Elliptic-curve cryptography
=== Quantum computing attack ===

[[Shor's algorithm]] can be used to break elliptic curve cryptography by computing discrete logarithms on a hypothetical [[Quantum computing|quantum computer]]. The latest quantum resource estimates for breaking a curve with a 256-bit modulus (128-bit security level) are 2330 [[qubits]] and 126 billion [[Toffoli gate]]s.<ref>{{Cite arXiv |eprint=1706.06752 |last1=Roetteler |first1=Martin |title=Quantum resource estimates for computing elliptic curve discrete logarithms |last2=Naehrig |first2=Michael |last3=Svore |first3=Krysta M.|author3-link= Krysta Svore |last4=Lauter |first4=Kristin |class=quant-ph |year=2017 }}</ref> For the binary elliptic curve case, 906 qubits are necessary (to break 128 bits of security).<ref>{{cite journal | last1 = Banegas | first1 = Gustavo | last2 = Bernstein | first2 = Daniel J. | last3 = van Hoof | first3 = Iggy | last4 = Lange | first4 = Tanja | doi = 10.46586/TCHES.V2021.I1.451-472 | issue = 1 | journal = IACR Transactions on Cryptographic Hardware and Embedded Systems | pages = 451–472 | title = Concrete quantum cryptanalysis of binary elliptic curves | volume = 2021 | year = 2021| doi-access = free }}</ref> In comparison, using Shor's algorithm to break the [[RSA (cryptosystem)|RSA]] algorithm requires 4098 qubits and 5.2 trillion Toffoli gates for a 2048-bit RSA key, suggesting that ECC is an easier target for quantum computers than RSA.
All of these figures vastly exceed any quantum computer that has ever been built, and estimates place the creation of such computers at a decade or more away.{{when|date=May 2025}}{{citation needed|date=September 2020}}<ref>{{Cite web|last=Holmes|first=David|date=September 7, 2021|title=RSA in a "Pre-Post-Quantum" Computing World|url=https://www.f5.com/labs/articles/threat-intelligence/rsa-in-a-pre-post-quantum-computing-world|url-status=live|access-date=March 16, 2021|website=f5|archive-url=https://web.archive.org/web/20200808204717/https://www.f5.com/labs/articles/threat-intelligence/rsa-in-a-pre-post-quantum-computing-world |archive-date=2020-08-08 }}</ref> [[Supersingular isogeny key exchange|Supersingular Isogeny Diffie–Hellman Key Exchange]] claimed to provide a [[Post-quantum cryptography|post-quantum]] secure form of elliptic curve cryptography by using [[isogenies]] to implement [[Diffie–Hellman]] key exchanges. This key exchange uses much of the same field arithmetic as existing elliptic curve cryptography and requires computational and transmission overhead similar to many currently used public key systems.<ref>{{cite web|last=De Feo|first=Luca|title=Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies|url=https://eprint.iacr.org/2011/506|work=Cryptology ePrint Archive, Report 2011/506|publisher=IACR|access-date=3 May 2014|author2=Jao, Plut|archive-url=https://web.archive.org/web/20140503190338/http://eprint.iacr.org/2011/506|archive-date=2014-05-03|url-status=dead|year=2011}}</ref> However, new classical attacks undermined the security of this protocol.<ref>{{Cite journal |last=Robert |first=Damien |date=2022 |title=Breaking SIDH in polynomial time |url=https://eprint.iacr.org/2022/1038 |journal=Cryptology ePrint Archive |language=en}}</ref> In August 2015, the NSA announced that it planned to transition "in the not distant future" to a new cipher suite that is resistant to [[quantum computing|quantum]] attacks. 
"Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy."<ref name="nsaquantum">{{cite web|url=https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm|title=Commercial National Security Algorithm Suite|date=19 August 2015|website=www.nsa.gov|url-status=live|archive-url=https://web.archive.org/web/20190604080321/https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm|archive-date=2019-06-04|access-date=2020-01-08}}</ref>
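The section above describes Shor's algorithm as computing discrete logarithms on an elliptic curve, which is the problem ECC relies on being hard. The following Python example is added here and is not part of the Wikipedia article: it implements the affine group law on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97) with base point (3, 6) (parameters chosen for illustration only, not a standard curve), and recovers the private scalar k from the public point Q = kP by exhaustive search while counting the group operations spent. The count makes the asymmetry concrete: computing kP takes O(log k) operations, while the classical search grows with the group order (exponentially in the bit length), which is exactly the gap a polynomial-time quantum algorithm closes.

```python
# Toy elliptic-curve arithmetic and the discrete-logarithm problem (ECDLP).
# Added example; the curve parameters below are constructed for illustration
# and are far too small for real use (standard curves use ~256-bit primes).

P_MOD = 97   # field prime
A, B = 2, 3  # curve y^2 = x^3 + A*x + B over GF(P_MOD)
G = (3, 6)   # base point; (3, 6) satisfies 6^2 = 3^3 + 2*3 + 3 = 36 (mod 97)

# The point at infinity (group identity) is represented as None.


def is_on_curve(pt):
    """True for the identity or for an affine point satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Group law in affine coordinates (handles identity, inverses and doubling)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                        # p2 == -p1, so the sum is the identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add: O(log k) group operations, the 'easy' direction."""
    if k < 0:
        raise ValueError("scalar must be non-negative")
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n >= 1 with n * pt == identity (brute force; fine for a toy curve)."""
    n, cur = 1, pt
    while cur is not None:
        cur = point_add(cur, pt)
        n += 1
    return n


def ecdlp_bruteforce(base, target):
    """Find k with k * base == target by exhaustive search.

    Returns (k, steps), or (None, steps) if target is not a multiple of base.
    The search walks the cyclic group generated by `base`, so the work grows
    linearly with the group order, i.e. exponentially in the key's bit length.
    Shor's algorithm solves this same problem in polynomial time on a quantum
    computer, which is the point made in the section above.
    """
    k, cur, steps = 1, base, 1
    while cur != target:
        if cur is None:
            return None, steps             # wrapped around to the identity: no solution
        cur = point_add(cur, base)
        k += 1
        steps += 1
    return k, steps


if __name__ == "__main__":
    n = point_order(G)
    secret = n - 1                         # largest valid private scalar on this toy curve
    public = scalar_mult(secret, G)        # cheap: a handful of doublings and additions
    found, steps = ecdlp_bruteforce(G, public)
    print(f"order of G = {n}, secret = {secret}, recovered = {found} after {steps} group ops")
```

On this 97-element field the search finishes instantly; on a 256-bit curve the same loop would need on the order of 2^128 group operations, which is why the quantum resource estimates quoted above (thousands of logical qubits, not 2^128 steps) matter.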