
Cryptographically Relevant Quantum Computers

Updated 1 October 2025
  • Cryptographically relevant quantum computers are devices that combine sufficient qubit counts, high fidelity, and fault-tolerant error correction to execute quantum algorithms like Shor's at scales that can break modern cryptographic schemes.
  • They present a significant threat to asymmetric cryptography, as algorithms such as Shor’s can factor RSA moduli and solve discrete logarithms underlying RSA, DH, and ECDSA security.
  • Estimates place CRQC deployment between 2027 and 2033, making timely adoption of quantum-resistant cryptographic strategies and hybrid security frameworks urgent.

A cryptographically relevant quantum computer is a quantum computing device possessing sufficient scale, fidelity, and error correction capability to run quantum algorithms—especially Shor’s algorithm for factoring and discrete logarithms—on parameters matching those widely used in deployed public-key cryptographic systems. Such a device would have the capability to break asymmetric primitives such as RSA, DH, ECDH, and ECDSA, thereby undermining the confidentiality and integrity guarantees foundational to digital security and authenticity infrastructure (Mattsson et al., 2021, Scholten et al., 29 Jan 2024, Benitez, 29 Sep 2025). The following sections provide a technical overview of the definitions, mathematical foundations, threat landscape, security frameworks, resource costs, and migration implications associated with cryptographically relevant quantum computers (CRQCs).

1. Definition and Mathematical Foundation

A cryptographically relevant quantum computer (CRQC) is defined as a quantum computer that possesses the necessary number of physical and logical qubits, gate fidelity, and error correction overhead to reliably execute quantum algorithms that compromise the security of contemporary cryptographic schemes at practical key sizes (Mattsson et al., 2021, Scholten et al., 29 Jan 2024, Benitez, 29 Sep 2025). The core quantum algorithms of concern are:

  • Shor’s algorithm, which factors an integer $N = pq$ and computes discrete logarithms in polynomial time:

    $N = p \times q \implies \text{find } p, q \quad \text{in time } \operatorname{poly}(\log N)$

  • Grover’s algorithm, which accelerates brute-force search over a space of size $N$ to $O(\sqrt{N})$ queries.

The transition to quantum relevance occurs when the system can factor RSA moduli (1024–3072 bits) or break ECDLP on curves used in practice (secp256k1, P-256, etc.) with high probability within a time window meaningful for adversarial operations (hours to weeks) (Benitez, 29 Sep 2025, Scholten et al., 29 Jan 2024).

A CRQC is characterized not just by logical circuit width and depth, but also by its capacity for scalable fault-tolerant quantum error correction, which is required to suppress logical error rates below the threshold set by the number of algorithmic “error opportunities”: for an algorithm using $q$ logical qubits and circuit depth $d$, the tolerated logical error per operation $p_L$ must satisfy:

$p_L \lesssim (q \cdot d)^{-1}$

where typical $q$ and $d$ for cryptographic attacks are in the thousands and billions, respectively (Scholten et al., 29 Jan 2024).

2. Quantum Threat Landscape: Asymmetric and Symmetric Primitives

The existential threat posed by CRQCs to current cryptographic systems is twofold (Benitez, 29 Sep 2025, 1804.00200, AlRaimi et al., 2021):

  • Asymmetric Cryptography Vulnerability: Shor’s algorithm breaks RSA, DH, ECDH, and ECDSA by efficiently factoring large integers and solving discrete logarithms over finite fields and elliptic curves.

    • Mathematical illustration:

    $g^x \equiv y \mod p \implies \text{find } x \text{ (efficient with Shor’s)}$

    • Adversaries gain both retrospective access to confidential data—decrypting stored ciphertexts collected under “Harvest Now, Decrypt Later” (HNDL) attacks—and the ability to forge digital signatures.

  • Symmetric Cryptography Degradation: Grover’s algorithm reduces the effective security of $n$-bit block ciphers and hash functions to $n/2$ bits (quadratic speedup), implying that AES-128 offers only 64 bits of quantum security (Kaplan et al., 2015).

    • The cost of a quantum brute-force attack on symmetric primitives is:

    $T_Q \approx \left\lfloor \frac{\pi}{4} \sqrt{N} \right\rfloor$

    • The symmetric-key threat is therefore mitigated by doubling key or digest sizes (e.g., AES-256, SHA-384/512).

3. Security Proofs and Quantum-Friendly Reductions

The adaptation of classical security arguments to the quantum adversarial setting is nontrivial due to unique quantum properties, notably no-cloning and the impossibility of certain rewinding techniques. A general framework to “lift” classical security reductions is provided in (Song, 2014), which distinguishes between:

  • Game-preserving reductions: Where the adversarial class and oracle structure are unchanged. A reduction $(G^{(B)}, T, G^{(A)})$ is quantum-friendly if it is straight-line, value-dominating, and (class, class)-respectful.
  • Game-updating reductions: Required when adversaries have superposition access to oracles (e.g., in the Quantum Random Oracle Model). Here, an interpreter is introduced to relate quantum adversaries to their classical counterparts, with effectiveness scaling by a parameter $\beta \cdot \beta'$.

Key implication: Signature schemes such as Merkle hash-trees and the XMSS-like BDH11 variant are shown to retain provable security against quantum adversaries provided the underlying one-way functions and hash functions are quantum-secure:

$\Pr[\text{Forge}] \leq p(n) \cdot \epsilon_f$

Quantum-friendly reductions provide a blueprint for certifying the quantum security of classical schemes by formalizing the conditions under which proof techniques “survive” quantization.

4. Resource Estimates and Timelines for CRQC Deployment

Achieving cryptographically relevant attacks requires quantum hardware significantly beyond the NISQ era in terms of logical qubits, error rates, and circuit volume. Recent benchmark studies (Gheorghiu et al., 2019, Dallaire-Demers et al., 19 Aug 2025, Scholten et al., 29 Jan 2024) compute the required resources for Shor’s algorithm to break typical cryptosystems:

Target Problem         | Logical Qubits | Depth       | Physical Qubits (Surface Code) | Estimated Timeline*
RSA-2048 factoring     | $>4000$        | $10^{12}$   | $10^7$–$10^8$                  | 2027–2033
ECC (secp256k1) ECDLP  | $\sim 3000$    | $>10^{10}$  | $10^5$–$10^7$                  | 2027–2033

*Assuming physical gate error rates around $10^{-3}$ to $10^{-4}$, aggressive qubit connectivity and distillation throughput, and advances in fault-tolerant architectures (Dallaire-Demers et al., 19 Aug 2025).

Early “challenge ladders” that scale ECDLP or factoring problems from small to full size (by lowering field size in the case of ECDLP) provide critical experimental benchmarks (Dallaire-Demers et al., 19 Aug 2025).

Approximate quantum methods (variational algorithms, error mitigation, circuit knitting) do not lower the asymptotic resource requirements for cryptanalysis, so CRQC timelines remain dominated by error-corrected quantum computation (Scholten et al., 29 Jan 2024).

5. Cross-Domain Inventory and Practical Exposures

A comprehensive survey of digital ecosystems reveals ubiquitous dependence on quantum-vulnerable asymmetric primitives (Benitez, 29 Sep 2025):

Domain                     | Example Protocols/Systems     | Quantum Algorithms Threatening
Network transport          | TLS, SSH, IPsec               | Shor, Grover
PKI, certificate chains    | X.509, DNSSEC, S/MIME, GPG    | Shor
Payment/blockchain         | ECDSA (e.g., Bitcoin, ETH)    | Shor
IoT, embedded, automotive  | V2X, boot, firmware signing   | Shor, Grover

Shor’s algorithm allows signature forgery and ciphertext decryption, destroying both authenticity and confidentiality. Grover’s algorithm also moderately affects MACs, ciphers, and hash-based proofs.

The “Harvest Now, Decrypt Later” (HNDL) risk is especially acute: adversaries may record encrypted communications now for future decryption once CRQC is available (Mattsson et al., 2021).

6. Migration Strategies: Quantum-Resistant Cryptography

In anticipation of CRQC deployment, coordinated migration to quantum-resistant (post-quantum) cryptography is essential (Mattsson et al., 2021, Scholten et al., 29 Jan 2024, 1804.00200). Key elements:

  • Quantum-Resistant Primitives: Lattice-based (e.g., Kyber, Dilithium), code-based, hash-based, and multivariate schemes are being standardized by NIST and international bodies. These rely on computational problems for which no efficient quantum algorithms are known.
  • Symmetric-Key Adjustments: Key and digest sizes are increased (e.g., AES-256, SHA-384/512) to maintain an adequate quantum security margin.
  • Protocol Integration: Hybrid modes, in which classical and post-quantum primitives are combined, allow for a gradual transition.
  • Lifecycle Inventory: Systematic audits are required to locate and schedule the replacement of quantum-vulnerable components, particularly in infrastructure with long update cycles (e.g., firmware, critical infrastructure, payment systems) (Benitez, 29 Sep 2025).

Migration speed is dictated by the cryptographic agility of existing systems, availability of standardized PQC libraries, and the time window before successful large-scale quantum attacks become feasible.
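As an added example (not code from any of the cited papers), the following Python applies the threat model above to a constructed cryptographic inventory: uses of Shor-broken public-key primitives score zero quantum security, symmetric uses are halved per Grover (with the $T_Q$ query count from section 2), and each entry is flagged for HNDL exposure and given a migration start year against the 2027 lower bound of the CRQC window. The record layout, the sample systems and their lead-time values are assumptions made for this illustration.

```python
import math
from dataclasses import dataclass
CRQC_WINDOW = (2027, 2033)                        # deployment estimates quoted on the page
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA"}      # Shor: polynomial-time break
GROVER_HALVED = {"AES", "SHA2", "SHA3", "HMAC"}   # Grover: n-bit security falls to n/2 bits

@dataclass
class CryptoUse:               # constructed inventory record; field layout is an assumption
    system: str
    algorithm: str
    bits: int                  # modulus/curve size, or symmetric key/digest size
    secret_until: int = 0      # last year the protected data must stay confidential (0: none)
    migrate_years: int = 1     # lead time needed to roll out a replacement on this system

def quantum_security_bits(use: CryptoUse) -> int:
    if use.algorithm in SHOR_BROKEN:
        return 0
    return use.bits // 2 if use.algorithm in GROVER_HALVED else use.bits  # PQ/unknown: no speedup modelled

def grover_queries(n_bits: int) -> int:
    """T_Q = floor(pi/4 * sqrt(N)) for N = 2^n; isqrt keeps sqrt(N) exact when n is even."""
    return math.floor(math.pi / 4 * math.isqrt(1 << n_bits))

def hndl_exposed(use: CryptoUse) -> bool:
    """Traffic recorded today is decryptable later if secrecy must last into the CRQC window."""
    return use.algorithm in SHOR_BROKEN and use.secret_until >= CRQC_WINDOW[0]

def assess(inventory, now: int, target_bits: int = 128):
    """One finding per entry: (system, pq_bits, hndl_exposed, start_by_year, action)."""
    findings = []
    for u in inventory:
        pq, start_by = quantum_security_bits(u), CRQC_WINDOW[0] - u.migrate_years
        if u.algorithm in SHOR_BROKEN:
            action = "migrate to PQC (hybrid mode first)"
            action += "; priority: HNDL" if hndl_exposed(u) else ""
            action += "; overdue" if start_by <= now else ""
        elif pq < target_bits:
            action = f"double size to {u.bits * 2}"
        else:
            action = "ok"
        findings.append((u.system, pq, hndl_exposed(u), start_by, action))
    return findings

SAMPLE = [  # constructed entries mirroring the page's domain table
    CryptoUse("TLS edge (ECDH key exchange)", "ECDH", 256, secret_until=2035, migrate_years=2),
    CryptoUse("Firmware signing", "RSA", 3072, migrate_years=5),
    CryptoUse("Payment HSM cipher", "AES", 128),
    CryptoUse("Backup integrity", "SHA2", 256),
]
```

Running `assess(SAMPLE, now=2025)` ranks the ECDH endpoint first because its data must stay secret past 2027 (HNDL) and its two-year lead time is already consumed, while the AES-128 entry only needs its key size doubled.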

7. End-to-End Security and New Quantum-Resistant Designs

Developing cryptosystems with provable security in the presence of quantum adversaries requires adapting both design and analysis (Song, 2014, Alagic et al., 2016). Methods include:

  • Quantum encryption schemes for quantum data (qSKE, qPKE) constructed from quantum-secure one-way functions and trapdoor permutations, with formal security definitions (indistinguishability, semantic security) and proofs that mirror and extend classical results.
  • Post-Quantum Signatures such as those built from hash-trees and their efficient variants (e.g., Merkle, XMSS/BDH11), justified via “quantum-friendly” reductions.
  • Quantum-aware protocol analysis, including frameworks to systematically lift classical security reductions to the quantum setting, incorporating superposition oracle models and black-box separations.

Quantum-resistant cryptography is thus predicated on provable security against QPT adversaries, formal lifting of classical reduction-based proofs, and post-quantum hard mathematical problems. The ongoing standardization and deployment of such primitives are central to defending critical infrastructure ahead of CRQC deployment.


In conclusion, cryptographically relevant quantum computers are poised to invalidate current public-key security models, disrupt digital authentication, and compromise historical confidentiality unless post-quantum cryptographic migration is successfully completed before their practical realization. Coordinated research in quantum algorithm resource estimation, the design of quantum-friendly reductions, comprehensive dependency inventories, and large-scale deployment of PQC is essential to the long-term security of information systems in the quantum era.
