Solving Quantum Cryptography

PBS Space Time·
5 min read

Based on PBS Space Time's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Shor’s algorithm threatens RSA because it can factor prime products by exploiting periodicity, undermining the one-way function RSA depends on.

Briefing

Quantum computers don’t yet threaten everyday encryption—but they’re on track to. The core risk comes from Shor’s algorithm, which can factor large numbers far faster than any known classical method. Since widely used public-key systems rely on the difficulty of factoring products of primes, a sufficiently powerful, fault-tolerant quantum computer would be able to recover secret keys that protect email, online purchases, and logins.

For now, the threat is mostly theoretical. Current quantum hardware remains limited to under 100 qubits, and no system has factored numbers larger than 21 using Shor’s algorithm. Still, the trajectory matters: once quantum machines reach the scale needed for prime factoring at real-world key sizes—thousands of qubits and strong fault tolerance—RSA-style security would fail. That’s why the push for “post-quantum cryptography” has moved from academic discussion to standards work.

The transcript breaks down why prime factoring is uniquely vulnerable. Factoring can be framed as a one-way function: multiplying primes is easy, reversing the process is hard. Classical computers brute-force factors using methods like trial division, but Shor’s algorithm exploits a hidden mathematical structure called “periodicity.” By using quantum superposition and interference, the algorithm amplifies information about the period of a modular arithmetic sequence. Once that period is extracted, the original prime factors can be determined.

Quantum parallelism doesn’t magically hand over the correct factors directly—measurement yields only one outcome. Instead, Shor’s method encodes the relevant periodic structure into the quantum states and then uses interference to suppress incorrect periods while boosting the correct one. That period-finding step is the exploitable quality that turns factoring from an intractable problem into one that scales much more favorably on a quantum computer.

Post-quantum cryptography aims to replace RSA with encryption schemes built on different hard problems—ones that lack known quantum shortcuts like periodicity. A major effort is the competition run by the National Institute of Standards and Technology (NIST), narrowing nearly 70 submissions down to 7 finalists and alternates announced in June, with expectations to select one or two quantum-resistant standards in 2022. One finalist is the McEliece cryptosystem, which bases security on the difficulty of decoding errors in large coded messages. It uses large matrix transformations and intentionally added errors so that, without the secret key, reversing the process is computationally infeasible.

Other finalists include lattice-based systems such as NTRU, CRYSTALS-KYBER, and SABER, which rely on problems like the shortest vector problem. These are attractive because they avoid the periodicity weakness, but they raise practical concerns—especially public key sizes and the need to prove robustness against both classical and quantum attacks.

Even post-quantum cryptography isn’t a guarantee. New algorithms—whether classical or quantum—could eventually undermine today’s assumptions. Still, the transcript frames the situation as a race: quantum computers are likely to arrive, quantum key distribution depends on a quantum internet that may not be ready, and post-quantum schemes may be the most realistic bridge to keep digital security intact.

Cornell Notes

Quantum computers threaten today’s public-key encryption because Shor’s algorithm can factor prime products using period-finding, a structure RSA depends on. That capability would collapse the security of systems like RSA once quantum machines have enough qubits and fault tolerance, even though current devices are far from that scale (under 100 qubits; factoring beyond 21 hasn’t happened). Post-quantum cryptography responds by switching to one-way functions without known quantum-exploitable properties such as periodicity. NIST’s competition has narrowed candidates to a small set of finalists, including McEliece (error-decoding hardness) and lattice-based schemes like NTRU, CRYSTALS-KYBER, and SABER (shortest-vector-type hardness). The main open question is not just quantum resistance, but whether future breakthroughs—classical or quantum—could still crack these assumptions.

Why does RSA-style encryption become vulnerable if a quantum computer can run Shor’s algorithm?

RSA relies on the fact that multiplying primes is easy while factoring the resulting product is hard. Shor’s algorithm uses quantum period-finding to factor numbers quickly, turning that “one-way function” into a reversible one. Once factoring is efficient, attackers can recover the prime factors that act as the secret key material, breaking the encryption and signatures built on that structure.

What is the “periodicity” trick at the heart of Shor’s algorithm?

Shor’s method reduces factoring to finding the period of a modular arithmetic sequence. For example, powers of 2 modulo 5 produce a repeating pattern (2, 4, 3, 1, …) with a period of 4. The algorithm’s quantum steps encode information about this repeating sequence and then use interference to suppress incorrect periods while boosting the correct one; measuring the boosted period enables factor recovery.
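The reduction described above and in the briefing, as an added example that is not from the video: the quantum period-finding step is replaced by a brute-force scan (which is exactly the part that is exponentially slow classically), so the code shows only the classical post-processing that turns a period into factors.

```python
from math import gcd
from typing import List, Optional, Tuple

# Added example (not PBS Space Time's): the classical half of Shor's algorithm.
# A quantum computer's only job is find_period(); here it is a linear scan so the
# whole reduction can be run and checked on small numbers like 15 and 21.

def modular_sequence(a: int, n: int, length: int) -> List[int]:
    """Powers a^1, a^2, ... mod n: the repeating sequence the page describes."""
    return [pow(a, k, n) for k in range(1, length + 1)]

def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n); requires gcd(a, n) == 1.
    Shor's algorithm does this with superposition and interference;
    classically the scan takes up to n steps (exponential in the bit length)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_period(a: int, n: int) -> Optional[Tuple[int, int]]:
    """Post-processing: an even period r with a^(r/2) != -1 (mod n) yields a
    non-trivial factor via gcd(a^(r/2) +/- 1, n). Returns None when this base a
    fails, in which case Shor's algorithm simply retries with another a."""
    r = find_period(a, n)
    if r % 2 == 1:
        return None
    half = pow(a, r // 2, n)
    if half == n - 1:  # a^(r/2) == -1 mod n gives only trivial factors
        return None
    p, q = gcd(half - 1, n), gcd(half + 1, n)
    if p in (1, n) or q in (1, n):
        return None
    return (min(p, q), max(p, q))

def shor_classical(n: int) -> Tuple[int, int]:
    """Try bases a = 2, 3, ... until one yields a non-trivial factorization."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:  # a already shares a factor with n: no period needed
            return (min(g, n // g), max(g, n // g))
        result = factor_from_period(a, n)
        if result is not None:
            return result
    raise ValueError("no non-trivial factor found (n is prime)")

if __name__ == "__main__":
    print(modular_sequence(2, 5, 8))  # [2, 4, 3, 1, 2, 4, 3, 1], period 4
    print(shor_classical(15), shor_classical(21))  # (3, 5) (3, 7)
```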

Why doesn’t quantum superposition automatically guarantee the correct factors when measured?

Measurement collapses the quantum state to a single outcome, so a naive “try all factors at once” approach wouldn’t help. Shor’s advantage comes from engineering interference so that the probability distribution is shaped: incorrect periods interfere destructively and the correct period is amplified. The algorithm then extracts the period from measurement and uses it to compute factors.

How does the McEliece cryptosystem avoid the specific weakness that breaks RSA?

McEliece is built around the difficulty of decoding errors in large coded messages rather than around prime factoring. It encodes messages into large matrices, applies reversible key-based scrambling, and then adds errors. Without the secret matrices, removing the added errors becomes computationally infeasible, and there’s no periodicity structure like the one Shor exploits.

Why are lattice-based candidates (NTRU, CRYSTALS-KYBER, SABER) both promising and challenging?

They aim for quantum resistance by relying on hard lattice problems such as the shortest vector problem, for which no fast classical or quantum algorithm is known at large scales. The challenge is practicality: security typically requires large public keys because the underlying lattices must be large, and the transcript notes that public key size could cause slowdowns in real network protocols.

What does NIST’s post-quantum process try to accomplish, and what uncertainty remains?

NIST’s competition narrows many proposals to a small set of finalists and then selects one or two standards expected around 2022. The uncertainty remains that “quantum-resistant” doesn’t mean “unbreakable forever”—new classical or quantum algorithms could eventually solve the assumed hard problems. The goal is to migrate before quantum capabilities reach the point where current standards fail.

Review Questions

  1. How does Shor’s algorithm convert factoring into a period-finding problem, and why is that structure essential?
  2. Compare the security assumptions behind McEliece and lattice-based schemes: what hard problem does each rely on?
  3. What practical constraints (e.g., key sizes) could slow adoption of post-quantum cryptography even if the math is secure?

Key Points

  1. Shor’s algorithm threatens RSA because it can factor prime products by exploiting periodicity, undermining the one-way function RSA depends on.
  2. Current quantum hardware is still too small to factor numbers beyond 21 using Shor’s algorithm, but future fault-tolerant machines with thousands of qubits would change the security landscape.
  3. Post-quantum cryptography focuses on replacing prime factoring with different one-way functions that lack known quantum-exploitable shortcuts like periodicity.
  4. NIST’s post-quantum cryptography competition has narrowed nearly 70 submissions to 7 finalists and alternates announced in June, with standards selection expected around 2022.
  5. McEliece bases security on the hardness of decoding errors in large coded messages using matrix transformations, avoiding RSA’s periodicity vulnerability.
  6. Lattice-based candidates such as NTRU, CRYSTALS-KYBER, and SABER rely on hard lattice problems (e.g., shortest-vector-type difficulty) but face practical issues like large public keys.
  7. Even post-quantum schemes aren’t guaranteed to remain secure indefinitely; future breakthroughs could still find faster attacks.

Highlights

Shor’s algorithm doesn’t just “try all possibilities”—it uses interference to boost the correct period of a modular sequence, then derives prime factors from that period.
RSA’s security hinges on factoring being hard; once factoring becomes efficient on a fault-tolerant quantum computer, RSA-style encryption and signatures would fail.
McEliece avoids RSA’s weakness by turning the problem into error-decoding in large matrix-based codes, where reversing the added errors without the key is computationally infeasible.
Lattice-based schemes may be quantum-resistant, but their large public keys could strain existing network protocols and slow transactions.
NIST’s post-quantum standards effort is essentially a migration plan: replace vulnerable cryptography before quantum capabilities catch up.

Topics

  • Post-Quantum Cryptography
  • Shor’s Algorithm
  • RSA Factoring
  • McEliece Cryptosystem
  • Lattice-Based Cryptography