How Quantum Algorithms Impact Modern Encryption

Modern encryption rests on a foundation of computational assumptions: that certain mathematical problems are so difficult to solve that no practical attack is feasible within any meaningful timeframe. For decades, those assumptions held. The mathematical structures underlying RSA, elliptic curve cryptography, and Diffie-Hellman key exchange were treated as effectively impenetrable by any computer that could realistically be built. Quantum algorithms have decisively changed that calculus.

Two quantum algorithms in particular, Shor’s algorithm for solving factoring and discrete logarithm problems and Grover’s algorithm for accelerating search across solution spaces, threaten the cryptographic systems that protect the vast majority of enterprise data, communications, and digital infrastructure today. Understanding how each algorithm works, what it threatens, and how significantly it changes the cryptographic landscape is essential for organizations building a response to the quantum computing era.

The quantum algorithms threatening current encryption that security architects must plan for are not hypothetical future threats. They are mathematically established capabilities that will become practically executable as quantum hardware scales. The strategic decisions enterprises make about cryptographic migration in the next several years will determine whether they are prepared when that scale is reached.

The Two Algorithms Every Security Team Needs to Understand

Shor’s algorithm and Grover’s algorithm are often discussed together because both are quantum algorithms with cryptographic implications. However, they operate on entirely different principles, threaten different categories of cryptography, and demand different organizational responses.

Shor’s algorithm, published in 1994 by Peter Shor while at Bell Labs, solves the prime factorization problem and the discrete logarithm problem in polynomial time. These problems are the mathematical foundations of RSA encryption, elliptic curve cryptography, and Diffie-Hellman key exchange. On a classical computer, these problems scale exponentially with the size of the numbers involved, making them computationally infeasible for sufficiently large key sizes. Shor’s algorithm eliminates this scaling advantage, reducing what would require millions of years of classical computation to a task achievable in hours on a sufficiently capable quantum machine.

Grover’s algorithm, published in 1996 by Lov Grover, also at Bell Labs, addresses a different problem: searching through an unsorted list of possibilities to find the one that satisfies a given condition. On a classical computer, this search requires on average half the total number of possibilities. Grover’s algorithm reduces this to approximately the square root of the total number of possibilities, a quadratic rather than exponential speedup. Applied to symmetric encryption key search, Grover’s algorithm halves the effective security of any key, measured in bits: an n-bit key offers roughly n/2 bits of security against a quantum key search.

The distinction between these two types of speedup matters enormously. An exponential speedup completely breaks the affected cryptographic systems. A quadratic speedup weakens them, but the weakness is addressable through longer key lengths without replacing the underlying algorithms.

How Shor’s Algorithm Undermines Asymmetric Cryptography

The specific mechanism by which Shor’s algorithm breaks RSA encryption begins with converting the factoring problem into a period-finding problem. Given a large integer N to factor, Shor’s algorithm selects a random integer and uses quantum superposition to compute the period of a specific mathematical function involving that integer and N. The periodic structure of this function can be determined exponentially faster on a quantum computer than on a classical machine, and once the period is known, the prime factors of N can be extracted through classical mathematical techniques.
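The reduction described above can be followed end to end on toy-sized numbers. The block below is an added example, not code from the article: it keeps the classical parts of Shor’s algorithm (choose a base, reduce a period to factors with gcd) and replaces the quantum period-finding step with a brute-force loop, which is only feasible for small N and is exactly the step a quantum computer performs exponentially faster. Function names and the sample moduli 15, 21 and 91 are the example’s own choices.

```python
from math import gcd


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (the order of a modulo n).

    On a quantum computer this is the quantum Fourier transform step.
    Here it is brute-forced, which is only feasible for toy-sized n.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factors_from_period(a: int, n: int, r: int):
    """Classical post-processing: turn a period into a factor pair, or None.

    The period must be even and a**(r/2) must not be -1 mod n. Then
    (a**(r/2) - 1) * (a**(r/2) + 1) is a multiple of n while neither
    bracket is, so gcd with n recovers a non-trivial factor.
    """
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return tuple(sorted((cand, n // cand)))
    return None


def shor_classical(n: int):
    """Run the Shor reduction with the period oracle simulated classically.

    Returns (a, r, (p, q)) for the first base a whose period yields factors.
    Bases sharing a factor with n are skipped so the period route is the one
    exercised, even though gcd(a, n) would already give a factor there.
    """
    for a in range(2, n):
        if gcd(a, n) != 1:
            continue
        r = find_period(a, n)
        factors = factors_from_period(a, n, r)
        if factors is not None:
            return a, r, factors
    raise ValueError(f"{n} has no usable base: prime or prime power")


if __name__ == "__main__":
    for n in (15, 21, 91):  # constructed toy moduli
        a, r, (p, q) = shor_classical(n)
        print(f"N={n}: base a={a} has period r={r}; gcd step gives {p} * {q}")
```

Running it shows why the algorithm is probabilistic in the base: for N = 15 the base 14 has period 2 with 14 ≡ -1 (mod 15), which the post-processing rejects, while base 2 (period 4) succeeds. The only part a quantum computer changes is `find_period`; everything before and after it is ordinary number theory.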

The result is an algorithm that scales polynomially rather than exponentially with the size of the number being factored. For RSA-2048, the dominant key size in contemporary enterprise deployments, researchers have estimated that a quantum computer with approximately 20 million error-corrected logical qubits could factor the key in roughly eight hours. Current quantum systems operate at a small fraction of this scale, but hardware capabilities have been advancing at a pace that has consistently surprised experts.

Shor’s algorithm also applies to elliptic curve cryptography through the elliptic curve discrete logarithm problem, and to Diffie-Hellman key exchange through the classical discrete logarithm problem. This means the threat is not limited to RSA but extends to essentially all of the public-key cryptographic infrastructure that secures web traffic through TLS, authenticates identities through digital certificates, establishes VPN connections, and protects API communications across enterprise environments.

Research into Shor’s algorithm has not been static since its original publication. As analyzed in Quanta Magazine’s examination of quantum factoring algorithm advances, a new variant developed by NYU computer scientist Oded Regev in 2023 improves the relationship between the size of the number being factored and the number of quantum operations required, reducing the quantum circuit complexity of the algorithm in a fundamentally new way. Subsequent work by Vaikuntanathan and Ragavan preserved this speedup while returning the qubit requirements to the linear scaling of Shor’s original algorithm. The message for security planners is clear: algorithmic improvements to quantum factoring are continuing to emerge, and the timeline assumptions used in migration planning should account for the possibility of further advances.

How Grover’s Algorithm Affects Symmetric Encryption

Grover’s algorithm’s impact on symmetric encryption is more nuanced than Shor’s impact on asymmetric cryptography, but it remains significant for enterprise security planning. The algorithm applies to any problem that can be framed as searching for an input that satisfies a given condition, including the problem of finding the key that correctly decrypts a known ciphertext.

For AES-128, the most widely deployed symmetric encryption standard, Grover’s algorithm reduces the effective security from 128 bits to approximately 64 bits. This is accomplished by reducing the number of candidate keys that need to be evaluated from 2^128 to approximately 2^64, a reduction of roughly one quadrillion fold. While 64 bits of security remains beyond current practical attack capabilities, it falls below the threshold that cryptographic standards bodies consider adequate for long-term security requirements.

For AES-256, Grover’s algorithm reduces effective security from 256 bits to approximately 128 bits, which remains at or above the conventional threshold for long-term security. This makes AES-256 the recommended standard for any data requiring protection across the quantum computing era.

The response to Grover’s algorithm is therefore direct and achievable without replacing underlying algorithms: migrate from AES-128 to AES-256 for data that requires long-term confidentiality, and ensure that hash functions use output lengths of at least 256 bits. These are configuration-level changes in most modern implementations and do not carry the architectural complexity of the asymmetric migration required to address Shor’s algorithm.

The Systemic Threat to Enterprise Infrastructure

The combined impact of Shor’s and Grover’s algorithms on enterprise cryptographic infrastructure is not a future risk that can be deferred until quantum hardware reaches a relevant scale. It is an active strategic concern driven by the harvest now, decrypt later threat, in which adversaries are already capturing encrypted enterprise communications for future decryption once quantum capabilities mature.

Every organization that transmits data whose confidentiality must be maintained for more than a decade is already exposed. Intelligence communications, healthcare records, financial transaction histories, intellectual property, and legal documents are all categories of data that may still be sensitive when quantum decryption becomes viable. For these data categories, the cryptographic protection applied today determines whether future exposure is possible.

The systemic nature of the threat also reflects how deeply cryptography vulnerable to Shor’s algorithm is embedded in enterprise infrastructure. TLS connections securing web and API traffic, certificate authorities validating identity across the enterprise, VPN infrastructure connecting distributed sites, code signing protecting software distribution pipelines, and email encryption protecting sensitive communications all rely on asymmetric cryptographic mechanisms that Shor’s algorithm threatens.

The response to this systemic exposure requires a systemic program, beginning with a comprehensive cryptographic inventory that maps every system and protocol using asymmetric cryptography, continuing through risk-based prioritization of migration efforts, and culminating in a sustained deployment of post-quantum cryptographic algorithms across the enterprise environment.
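The two rules from the preceding sections (Shor removes the security of the asymmetric families outright; Grover halves the bit strength of symmetric keys and hash outputs, with 128 bits as the long-term bar) are enough to turn a cryptographic inventory into the risk-based priority list the paragraph above calls for. The block below is an added example, not the article’s or any vendor’s tooling: the `CryptoUse` record, the family sets, the `retention_years` field and the sample inventory are all constructed for illustration, and the ordering rule (broken primitives guarding the longest-lived data first) is the example’s own reading of the harvest-now, decrypt-later concern.

```python
from dataclasses import dataclass

# The conventional long-term bar the article cites: 128 bits of effective security.
LONG_TERM_THRESHOLD_BITS = 128

# Families whose security Shor's algorithm removes outright.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA"}
# Families where Grover's algorithm halves the security level in bits
# (symmetric key search, and preimage search against a hash output).
GROVER_HALVED = {"AES", "ChaCha20", "SHA2", "SHA3", "HMAC"}


@dataclass(frozen=True)
class CryptoUse:
    system: str
    purpose: str
    family: str
    bits: int             # key length, or hash output length
    retention_years: int  # how long the protected data must stay confidential


def quantum_effective_bits(use: CryptoUse) -> int:
    """Security level in bits once a capable quantum adversary is assumed."""
    if use.family in SHOR_BROKEN:
        return 0
    if use.family in GROVER_HALVED:
        return use.bits // 2
    raise ValueError(f"no quantum model for family {use.family!r}")


def classify(use: CryptoUse) -> str:
    """'replace' (needs a post-quantum algorithm), 'upgrade' (same algorithm,
    longer key or output), or 'ok' (meets the long-term bar as deployed)."""
    if use.family in SHOR_BROKEN:
        return "replace"
    if quantum_effective_bits(use) < LONG_TERM_THRESHOLD_BITS:
        return "upgrade"
    return "ok"


def prioritize(inventory):
    """Order the work: replacements before upgrades, and within each class the
    longest-lived data first, since that is where recorded traffic decrypted
    later does the most damage. Ties break on the weaker effective strength."""
    rank = {"replace": 0, "upgrade": 1, "ok": 2}
    rows = [(classify(u), quantum_effective_bits(u), u) for u in inventory]
    rows.sort(key=lambda r: (rank[r[0]], -r[2].retention_years, r[1]))
    return rows


# Constructed sample inventory; the systems and lifetimes are illustrative.
INVENTORY = [
    CryptoUse("public-web", "TLS key exchange", "RSA", 2048, 1),
    CryptoUse("public-web", "TLS record encryption", "AES", 128, 1),
    CryptoUse("public-web", "TLS PRF / MAC", "SHA2", 256, 1),
    CryptoUse("archive", "backup encryption", "AES", 256, 25),
    CryptoUse("archive", "backup integrity", "SHA2", 512, 25),
    CryptoUse("site-vpn", "IKE key exchange", "ECDH", 256, 10),
    CryptoUse("patient-records", "database encryption", "AES", 128, 30),
]

if __name__ == "__main__":
    for action, eff, use in prioritize(INVENTORY):
        print(f"{action:8} {use.system:16} {use.purpose:24} "
              f"{use.family}-{use.bits:<4} -> {eff:3} bits, {use.retention_years}y")
```

On the sample inventory the VPN’s ECDH key exchange lands above the public web server’s RSA because its data lives longer, and the AES-128 protecting 30-year patient records outranks the AES-128 on one-year web sessions. The symmetric rows classified `upgrade` are the cheap, configuration-level fixes; the `replace` rows are the multi-year asymmetric migration.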

The Post-Quantum Response: Lattice-Based Cryptography and NIST Standards

The cryptographic community’s response to Shor’s algorithm has been the development of post-quantum cryptographic algorithms built on mathematical problems for which no quantum algorithm provides an exponential speedup. The most successful and widely standardized approach is lattice-based cryptography.

Shor’s algorithm continues to be optimized and its hardware requirements refined, so enterprise migration timelines must account for the possibility that the qubit thresholds required to run it at scale could be lower than current estimates suggest. As covered in Dark Reading’s analysis of NIST post-quantum standards enterprise migration, the NIST finalization of ML-KEM, ML-DSA, and SLH-DSA in August 2024 gives enterprises a definitive set of approved post-quantum algorithms to deploy, with experts urging organizations to begin migration immediately rather than waiting for further timeline clarity.

In August 2024, NIST finalized its first post-quantum cryptography standards: ML-KEM (FIPS 203) based on the CRYSTALS-Kyber lattice framework for key encapsulation and encryption, and ML-DSA (FIPS 204) based on CRYSTALS-Dilithium for digital signatures, along with the hash-based signature scheme SLH-DSA (FIPS 205). These algorithms are designed to run on existing conventional hardware and integrate with existing networking protocols, making them deployable without specialized quantum infrastructure.

Cryptographic Agility as a Strategic Imperative

One of the most important lessons from the history of post-quantum cryptography standardization is that even algorithms believed to be secure can be broken by advances that were not anticipated at the time of their design. During the NIST evaluation process, several candidate algorithms were broken — not by quantum computers, but by classical mathematical attacks. The SIKE algorithm, once considered a promising candidate, was cracked in minutes using a standard laptop.

This history reinforces that preparing for quantum algorithms is not simply a matter of deploying NIST-approved post-quantum algorithms and considering the problem solved. It requires building cryptographic agility into systems architecture, meaning the organizational and technical capacity to update cryptographic algorithms without rebuilding the systems that depend on them. Organizations that develop this agility will be better positioned to respond to future discoveries, whether those discoveries involve advances in quantum hardware, new classical cryptanalytic techniques, or entirely new algorithmic approaches.

Cryptographic agility is therefore both a technical design principle for new systems and a governance priority that requires sustained executive attention. Migration to post-quantum cryptography is not a single project with a completion date. It is the beginning of an ongoing discipline of maintaining quantum resilience as the threat landscape, the hardware capabilities, and the cryptographic standards themselves continue to evolve.

Frequently Asked Questions

Do Shor’s and Grover’s algorithms require different responses from enterprise security teams?

Yes, and the responses differ significantly in complexity. Shor’s algorithm threatens asymmetric cryptographic systems including RSA, elliptic curve cryptography, and Diffie-Hellman key exchange, requiring replacement of these algorithms with post-quantum alternatives such as the NIST-standardized ML-KEM and ML-DSA. This is a complex, multi-year migration involving every system that uses public-key cryptography. Grover’s algorithm threatens symmetric encryption through a quadratic speedup of key search, but this is addressed by increasing key lengths from 128 bits to 256 bits within existing standardized algorithms like AES. The symmetric response is simpler and should be prioritized as an immediate action item while the more complex asymmetric migration is planned and executed.

How does the harvest now, decrypt later threat change the urgency of quantum migration planning?

The harvest now, decrypt later strategy means that the effective deadline for protecting sensitive data is not when quantum computers become capable of breaking encryption, but now. Adversaries who capture encrypted communications today and store them for future decryption can expose data that is currently protected by asymmetric cryptography if they eventually gain access to quantum computing capabilities. For organizations holding data whose confidentiality must extend beyond the estimated timeline for cryptographically relevant quantum computers, the migration to quantum-resistant cryptography for that data should be treated as an immediate priority rather than a medium-term planning item.

What should enterprise security teams do first when beginning their quantum migration planning?

The foundational first step is a comprehensive cryptographic inventory documenting every system, application, protocol, and integration that uses cryptographic functions, with specific attention to identifying all uses of RSA, elliptic curve cryptography, Diffie-Hellman key exchange, and AES-128. This inventory provides the factual basis for risk-based prioritization of migration efforts. Without it, enterprises cannot identify their highest-exposure systems, evaluate vendor readiness, or develop a realistic migration roadmap. The inventory should be treated as an ongoing operational discipline rather than a one-time project, since cryptographic assets change with every new system deployed, application updated, or vendor relationship established.

Nicole Simmons
Nicole Simmons is a champion for female entrepreneurs and innovative ideas. With a warm tone and clear language, she breaks down complex strategies, inspiring confidence and breaking down barriers for all her readers.