Questions tagged [quantum-cryptanalysis]

Use this tag on questions about attacks that break cryptographic guarantees / security properties of primitives and protocols and utilize quantum computers as an essential part.

An example of quantum cryptanalysis is the use of Shor's algorithm to attack classical ciphers such as RSA and elliptic curves, or Grover's algorithm to attack symmetric ciphers such as AES. Questions about the number of qubits, gates or order of complexity to break such an algorithm should use this tag.

The tag is for cryptographic constructions that use quantum effects to achieve security. These tags should generally not be used together. Questions that are specific to the algorithms used for quantum cryptanalysis are probably better asked at our sister site, Quantum Computing.

69 questions
62 votes, 4 answers

Polynomial-time Quantum Algorithms for Lattice Problems

A new paper, by Yilei Chen, whose title is Quantum Algorithms for Lattice Problems (https://eprint.iacr.org/2024/555) appeared on eprint and it claims to solve hard lattice problems, such as the approximate (gap) shortest vector problem…
36 votes, 2 answers

Largest integer factored by Shor's algorithm?

I'm studying Shor's quantum factoring algorithm. I was wondering what the largest integer is which they were able to factor with a small quantum computer. Does anybody have an idea about this?
Robbe Motmans
32 votes, 3 answers

Applicability of IBM's projected 50-qubit quantum computer Q to cryptanalysis?

IBM announced Q, a project for a 50-qubit universal quantum computer, according to the press release. Here is more PR spin, and the research sub-page. What would be the applicability of that to cryptanalysis?
fgrieu
25 votes, 3 answers

What does the work "An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor" mean?

In An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor, the author claims they give a polynomial-time quantum algorithm for solving the Bounded Distance Decoding problem with a subexponential…
20 votes, 1 answer

How does IBM's 53-bit quantum computer compare to classical ones for cryptanalytic tasks?

IBM just announced "a new 53-qubit quantum computer". How does it compare to classical computers, performance-wise, for cryptanalytic tasks? E.g. finding a 48- or 64-bit value whose SHA-256 has a certain value (edit: or factoring the product of two…
fgrieu
20 votes, 3 answers

Quantum Computing Used to Break RSA by "fixing" Schnorr's Recent Factorization Claim?

There is a claim by Chinese researchers making the rounds (Schneier's blog here) that RSA can be broken by Quantum Computers. The paper is on arXiv. Wading through the discussion in Schneier's blog, and distinguishing between noisy qubits and…
kodlu
16 votes, 1 answer

Is this paper's technique for factoring RSA 2048 with noisy qubits realistic?

A paper titled How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits has just come out which proposes a technique to factor RSA keys with moduli up to 2048 bits with a design whose assumptions they stress are realistic. What…
forest
16 votes, 2 answers

New paper claims quantum polylog time attack on AES

It is well known that Grover's algorithm can solve AES in $O(\sqrt{n})$ time, which is why symmetric key length needs to be doubled to maintain their security level in the face of a quantum adversary. A recent eprint paper claims there exists a…
15 votes, 3 answers

Can or can not D-Wave's quantum computers use Shor's and Grover's Algorithm to find encryption keys? Why?

I read that a company called D-Wave Systems has and is manufacturing quantum computers of 128 qubits. Can they or can they not use Shor's and Grover's algorithms for finding RSA-keys? If they can't then why not? And how come it was so hard for the…
14 votes, 0 answers

Space complexity of quantum collision search?

Is there a known way to reduce the space complexity of quantum collision search (PDF) beyond what is offered by the built-in time-space tradeoff, while keeping the time complexity significantly below what is achieved by the classical Pollard's rho…
11 votes, 2 answers

Can quantum computers put computer security in jeopardy?

There are many articles about quantum computers describing how powerful they are in computing and that they can solve very complicated equations in a short time. One of the biggest security measures that provide safety for computer security is that…
R1w
9 votes, 3 answers

Can Shor's algorithm factor multi-prime numbers?

I know that Shor's algorithm can factor semi-primes ($N = p \times q \space, \{p, \space q \in \Bbb{P} \space \vert \space p, \space q \gt 0 \} $). Assuming that all prime numbers are so large that it's infeasible to compute with any known classical…
AleksanderCH
8 votes, 0 answers

Time-memory tradeoffs in Shor's algorithm

Can a quantum computer with insufficient qubits to factor an integer of a given size make any progress in factoring it? For example, what if a quantum computer is only one qubit short of what is necessary to attack a specific integer? Is it capable…
forest
7 votes, 0 answers

How many qubits are required to break classical Diffie-Hellman?

There have been comparisons between RSA and ECDH with regards to the number of qubits required to break the algorithm with a specific key size. But how many qubits are required to break "classical" Diffie-Hellman (DH) over a multiplicative (finite,…
7 votes, 0 answers

Noisy Quantum Gates Spoil Shor's Factorization Attack

Update: In Lipton and Regan's blog, Scott Aaronson and Craig Gidney have commented that the results are not unexpected and also not a deal-breaker in that dealing with this type of noise is already part of the way QC is implemented, including the…
kodlu