Key insight

Only two quantum algorithms matter for cryptography. Shor’s completely breaks public-key crypto (RSA, ECC, Diffie–Hellman) by running its “one-way street” efficiently backwards — and a bigger key does not help, so it must be replaced. Grover’s only mildly weakens symmetric encryption (AES) and hashing, and the fix is simply to double the size. Public-key is the casualty; symmetric is barely inconvenienced. That single split drives the entire post-quantum project.

In one sentence

Shor destroys the locks that let strangers agree secrets and prove identity (replace them); Grover just means using bigger keys and hashes for the locks that scramble bulk data (keep them).

Four articles built the ladder: keys, the two encryption families, the quantum machine, and its three strange ideas. Now we point that machine at cryptography — and remarkably, only two recipes matter, each named for its discoverer.

Shor’s algorithm: the total break

In 1994, mathematician Peter Shor found a quantum recipe that solves the exact “one-way street” underneath public-key cryptography. Recall the mailbox: its safety rested entirely on the belief that nobody can take a large number and quickly recover the two primes that were multiplied to make it — a task called factoring.

For a classical computer, factoring a number of the size RSA uses is so slow that all the world’s supercomputers running together for longer than the age of the universe would not finish. Shor’s algorithm arranges the quantum engine — superposition, entanglement, interference — so that the wrong factors cancel and the right ones ring out. The task collapses from “effectively impossible” to “a matter of hours” on a large enough quantum computer.

And it isn’t only RSA. The same hidden mathematical structure (a “periodicity” Shor’s method uncovers) sits underneath elliptic-curve cryptography (ECC) and Diffie–Hellman key exchange too. So one algorithm topples the entire public-key family at once.

What is that “periodicity”? If you keep multiplying a number by itself and take the remainder each time, the results eventually fall into a repeating cycle — and the length of that cycle secretly reveals the factors. Finding the cycle length is hopeless for a classical computer, but it is exactly what a quantum computer’s interference is good at surfacing. That single trick — turning factoring into cycle-finding — is why Shor’s effort grows only polynomially (roughly with the number of digits) rather than exponentially. “Polynomial” is the technical word for efficient: the work rises gently enough that bigger keys can’t outrun it.

Shor breaks the one-way street Multiplying primes is easy forwards. Classically, reversing it takes longer than the universe's age; Shor's algorithm reverses it in hours. two primesp, q big numberN = p × q multiply — easy factor back — classically impossible Shor: hours on a large quantum computer
Shor runs the one-way street backwards. The public key stops protecting the private key — the whole mailbox falls open.

Why a bigger key can’t save RSA

A natural hope: if quantum computers factor today’s numbers, just use much bigger numbers. It doesn’t work. Shor’s method stays efficient as the numbers grow — its effort rises only gently with size, while the security you’d need rises far faster. To outrun a quantum computer you’d need keys so gigantic they’d be unusable, and even then only briefly. This is why the response can’t be “bigger RSA” — it has to be different maths entirely, built on one-way streets Shor can’t reverse. That is precisely what the NIST standards in The New Rulebook provide.

“Total break” means what it says

When a cryptographically-relevant quantum computer exists, RSA, ECC, and Diffie–Hellman provide essentially no protection at all — not “weaker,” but effectively transparent. Every certificate, every TLS handshake, every digital signature that relies on them is exposed. There is no partial credit here, which is why the whole family is being retired rather than tuned.

Grover’s algorithm: the mild dent

In 1996, Lov Grover found a quantum recipe for searching. If you must find one needle in an unsorted haystack of N items, a classical computer may have to check up to N straws. Grover’s algorithm finds it in roughly the square root of N tries.

“Square root” sounds dramatic — and for some tasks it is a real speed-up — but for cryptography it is surprisingly gentle. Attacking symmetric encryption like AES by brute force means searching the haystack of all possible keys. Grover square-roots that effort. The crucial point is what “square-rooting” does to key strength: it effectively halves the number of security bits. A 128-bit key drops to about 64 bits of quantum-effort — uncomfortable; a 256-bit key drops to about 128 bits — still far beyond reach.

Why doubling the size fixes symmetric

So the fix is almost embarrassingly simple: double the key length. Move from AES-128 to AES-256 and the haystack grows so enormously that even Grover’s square-root shortcut lands an attacker right back where they started — comfortably, durably safe. No new algorithm, no new maths; just a bigger, already-standard key.

The same mild logic covers hash functions — the algorithms that produce a fixed “fingerprint” of data (like SHA-256). Grover-style attacks are blunted by using a longer output (e.g. SHA-384/512). Symmetric cryptography and hashing therefore survive the quantum era with only modest, well-understood adjustments.

Grover only halves symmetric strength AES-128 drops to about 64 bits of effort under Grover, but AES-256 drops only to 128 bits, still safe. AES-128 → ~64-bit effort (weak-ish) AES-256 → ~128-bit effort (safe) Grover halves the strength — so just start twice as big.
Grover halves symmetric key strength; doubling the key restores the margin. No replacement needed.

The scorecard: what breaks, what bends

CryptographyQuantum attackEffectFix
RSAShorBrokenReplace (new maths)
Elliptic-curve (ECC/ECDSA/ECDH)ShorBrokenReplace (new maths)
Diffie–HellmanShorBrokenReplace (new maths)
AES (symmetric)GroverMildly weakenedUse AES-256
Hashes (SHA-2/3)GroverMildly weakenedUse longer output

Notice the clean line: everything Shor touches is public-key and must be replaced; everything Grover touches is symmetric or hashing and merely needs bigger sizes. That is the entire quantum threat to cryptography, on one page.

You’ve finished the foundations

Take a breath — you now understand the quantum threat more precisely than most professionals. To recap the whole Foundations ladder:

Everything that follows builds on this one split. The Threat explains why it’s urgent today — the “harvest now, decrypt later” attack — and exactly what falls when public-key falls: certificates, TLS, identity, PKI.

Shor’s algorithm
Quantum method that efficiently factors large numbers and solves related problems — breaks RSA, ECC, Diffie–Hellman.
Grover’s algorithm
Quantum search that roughly square-roots brute-force effort — halves symmetric key strength; fixed by doubling key size.
Factoring
Recovering the prime numbers multiplied to make a given number — RSA’s one-way street.
Hash function
An algorithm producing a fixed-length fingerprint of data (e.g. SHA-256); only mildly affected by quantum.
RSA (Rivest–Shamir–Adleman)
The classic public-key algorithm, named after its inventors; broken by Shor.
ECC (Elliptic-Curve Cryptography)
Public-key crypto built on elliptic curves; smaller keys than RSA, also broken by Shor.
Diffie–Hellman (DH)
The classic public-key key-exchange method; broken by Shor.
AES (Advanced Encryption Standard)
The mainstream symmetric cipher; only halved by Grover, so a bigger key restores safety.

What to carry forward

Next up — The Threat: Harvest now, decrypt later — why an attacker recording your encrypted data today already threatens secrets that must last years. (See the series catalogue for the roadmap.)

Understand it in your own words

Paste into any AI assistant to check yourself:

I just finished the "foundations" of the quantum threat to cryptography.
Quiz me one question at a time, correcting me gently:

1. What does Shor's algorithm do, and which cryptography does it break?
   Why can't I just use a bigger RSA key to escape it?
2. What does Grover's algorithm do? Why is "square-root speed-up" only a
   MILD problem for AES?
3. What's the simple fix that keeps symmetric encryption (AES) and hashes
   safe against Grover?
4. State the clean rule: which whole family must be REPLACED, and which
   just needs BIGGER sizes?
5. Why does this one split drive the entire post-quantum migration?

References & further reading

  1. P. Shor, “Algorithms for Quantum Computation: Discrete Logarithms and Factoring,” 1994 — the algorithm that breaks public-key crypto.
  2. L. Grover, “A Fast Quantum Mechanical Algorithm for Database Search,” 1996 — the quantum search speed-up.
  3. NIST, Post-Quantum Cryptography FAQs — why symmetric crypto only needs larger keys while public-key must be replaced. csrc.nist.gov
  4. NSA, CNSA 2.0 — recommends AES-256 and SHA-384 alongside post-quantum public-key algorithms. nsa.gov/cybersecurity
  5. NIST IR 8547 (draft), Transition to Post-Quantum Cryptography Standards — deprecation timeline for quantum-vulnerable algorithms. csrc.nist.gov