up:: Breaking Today’s Cryptography MOC
Quantum-Vulnerable Algorithm
A quantum-vulnerable algorithm is any cryptographic algorithm that a large enough quantum computer can break or meaningfully weaken. The category splits cleanly in two: public-key algorithms, which a quantum computer running Shor’s algorithm destroys completely, and symmetric algorithms and hash functions, which Grover’s algorithm only dents, and which mostly survive with a larger key. Knowing which of your cryptography sits on which side of that line is the whole starting point of a migration, because the two halves need completely different responses.
The short version:
- Public-key cryptography is the catastrophe. RSA, Diffie-Hellman, ECDH, ECDSA, and Ed25519 all rest on math (factoring and discrete logarithms) that Shor’s algorithm solves efficiently. A capable quantum computer ends them.
- Symmetric cryptography mostly survives. Grover’s algorithm halves the effective strength of ciphers like AES and hash functions like SHA-256. The fix is a longer key, not a new algorithm. AES-256 stays safe; AES-128 is the one to move.
- The vulnerable public-key algorithms get replaced with post-quantum standards. The dented symmetric ones get upsized.
That asymmetry is why the transition is overwhelmingly a public-key migration, and why “quantum breaks all encryption” is the wrong headline. It shatters one half and merely trims the other.
Which algorithms does Shor’s algorithm break?
Shor’s algorithm efficiently solves the two hard math problems that every widely deployed public-key algorithm depends on: integer factorization and the discrete logarithm problem (including its elliptic-curve form). Once a quantum computer can run it at real key sizes, these don’t get weaker, they stop working:
- RSA rests on the difficulty of factoring a large number. Shor’s factors it. Broken for both encryption and signatures.
- Diffie-Hellman and its ephemeral form rest on the finite-field discrete logarithm. Broken.
- ECDH, ECDSA, and Ed25519 rest on the elliptic-curve discrete logarithm. Broken. Elliptic-curve algorithms actually fall to a smaller quantum computer than RSA of comparable classical strength, so they’re not the safer choice here.
Because these do both of cryptography’s public-key jobs, key establishment and digital signatures, breaking them takes down both. Key exchange fails (a confidentiality problem) and signatures fail (a trust problem), which is why the transition needs replacements on both fronts.
Which algorithms does Grover’s algorithm only weaken?
Grover’s algorithm speeds up brute-force search, but only quadratically, which means it roughly halves the effective security of a symmetric algorithm rather than breaking it. That’s a manageable problem you solve by using a bigger key or a longer hash:
- AES: Grover cuts effective strength in half, so AES-128 drops to about 64 bits of effective security (too low for comfort) while AES-256 drops to about 128 bits (still comfortably safe). The response is to standardize on AES-256.
- Hash functions (SHA-256, SHA-2, SHA-3): quantum search chips at preimage resistance, so NIST guidance points to longer digests like SHA-384 for the highest assurance, but SHA-256 remains useful and isn’t structurally broken. Collision resistance, which matters most for signatures, isn’t meaningfully threatened by known quantum attacks in practice.
Two caveats keep this honest. The neat “just double the key” story holds for the bulk symmetric layer; some older or non-standard symmetric constructions have narrower quantum margins and deserve their own look. And even a quantum-safe symmetric layer gives you nothing if the keys protecting it were exchanged using a broken public-key algorithm, which is the usual real-world exposure.
What replaces each quantum-vulnerable algorithm?
| Algorithm | Quantum attack | Verdict | Replace with |
|---|---|---|---|
| RSA (encryption / key transport) | Shor’s | Broken | ML-KEM |
| RSA (signatures) | Shor’s | Broken | ML-DSA / SLH-DSA |
| DH / DHE | Shor’s | Broken | ML-KEM |
| ECDH / X25519 | Shor’s | Broken | ML-KEM |
| ECDSA / Ed25519 | Shor’s | Broken | ML-DSA / SLH-DSA |
| AES-128 | Grover’s | Weakened | AES-256 |
| AES-256 | Grover’s | Safe | Keep |
| SHA-256 | Grover’s | Mostly safe | Keep, or SHA-384 for high assurance |
| SHA-3 | Grover’s | Mostly safe | Keep |
The pattern in the table is the whole point: everything in the “broken” rows is public-key and gets replaced with a new post-quantum standard, while everything in the “weakened” or “safe” rows is symmetric and gets upsized or kept. NIST’s own transition guidance (NIST IR 8547) treats the quantum-vulnerable public-key algorithms as slated for deprecation and disallowance on a published schedule, while the symmetric primitives carry forward at appropriate key sizes.
Why is this classification the start of every migration?
The first useful thing any team can do is sort its cryptography into these buckets, because the answer determines the work. A cryptographic inventory that flags each instance as quantum-broken public-key, weakened symmetric, or already safe turns a vague fear into a concrete queue. From there, the risk models take over: Mosca’s theorem tells you how soon each broken instance has to move, HNDL and Non-HNDL tell you what kind of failure it creates, and blast radius tells you how much it would take down. The classification here is what those models are classifying.
Everything here is the map, given freely. When your team needs its own cryptography sorted, sized, and sequenced, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.