The quantum threat, and the math that defends against it
Why a quantum computer breaks today's public-key cryptography, why lattice schemes survive it, and how QuantumSafe implements both sides. Every algorithm below is runnable in this repo.
1. The threat model
Public-key cryptography rests on problems that are hard for classical computers: integer factorization (RSA) and the discrete logarithm (Diffie-Hellman, elliptic curves). Two quantum algorithms change the picture:
- Shor's algorithm solves factoring and discrete-log in polynomial time — it breaks RSA, DH, and ECC outright, at any key size.
- Grover's algorithm gives a quadratic speedup for unstructured search, halving the effective strength of symmetric keys and hash preimages — it weakens but does not break them.
"Harvest now, decrypt later": an adversary can record encrypted traffic today and decrypt it once a cryptographically-relevant quantum computer exists. For data that must stay secret for years, the threat is effectively present now — which is why migration is a present-day engineering problem, not a future one.
2. Shor's algorithm (breaks RSA / ECC)
Shor reduces factoring N = p·q to order-finding: the period
r of f(x) = aˣ mod N. Quantum phase estimation over a
modular-exponentiation operator, followed by an inverse Quantum Fourier Transform, yields a
measurement of s/r; continued fractions recover r. If r
is even and a^(r/2) ≢ −1 (mod N), then gcd(a^(r/2) ± 1, N) are
non-trivial factors. With p and q the RSA private exponent
d ≡ e⁻¹ (mod φ(N)) follows immediately.
Run it: python quantum/shor.py — factors N=15 and reconstructs an RSA key.
· python quantum/resources.py — qubit/depth/gate cost vs. RSA-2048 estimates.
3. Grover's algorithm (weakens AES / hashes)
Grover finds a marked item in an unstructured space of size N in
≈ (π/4)√N iterations via amplitude amplification (an oracle reflection plus a
diffuser). For a k-bit key, brute force drops from 2^k to
~2^(k/2) — effective strength is halved. The fix is to double sizes:
AES-128 → AES-256, SHA-256 → SHA-384/512. AES-256 still
needs ~2^128 Grover iterations, which remains infeasible.
Run it: python quantum/grover.py
4. Learning With Errors — the post-quantum foundation
Lattice schemes base security on the Learning With Errors (LWE) problem:
given A and b = A·s + e (mod q) with a small error e,
recover the secret s. This is provably as hard as worst-case lattice problems.
Crucially, LWE has no periodic / hidden-subgroup structure for Shor to
exploit, so the best known quantum attacks offer only modest speedups — it stays hard.
Run it: python pqc/lwe_kem.py — a full quantum-safe key exchange.
· python pqc/benchmark.py — sizes & latency vs. RSA / ML-KEM.
5. CRYSTALS-Kyber / ML-KEM and the NIST standards
ML-KEM (the standardized form of CRYSTALS-Kyber) is a Module-LWE
key-encapsulation mechanism: it adds ring structure for efficiency (fast NTT-based
multiplication) and a Fujisaki-Okamoto transform for chosen-ciphertext security. QuantumSafe's
pqc/ module implements the underlying LWE construction to demonstrate the math.
In 2024 NIST finalized the first post-quantum standards:
- FIPS 203 — ML-KEM (key establishment), based on CRYSTALS-Kyber.
- FIPS 204 — ML-DSA (signatures), based on CRYSTALS-Dilithium.
- FIPS 205 — SLH-DSA (hash-based signatures), based on SPHINCS+.
References
- P. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM J. Computing, 1997.
- L. Grover, "A fast quantum mechanical algorithm for database search," STOC 1996.
- O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," J. ACM, 2009.
- Bos et al., "CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM," IEEE EuroS&P 2018.
- C. Gidney, M. Ekerå, "How to factor 2048-bit RSA integers in 8 hours using 20 million noisy qubits," Quantum, 2021.
- NIST FIPS 203 / 204 / 205, Post-Quantum Cryptography Standards, 2024.