The quantum threat to both symmetric and asymmetric cryptography is that a secret key is brute forced by a quantum computer. But, how this is achieved by quantum computers is different.

The attack on a symmetric key pair is the same as that performed by the computers of today, in that the quantum computer will search and try every key option. However, Grover’s algorithm showed that quantum computers will do this much quicker. Therefore, one way to counter this threat is to increase the time a quantum computer needs to search, so that data can remain secure as long as necessary. For this, a quantum-safe solution already exists and has a standard (the AES block-cipher with 256-bit keys) that organisations can move to.

In terms of protection, AES-256 will likely provide the same protection against a quantum computer as AES-128 does against a traditional computer. This is because AES-256 has 2²⁵⁶different key options and Grover’s algorithm gives a quantum computer a quadratic speedup. Therefore, the quantum computer will try every key in the square root of the time it would take a classical computer to, showing that the protection offered is 2^256/2 = 2¹²⁸.

However, it is not yet clear if it will ever be possible to implement Grover’s algorithm. Therefore, moving symmetric cryptography to the AES-256 standard should offer adequate protection against any feasible current or future attacks.

For an asymmetric key pair, it has been shown that a general-purpose quantum computer (known as a Cryptographically Relevant Quantum Computer or CRQC), will be able to solve the mathematics that link the public and private key in current asymmetric schemes. As yet no quantum-safe mathematical replacement has been standardised, but this is a huge area of research, especially for NIST which started the process to standardise quantum-safe algorithms in 2016. It estimates the first round of quantum-safe candidates will be published by 2022.

The reason it is believed that a CRQC will be able to solve the mathematics used to define the public/private key relationship is because of algorithms like Shor’s. It showed that two of the mathematical problems widely used in today’s public/private key relationships (the factoring of integers and discrete logarithm problems) can be easily solved. Therefore, the long-term goal of quantum-safe asymmetric cryptography research is to find a mathematical problem too hard for even a quantum computer to solve on which the public and private key’s relationship can be constructed. Many candidate quantum-safe algorithms based on new mathematical problems have been put forward in the last few years. However, so far it is believed that it is unlikely that one single ubiquitous quantum-safe public key algorithm will be found. Therefore, once organisations like NIST provide updated standards, the National Cyber Security Centre (NCSC) has stated it will recommend specific algorithms for representative use cases.