Editing Quantum computing (section)
=== Post-quantum cryptography ===
{{Main|Post-quantum cryptography}}
A notable application of quantum computation is for [[cryptanalysis|attacks]] on cryptographic systems that are currently in use. [[Integer factorization]], which underpins the security of [[public key cryptography|public key cryptographic]] systems, is believed to be computationally infeasible with an ordinary computer for large integers if they are the product of few [[prime number]]s (e.g., products of two 300-digit primes).<ref>{{cite journal |last=Lenstra |first=Arjen K. |url=http://sage.math.washington.edu/edu/124/misc/arjen_lenstra_factoring.pdf |title=Integer Factoring |journal=Designs, Codes and Cryptography |volume=19 |pages=101–128 |year=2000 |doi=10.1023/A:1008397921377 |issue=2/3 |s2cid=9816153 |url-status=dead |archive-url=https://web.archive.org/web/20150410234239/http://sage.math.washington.edu/edu/124/misc/arjen_lenstra_factoring.pdf |archive-date=10 April 2015 }}</ref> By comparison, a quantum computer could solve this problem exponentially faster using Shor's algorithm to find its factors.{{sfn|Nielsen|Chuang|2010|p=216}} This ability would allow a quantum computer to break many of the [[cryptography|cryptographic]] systems in use today, in the sense that there would be a [[polynomial time]] (in the number of digits of the integer) algorithm for solving the problem. In particular, most of the popular [[Asymmetric Algorithms|public key ciphers]] are based on the difficulty of factoring integers or the [[discrete logarithm]] problem, both of which can be solved by Shor's algorithm; the [[RSA (algorithm)|RSA]], [[Diffie–Hellman]], and [[elliptic curve Diffie–Hellman]] algorithms could therefore be broken. These are used to protect secure Web pages, encrypted email, and many other types of data, so breaking them would have significant ramifications for electronic privacy and security.
Identifying cryptographic systems that may be secure against quantum algorithms is an actively researched topic under the field of ''post-quantum cryptography''.<ref name="pqcrypto_survey">{{cite book |doi=10.1007/978-3-540-88702-7_1 |chapter=Introduction to post-quantum cryptography |title=Post-Quantum Cryptography |year=2009 |last1=Bernstein |first1=Daniel J. |pages=1–14 |isbn=978-3-540-88701-0 |place=Berlin, Heidelberg |publisher=Springer|s2cid=61401925 }}</ref><ref>See also [http://pqcrypto.org/ pqcrypto.org], a bibliography maintained by Daniel J. Bernstein and [[Tanja Lange]] on cryptography not known to be broken by quantum computing.</ref> Some public-key algorithms are based on problems other than the integer factorization and discrete logarithm problems to which Shor's algorithm applies, like the [[McEliece cryptosystem]] based on a problem in [[coding theory]].<ref name="pqcrypto_survey" /><ref>{{cite journal |last1=McEliece |first1=R. J. |title=A Public-Key Cryptosystem Based On Algebraic Coding Theory |journal=DSNPR |date=January 1978 |volume=44 |pages=114–116 |url=http://ipnpr.jpl.nasa.gov/progress_report2/42-44/44N.PDF |bibcode=1978DSNPR..44..114M}}</ref> [[Lattice-based cryptography|Lattice-based cryptosystems]] are also not known to be broken by quantum computers, and finding a polynomial time algorithm for solving the [[dihedral group|dihedral]] [[hidden subgroup problem]], which would break many lattice-based cryptosystems, is a well-studied open problem.<ref>{{cite journal |last1=Kobayashi |first1=H. |last2=Gall |first2=F. L. |year=2006 |title=Dihedral Hidden Subgroup Problem: A Survey |journal=Information and Media Technologies |volume=1 |issue=1 |pages=178–185 |doi=10.2197/ipsjdc.1.470 |doi-access=free}}</ref> It has been proven that applying Grover's algorithm to break a [[Symmetric-key algorithm|symmetric (secret key) algorithm]] by brute force requires time equal to roughly 2<sup>''n''/2</sup> invocations of the underlying cryptographic algorithm, compared with roughly 2<sup>''n''</sup> in the classical case,<ref name=bennett_1997>{{cite journal |last1=Bennett |first1=Charles H. |last2=Bernstein |first2=Ethan |last3=Brassard |first3=Gilles |last4=Vazirani |first4=Umesh |title=Strengths and Weaknesses of Quantum Computing |journal=SIAM Journal on Computing |date=October 1997 |volume=26 |issue=5 |pages=1510–1523 |doi=10.1137/s0097539796300933 |arxiv=quant-ph/9701001 |bibcode=1997quant.ph..1001B |s2cid=13403194 }}</ref> meaning that symmetric key lengths are effectively halved: AES-256 would have the same security against an attack using Grover's algorithm that AES-128 has against classical brute-force search (see ''[[Key size#Effect of quantum computing attacks on key strength|Key size]]'').