Post‑Quantum Cryptography: Threats, Algorithms & Migration

Name: Post Quantum Cryptography - Computerphile
Uploaded: 2026-04-02T13:42:53.196821+00:00
Duration: 13 min 26 s
Channel: Computerphile
Description: Summary and key takeaways on Post Quantum Cryptography - Computerphile: Summary & Key Takeaways, covering The Quantum Threat Quantum computers that can break

Computerphile

Apr 02, 2026

•

13 min video

•

2 min read

YouTube video ID: _MoRcYLN-7U

Source: YouTube video by Computerphile — Watch original video

PDF

Quantum computers that can break today’s encryption do not exist yet. The largest error‑corrected machines hover around 50 qubits, and estimates place a truly powerful device many decades away. Even so, the “harvest now, decrypt later” approach encourages attackers to capture encrypted traffic today and store it for future decryption once quantum hardware matures. This forward‑looking threat motivates the search for quantum‑resistant security long before the hardware arrives.

Algorithmic Impacts

Grover’s algorithm gives a quadratic speedup for unstructured search, effectively halving the bit‑security of symmetric keys. Under Grover, AES‑128 drops to an effective 2^64 security level, while AES‑256 retains about 2^128. The simple fix is to adopt larger symmetric keys, such as AES‑256, to preserve a comfortable margin.

Shor’s algorithm, by contrast, solves integer factorization and discrete logarithms in polynomial time. A successful run would dismantle RSA, Diffie‑Hellman, and elliptic‑curve cryptography. Estimates suggest roughly 4,000 qubits are needed for Shor to break a typical RSA key, a far cry from today’s 50‑qubit machines but a clear target for future development.

Transitioning to Post‑Quantum

Since 2016, NIST has run a competition to standardize quantum‑resistant algorithms. The process has already eliminated vulnerable candidates; for example, the SIKE (Super‑singular Isogeny Key Exchange) scheme was broken in 2022. Modern TLS implementations now often employ hybrid key exchanges, pairing a classic elliptic‑curve method like X25519 with a post‑quantum scheme such as Kyber (ML‑KEM 768). This dual approach lets existing infrastructure continue to work while adding a lattice‑based layer that relies on the hardness of finding the nearest point in a high‑dimensional grid.

Hash‑based signature schemes also earn a place in the post‑quantum toolbox because they depend only on the one‑way nature of hash functions, a property that remains solid against quantum attacks. Together, lattice‑based key encapsulation and hash‑based signatures form a practical migration path for securing data well into the quantum era.

Sponsor Note

The conversation is brought to you by Jane Street, a trading firm that supports research into future‑proof cryptography. Their involvement underscores the industry‑wide recognition that preparing for quantum threats is not a speculative exercise but a prudent risk‑management strategy.

Takeaways

Current quantum computers top out at about 50 error‑corrected qubits, keeping them far from the capability needed to break modern encryption.
Grover's algorithm halves symmetric key security, making AES‑128 equivalent to 2^64 bits, while AES‑256 still offers roughly 2^128 bits of protection.
Shor's algorithm would compromise RSA and elliptic‑curve cryptography, and estimates place the required qubit count around 4,000.
NIST's post‑quantum standardization effort, started in 2016, has already discarded vulnerable candidates like SIKE and promotes lattice‑based schemes such as Kyber.
Hybrid TLS key exchanges that combine classic elliptic‑curve methods with post‑quantum algorithms provide a practical bridge toward quantum‑resistant security.

Frequently Asked Questions

What does the "harvest now, decrypt later" strategy involve?

It involves intercepting and storing encrypted communications today with the intention of decrypting them in the future once quantum computers become powerful enough to break current encryption. The approach assumes attackers can retain data long enough for quantum breakthroughs to occur.

How many qubits are estimated to be needed for Shor's algorithm to break RSA?

Rough estimates put the requirement at about 4,000 qubits for Shor's algorithm to factor an RSA key successfully. This figure contrasts sharply with today's largest error‑corrected machines, which contain roughly 50 qubits.

Who is Computerphile on YouTube?

Computerphile is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Introduction To Quantum Computing Book Recommended

Provides a foundational understanding of quantum mechanics and qubit behavior, which helps clarify why quantum computers threaten current encryption methods.

Amazon →

Applied Cryptography Textbook For Computer Scientists

Explains the mathematical principles behind RSA, ECC, and hash functions, providing the necessary context to understand how Shor's and Grover's algorithms break them.

Amazon →

Understanding Post-Quantum Cryptography Guide

Covers the transition to lattice-based and hash-based schemes, offering a deeper dive into the NIST standardization process mentioned in the podcast.

Amazon →

Hardware Security Key For Two-Factor Authentication

Physical security keys provide an additional layer of protection that remains relevant even as cryptographic standards evolve to become quantum-resistant.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

It's time to panic, Sean. We need to
implement postquantum.
>> Postquantum.
>> Postquantum algorithms, right? We should
all panic, right?
>> This has nothing to do with the mailbox.
This is
>> We shouldn't panic. We could talk about
postquantum today, right? Postquantum is
algorithms that are robust to quantum
attack, right? So, we have a bunch of
cryptography that that underpins most of
what we do, for example, online or on
any computer system really. And a lot of
this is quite vulnerable to specific
attacks if a quantum computer was
invented that was big enough, right? And
such a computer doesn't exist today. But
we can't rule out that it wouldn't in
the future. And so the question is when
do we panic and how much do we panic?
As of recording this video, there's lots
of companies working on quantum
computers, right? We've done some videos
on quantum before. The biggest quantum
computers are somewhere around 50
cubits, right? Like and and this is
error corrected cubits. So cubits that
have some resistance to to the sort of
noise of the system. Um
Shaw's algorithm, right, which is um the
algorithm that factors large integers
and can solve discrete logarithms as
well, right? the kind of like the the
gold standard for algorithms on a
quantum computer to break an RSA key
would need somewhere around 4,000
cubits, right? So, it's safe to say we
are not there, right? There's a question
as to whether we will ever be there,
right? Or if we are going to be what the
time scale is, right? Conservatively the
well, no, actually even ambitiously the
time scale is in the order of decades, I
think, right? But you know, we may be
here in 30 years with me very gray
explaining to you and you've got a bit
old so you're shaking the camera around
>> even more.
>> Yeah. And say, you know, we're still 30
years off this quantum thing. What a
waste of time that was. Right. I don't
know. That's what's so interesting about
it. So postquantum is not about, oh no,
there's a there's a quantum computer.
It's there's a small chance of a quantum
computer. Can we make some informed
decisions about this? There are two
quantum algorithms that we could just
briefly mention, right? There's Grover's
algorithm and Grover's algorithm takes a
search problem and square roots the
runtime. Suppose you're trying to break
an AS key and your AES key is 128 bits.
So on a classical computer, you would do
2 to the 128 operations to brute force
that you would guess a key. Does it
work? No. Guess a key. Does it work? No.
Right? And you just keep going. This is
very very slow. Grovers square roots
this. Right? So the actual search base
would be 2 to the 64. Now 2 to the 64 is
kind of within reach, right? So that's
getting a little bit uncomfortable if
such a quantum computer can be invented.
Now for as it's not a huge problem,
right? So AS has a 256 bit key variant,
right? A longer key. If we're at 2 to
256, then Grover's brings this down to 2
to 128, which is not breakable, right?
On a quantum or a classical computer. So
it's problem solved. So Grover's
algorithm only has a marginal effect
right on our ability to do um to secure
systems. The bigger problem is Shaw
right? So Shaw's algorithm factors
integers in polomial time. Suppose you
have a large number n and that I'm
telling you that n is p times by q. So
this is fundamental to the rsa
algorithm. If you don't know what p and
q are on a classical computer, it's very
very slow to determine what they are.
You basically have to guess. There's a
number field C that makes it a bit
faster. It's not fast, right? And so a
2,000 bit or a 4,000 bit RSA key is
currently secure. Suppose there was an
algorithm that could tell you what P and
Q were rapidly. Then you can start
spoofing certificates. You can start uh
hijacking people's internet sessions.
you can start decryting any data that
was secured using one of these keys or
discrete logarithm problems and elliptic
curve problems like the diffy helman key
exchange that we talked about before
right so that's a much much bigger
problem right if such a quantum computer
was invented this would be trivially
broken and we would need to do something
about that to be absolutely clear such a
computer doesn't exist right I I remain
skeptical as to whether we will see one
in 20 or 30 years but I'm not in charge
right and to be fair there's not a big
chance that my house will set on fire
but I still buy house insurance just in
case it does right there is an argument
that says we should be considering this
because of this sort of future proofing
there's a concept that's often talked
about called harvest now decrypt later
and this is the idea that if you were
let's say a government right and you
wanted to break all the encryption of
other governments to find out what they
were up to right you can't do that
because we can't factor this number but
if a quantum computer exists we could so
what we'll do is we'll sniff if all of
the traffic store on a big disc and then
in 20 years when a computer is invented
that can do it, we break everything.
Right? So we're we're not by by coming
up with schemes that are trying to be
robust to these quantum attacks, we are
not saying because they exist. We're
saying that because there's a small but
notable chance they might exist in 20 or
30 years. And so why wouldn't we replace
with an algorithm that at that time will
shrug and go don't care. Right? So
that's what we have to do. Postquantum
cryptography doesn't mean we are now
postquantum. Right? It means we're
preparing for a world in which we might
be postquantum in the future.
>> What uses 20-year-old information, I
suppose.
>> Yeah. So I mean that's a good question.
In my case, pretty useless, right? So
you know I go on Amazon, I buy something
with my credit card details, right?
those details are long expired by the
time my my passport number, anything
that's sort of private to me has long
expired before any of these things could
realistically break it. Right? But kind
of government strategy documents or
military secrets or interesting
experiments at Roswell in eight weather
aliens. I don't really have 30-year-old
secrets, but some people might and those
people should probably think about this.
As it happens, they are thinking about
this. governments are coming up with
these timelines for transitioning to
postquantum algorithms.
Um, and so without realizing, most of us
are probably using them already, right?
If you go on TLS now, if you go on on
the web, if you go to Google for
example, you will be using a hybrid key
exchange that combines elliptic curves
and a new algorithm called Kyber, which
is a latisbased scheme that does a key
transport, right? Or key encapsulation.
NIST, the National Institute for Stands
and Technologies in the United States,
has really been driving this forward.
They started this competition in 2016
and since then we've had various rounds
where different algorithms have been
submitted. They've all been tested and
we now have some winners in inverted
commas which are starting to be ratified
as standards. It's not been smooth
sailing for all of the algorithms,
right? This is true of most of these
competitions. So for example, there was
a potential key exchange mechanism
called super singular isogyny key
exchange or psych. This was broken
horribly in 2022. It could have been the
one we use and then someone went
actually it has a huge vulnerability,
right? So we don't know, right? Some of
these algorithms, they're very very new.
They're untested. We cannot be sure yet.
And so we have to be very careful to
roll these things out. these algorithms
that are susceptible all seem to rely on
some kind of factoring.
>> Factoring or discrete logarithms.
>> Where do you go to avoid that?
>> Yeah. So there are a couple That's a
good question. That's that's that's
precisely what we've been working on
since 2016. Right. So there are a few
dominant stat ways of doing cryptography
that we think are resilient to both
classical and quantum algorithms. Right?
Um bearing in mind and this is this
cannot you know be repeated enough a
quantum computer is not simply a fast
regular computer right it has a
completely different set of algorithms
many of which are not helpful for
certain problems right so for example
shores is good for integer factorization
if you wanted to use it to brute force
as it doesn't work it's not it's not the
right algorithm right it just doesn't
apply we're really trying to come up
with algorithms that are resistant to
these specific quantum attacks rather
than just the general concept of a very
fast computer right which is a issue.
Um, so there are a couple of there are
latises. Maybe we can do a a video that
goes into more detail on latises, right?
But a latis is a grid of uniform points
like this. And I'll just give you an
example of something that's hard on a
lattice, right? If this is the origin
down here, and I give you a point over
here, I want you to tell me what the
nearest latice point is. This is
extremely easy because it's it's this
one, right? Or it's this one. But you
can't see the lattice. And the latice
has a thousand dimensions. So I didn't
try and draw it. The problem of the
shortest vector in a latis or the
closest point in a latis. These kind of
problems. There's another related
problem called learning of errors. These
are what underpin some of the new
postquantum schemes. And it's not
because this is better than elliptic
curves or it's better than RSA. It's
because we do not think that latises
yield to a particular algorithm on on
quantum. Now someone might come up with
such an algorithm but they haven't done
yet. There's another one based on hash
functions. So we spent quite a lot of
time talking about hash functions,
right? And there are signature schemes.
So signature schemes for certificates
that you could come up with that use the
one-way property of hash functions. So
the idea is that you publish a bunch of
hashes and then when it comes time to
sign and reveal your secret information,
you show you reveal the original message
that you hashed, right? As proof that it
was you. Okay, that's a gross
oversimplification, right? For those
people who actually wrote this
algorithm, these hashbased algorithms
are also felt to be robust to quantum.
Right? We already talked about grovers.
If you use a 256 or a 512 bit hash,
you're out of reach of this unstructured
search. Anything based on hashes is
going to be fine. We also know that
hashes are robust to classical
computers. These are not magic
algorithms. They're just algorithms
where we don't currently know of a
quantum or a classical algorithm that
could beat them, right? And so they're
likely to still be standing in 30 years
time. Now the timeline is actually quite
ambitious, right? The idea is that we're
we're getting we're moving away from
elliptic curves and we're moving away
from Diffy Helman key exchange and
equivalents within the next kind of 5
years, right? So you know, all of those
nice videos I've done on on computer
file are going to be completely
deprecated, which is, you know, well,
I'll live with it. I don't develop
quantum computers, right? I don't write
algorithms for quantum computers. I'm
not hugely interested in the time scale
of a quantum computer, but the kind of
way that this kind of conceivable but
unlikely threat interacts with how we
make decisions today is very interesting
to me. Right? And actually another thing
that's really interesting is that we
don't know for sure there isn't a
quantum algorithm. We don't know for
sure there isn't a classical algorithm
that can beat latises. And so in some
sense maybe we don't fully trust latises
either. So actually modern TLS will use
something like X25519
M L KM
768
as its key exchange mechanism. Right.
And I'm surprised I managed to wheel
that off. Right. This here I'm get to
change my pen. This is an elliptic curve
key exchange. Normal key exchange that
we've all been doing for the last 5 10
years. Right. This is postquantum. This
is Kyber, right? A Latis problem using
learning with errors. And we are not
convinced that in in 20 or 30 years this
was going to stand up to a quantum
computer. We don't know either way on
this one, right? We think it probably
will, but we don't know. So use both. We
do two key exchanges at the same time.
One using a normal algorithm, one using
a postquantum algorithm. We append the
results together and we derive our
secret key from that. Right? So this all
gets turned into a key, right? which can
be used for our internet key exchange.
If you go on Google now using a modern
browser, you look at your security tab,
this is what you will see almost
certainly, right? So, it's already being
rolled out. So, anyone that goes, "Wow,
quantum computers don't exist." Well, or
at this scale, that's true, but we're
already using algorithms that hopefully
won't break when they do.
>> A really quick message about a really
fun puzzle devised by Jane Street, our
channel sponsor. Jane Street, as you
know, are a leading international
trading firm and have a huge interest in
things like neural network models to
drive their trading strategies. The
puzzle here, available free on their
website, has been created by their
machine learning team and involved
shuffling all 96 of its layers. You've
got to kind of put it all back together
like a jigsaw. Now, I'm not going to
lie, I was pretty stumped by it, but
I'll include some links below so you can
give it a go and maybe send in your
answers. Last time I checked, fewer than
a hundred people had cracked it. And if
this sort of thing is your cup of tea,
you should also check out some of the
open rolls and programs at Jane Street
for people just like you. I was at their
New York offices just recently. And
well, it really looks like a dream place
to work.
That is a nice little piece of art.
Nice.