exchange those keys.

Post-Quantum Cryptography: What Comes Next

NIST completed its first PQC standardization round in 2024. These algorithms run on classical computers but rely on math problems even quantum computers can't solve efficiently.

NIST Standards 2024

ML-KEM (CRYSTALS-Kyber)
Module Learning With Errors

Key encapsulation for TLS, VPNs. Replaces ECDH. Public keys ~800B-1.5KB.

ML-DSA (CRYSTALS-Dilithium)
Module Lattice Signatures

Primary signature scheme. Replaces ECDSA/RSA. Signatures ~2-4KB.

SLH-DSA (SPHINCS+)
Stateless Hash-Based

Conservative backup. Large signatures ~8-50KB but minimal assumptions.

Hard Problems for Quantum

Lattices: Find shortest vector in high-dimensional lattice. No known quantum speedup beyond polynomial.
Codes: Decode random linear code. Best quantum attacks still exponential.
Isogenies: Find path between elliptic curves. SIKE was broken, but CSIDH survives with caution.
Multivariate: Solve system of quadratic equations. Quantum gives at most modest speedup.
Hash-based: Relies only on collision resistance. Grover gives quadratic speedup, so use SHA-512.

Key insight: Shor breaks algorithms based on abelian hidden subgroup problems: factoring and discrete log. PQC algorithms are built on problems believed to be outside this class. No proof exists, but decades of cryptanalysis have failed to find quantum attacks.

Harvest Now, Decrypt Later (HNDL)

The most urgent threat isn't future key exchange. It's encrypted data intercepted today and stored until quantum computers exist. If your data must stay secret for $X$ years, and quantum computers arrive in $Y$ years, you need to migrate if $X > Y$.

Mosca's Theorem

$$X + Y > Z$$
If secrecy lifetime + migration time > time to quantum, you have a problem
X: Secrecy Lifetime
How long must data stay secret?
Y: Migration Time
How long to upgrade all systems?
Z: Quantum Time
Years until CRQC exists

Who should worry now: Governments, healthcare (HIPAA 50+ years), financial services, infrastructure operators, anyone with trade secrets or PII that needs >10 year confidentiality.

Who can wait: Ephemeral TLS sessions for cat videos, short-lived API tokens, data with <5 year value window. But remember: key exchange today protects data tomorrow.

BB84 & Quantum Key Distribution

Quantum mechanics doesn't just threaten crypto. It enables new primitives. BB84, invented by Bennett and Brassard in 1984, lets two parties create a shared secret with security guaranteed by physics, not math.

How BB84 Works

  1. 1 Alice sends photons in random bases: rectilinear $+$ or diagonal $\times$, encoding 0 or 1.
  2. 2 Bob measures each photon in a random basis. If he picks wrong, he gets a random result.
  3. 3 Alice and Bob publicly compare bases, keep only bits where they matched. ~50% remain.
  4. 4 They sacrifice some bits to check error rate. High errors = eavesdropper detected.
  5. 5 Remaining bits are distilled into a secret key via privacy amplification.

Advantages

  • • Information-theoretic security: secure even against unbounded computation
  • • Eavesdropping detection: no-cloning theorem guarantees Eve disturbs the channel
  • • Future-proof: security doesn't depend on unproven hardness assumptions

Limitations

  • • Distance: ~100-500km over fiber without quantum repeaters
  • • Key rate: kbps to Mbps, much slower than classical
  • • Authentication: needs pre-shared secret or PQC signatures
  • • Cost: specialized hardware, not Internet-scale yet

Practical take: QKD is real and deployed for high-security links. But for most organizations, PQC algorithms running on classical infrastructure are the pragmatic path. Use QKD for crown jewels, PQC for everything else.

Migration Guide: Crypto Agility

Don't rip-and-replace. Build crypto agility: the ability to swap algorithms without rewriting applications. NIST and NSA recommend hybrid modes during transition.

1 Inventory

Catalog all uses of RSA, ECC, DH, DSA. Scan codebases, configs, certificates, hardware tokens. You can't fix what you don't know exists. Pay attention to embedded devices and long-lived systems.

2 Prioritize

Order by data sensitivity and lifespan. Long-term archives, identity PKI, firmware signing, and VPNs go first. Ephemeral web TLS can wait. Code signing is critical: once compromised, attackers can push malicious updates.

3 Hybrid Deployment

Run classical + PQC in parallel: X25519 + ML-KEM-768. If either is broken, you're still safe. TLS 1.3 supports this via extensions. Most browsers and CloudFlare already support hybrid key exchange experimentally.

4 Test & Monitor

PQC keys and signatures are larger. Dilithium signatures are 2-4KB vs 64B for ECDSA. This impacts network protocols, databases, and bandwidth. Test performance. Monitor for interop issues with legacy clients.

5 Cutover

Once hybrids are stable, drop the classical component. For PKI, issue new root certs with ML-DSA and plan cross-signing. NSA's CNSA 2.0 mandates PQC for NSS by 2030-2035. Commercial sectors will follow.

Common Myths

Myth: "Quantum breaks all encryption"

Reality: Quantum breaks specific number theory problems. AES-256, SHA-3, and properly sized symmetric primitives survive. The threat is to public-key crypto, not all crypto. Symmetric and hash-based schemes just need larger parameters.

Myth: "We have 30+ years, no rush"

Reality: HNDL means the threat starts now for long-lived data. IBM, Google, and others predict fault-tolerant machines in 10-15 years. Migration takes 5-10 years for large orgs. If your data needs 20-year secrecy, you're already late.

Myth: "PQC is untested, wait for QKD"

Reality: PQC has 20+ years of cryptanalysis. NIST ran a 6-year competition with global experts trying to break candidates. QKD needs physical infrastructure and doesn't scale to the Internet. PQC is the practical path forward.

Myth: "Quantum computers will be cloud-only, so I'm safe"

Reality: If anyone builds a CRQC, they can attack all captured ciphertexts. You don't control whether adversaries get access. Nation-states and well-funded groups will have priority. The attack is offline against historical data.

The Path Forward

Quantum computing and cryptography are not enemies. Quantum breaks factoring and discrete log, but enables new primitives like QKD. Post-quantum cryptography gives us classical algorithms safe against quantum attacks.

The transition is already underway. NIST has standards. Cloud providers offer hybrid TLS. OpenSSL 3.2+ ships PQC. The code is written. What remains is deployment.

Start your inventory today. Deploy hybrids this year. Cut over before 2035. Your future self, reading ciphertexts captured today, will thank you.

Quantum Series #2 Next: Quantum Error Correction →