Quantum computer threats to modern cryptography

Question

I am having a university assignment that requires me to study on the threats that quantum computer poses to modern cryptography.

At the moment, I know that modern symmetric encryption will reduce their key size strength in half through Grover's algorithm. It can also break existing standardized RSA, Curve448 and Curve25519 (Not Grover's algorithm).

Can I have the papers or some layman's reference link to those kinds of attacks? Other than the listed attacks, is there any other threats that quantum computer poses to modern cryptography?

Answer 1

Shor's Algorithm for factoring: Threatens all cryptosystems based on using a cyclic group. This is a high level and high impact risk because the improvement Shor gives is exponential (for Discrete Logs) and super polynomial (for factoring).

The systems at risk include RSA, Diffie-Hellman, Elliptic Curve based systems, all these are public key (asymmetric) systems. The main thrust of NISTs post quantum cryptography (PQC) standards development is towards replacing these algorithms. Here is a high level description from the NIST project. Here is a page from IBM. Dan Bernstein and Tanja Lange have a book on PQC linked from here.

Note that lattice based, multivariate polynomial based, and code based asymmetric key systems are not currently believed to be vulnerable to any Quantum attack. However, one proposed post quantum safe algorithm (Rainbow) fell victim to a classical attack recently during the standardization process.

Grover's Quantum Search Algorithm: This is a threat to symmetric cryptosystems because it can be applied to any brute force searching method. The threat here is only polynomial in order (effective halving of the keylength representing brute force search complexity). Here is a question with answers on this topic.

Quantum Randomness Generation and Testing: There are proposals for both, though I haven't seen any instances of classical random number generators (if well-designed and robust against classical attacks) being subjected to a quantum attack which made a difference to their security.

Big Caveat: We are currently nowhere near building a functioning quantum computer that can threaten these systems, but the store and break later kind of attack is a real threat into the future, depending on how long you want your encrypted secrets to survive. Here is a question whose answer dispels some confusion about this. The question was asked in response to this announcement by IBM which specified 400 physical qubits in their Osprey quantum computer, and was mistaken to be logical qubits. In summary we need to use logical qubits not physical qubits to measure security.