In short

A fault-tolerant quantum computer running Shor's algorithm breaks every widely deployed public-key cryptosystem whose security rests on factoring or discrete logarithm — that means RSA, Diffie-Hellman, and Elliptic-Curve cryptography. The same machine running Grover's algorithm weakens symmetric primitives (AES) and hash functions (SHA-2, SHA-3) only quadratically — a problem you fix by doubling key lengths. The threat is not speculative: adversaries today are intercepting encrypted traffic and storing it for later decryption once a Shor-capable machine exists. This is harvest-now-decrypt-later, and it means any secret whose value outlasts Q-day is already at risk. Mosca's heuristic: if your data must stay secret for X years, migration takes Z years, and fault-tolerant quantum arrives in Y years, then X + Z > Y means you are late. For Aadhaar (biometrics good for a lifetime), UPI (transaction-signing for a decade of records), and Indian government long-term secrets, X + Z already exceeds most credible estimates of Y. The fix is post-quantum cryptography — lattice-based Kyber/Dilithium and hash-based SPHINCS+, standardised by NIST in 2024. India's National Quantum Mission and CERT-In have begun the migration.

Open your UPI app and send ₹100 to a friend. A few seconds pass, the notification pings on both phones, and the transaction is done. Behind that tap, thousands of cryptographic operations fired: your bank's server verified an elliptic-curve signature on your authentication; the NPCI switch verified another on the routing message; the recipient bank verified a third. None of those signatures would work without one assumption: that factoring a 2048-bit integer, or computing a discrete logarithm on a 256-bit elliptic curve, is beyond any computer anyone will build in your lifetime.

Shor's algorithm (chapters 74–77) breaks exactly that assumption. On a fault-tolerant quantum computer large enough to run Shor at cryptographic key sizes, RSA, Diffie-Hellman, and ECC collapse in polynomial time. The hardware does not exist yet. The algorithm does.

This chapter draws the map that a Chief Information Security Officer at the State Bank of India, a policy analyst at MeitY, or a curious 15-year-old in Lucknow needs. Which cryptographic primitives does the quantum threat actually kill? Which ones does it merely scratch? How close is Q-day, really? And why is every major Indian cryptographic system already on a migration calendar, even though no quantum computer has yet factored a number larger than 21?

The landscape — what breaks, what bends, what stands

Cryptography today rests on three pillars, and the quantum threat hits them unevenly. The first job is to name them and put each in its quantum-vulnerability box.

[Figure: Where the quantum threat hits. Three columns. Public-key (RSA, Diffie-Hellman, ECC: ECDSA, ECDH): broken by Shor, dead at Q-day; fix: replace with lattice-based PQC. Symmetric-key (AES-128, AES-256, ChaCha20, 3DES legacy): weakened by Grover, effective key halved; fix: use AES-256, retire AES-128. Hash functions (SHA-256, SHA-3/Keccak, BLAKE3): weakened by Grover/BHT, collision resistance halved; fix: use SHA-384 or SHA-512. One algorithm (Shor) ruins one column; another (Grover) nicks the other two.]
The three families of modern cryptographic primitives and how the two main quantum algorithms affect them. Shor's algorithm is a structural break — it destroys the hardness assumption that public-key crypto depends on. Grover's algorithm is a generic speedup that *halves* the effective security of anything whose security rests on "try every key."

Go through them one at a time.

Public-key cryptography. Its security rests on specific algebraic problems — factor an integer, compute a discrete logarithm, find an isogeny between elliptic curves — that nobody knows how to solve classically in polynomial time. Shor's algorithm solves factoring and discrete logarithm in polynomial time quantumly. Every public-key primitive built on those two problems dies together, not separately. RSA (factoring), Diffie-Hellman (discrete log mod p), ECDH and ECDSA (discrete log on an elliptic curve) — one circuit, one algorithm, all of them fall. This is the heart of the threat. You cannot "strengthen" RSA by going to 4096-bit keys and hope for the best: Shor runs in time polynomial in n = \log_2 N, so doubling n merely multiplies the quantum runtime by a constant, not an astronomical factor. The only fix is to replace the primitive with something Shor cannot touch.

Symmetric-key cryptography. AES, ChaCha20, and their siblings do not have a period-finding structure that Shor can exploit. The best quantum attack is Grover's algorithm (chapter 113), which searches an unstructured space of N candidates in O(\sqrt{N}) steps instead of O(N). For AES with a k-bit key, the classical brute-force cost is 2^k and the quantum cost is roughly 2^{k/2}. So the effective key length halves. AES-256, which gives 256 bits of classical security, gives 128 bits of quantum security — still comfortably out of reach. AES-128, which gives 128 bits of classical security, gives 64 bits of quantum security — borderline, and considered unsafe for long-term secrets in the post-quantum world. The fix is one-line: use AES-256 everywhere, retire AES-128.

Hash functions. Hashes serve two roles: pre-image resistance (given h, hard to find m with \text{hash}(m) = h) and collision resistance (hard to find m_1 \ne m_2 with the same hash). Grover halves pre-image resistance; the Brassard-Høyer-Tapp algorithm halves collision resistance further, taking the birthday-bound 2^{n/2} down to 2^{n/3}. So SHA-256, whose classical collision resistance is 2^{128}, has quantum collision resistance of roughly 2^{85} — awkward but not catastrophic. The standard post-quantum recommendation: use SHA-384 (collision resistance 2^{128} quantumly) or SHA-512 for new designs, keep SHA-256 for short-lived contexts.

Why Shor is qualitatively different. Shor does not merely speed up key search; it exploits the algebraic structure of modular exponentiation. Modular exponentiation a^x \bmod N is periodic in x with period equal to the multiplicative order of a modulo N, and that period is exactly what lets you factor N. The quantum Fourier transform is optimally suited to extracting periods from superpositions. There is no periodic structure in AES or SHA that a similar attack could latch onto. That is why symmetric primitives only bleed the Grover square-root loss, not a polynomial-time annihilation.

Harvest-now, decrypt-later — the real threat timeline

Read carefully: an adversary does not need a working quantum computer today for the quantum threat to matter today.

Every HTTPS connection you make, every encrypted message, every signed document — if an adversary with enough network access (a state intelligence agency, a submarine-cable tap) records the ciphertext and stores it, they can sit on it. And the day a Shor-capable machine comes online — 2035, 2040, 2045, whenever — they can go back through their archive and decrypt everything in one pass. This is called harvest-now, decrypt-later, and it is the single most important reason cryptographic migration must begin now.

[Figure: Why the threat is a NOW problem. Timeline from 2025 to 2055 in three phases: adversaries harvest encrypted traffic and store it (2025 to about 2035); the Q-day window, when a fault-tolerant quantum computer arrives (roughly 2035 to 2045); retroactive decryption of everything harvested (after Q-day). Aadhaar biometrics carry a lifetime secrecy horizon (X ≈ 70 years) extending past 2050; medical records X ≈ 30 years. Ciphertext harvested in 2026 is still a secret in 2045 only if it was never harvested at all.]
The harvest-now-decrypt-later dynamic. An adversary records ciphertext in year $T_0$ and waits. Q-day is the point at which a fault-tolerant quantum computer of the required size comes online. Between $T_0$ and Q-day, the secret appears safe — classical cryptanalysis cannot break it. On Q-day, everything in the archive falls. If your secret needs to stay secret for longer than Q-day minus $T_0$, it is already compromised.

The uncomfortable truth is that a well-funded adversary is almost certainly already doing this. Storage is cheap: a few petabytes is enough to hold years of selectively-tapped TLS traffic from a target country's diplomatic channels. Waiting is free. The adversary does not need to know how they will eventually decrypt; they only need to know that somebody will eventually build the machine, and that Shor is a published algorithm that does the job.

The obvious defence — "use longer keys" — does not work. Shor's runtime is polynomial in n. Going from 2048-bit RSA to 4096-bit RSA roughly triples the quantum attack time, not squares it. The classical attacker bought you 2^{50} extra work; the quantum attacker bought himself 3\times more hours of runtime. The asymmetry that kept RSA safe for forty-seven years evaporates.

Mosca's heuristic — when must migration begin?

In 2015, the cryptographer Michele Mosca published a short paper [1] with the cleanest framework in the whole field. It compresses the migration question into three numbers.

Mosca's rule:

\boxed{X + Z > Y \quad \Longrightarrow \quad \text{you are already late.}}

Why the rule has that shape: Y is the calendar time you have until the threat is operational. Z of that budget is spent migrating, so real protection starts at year Z. After migration, your freshly-encrypted data is protected, but anything harvested in the first Z years of this interval has only Y - Z years of protection left — less than the X years you need. Unless Y - Z \ge X, i.e. X + Z \le Y, you lose.

The heuristic is brutal because it works backwards from the data's secrecy requirement, not from today's confidence level.

[Figure: Mosca's rule, X + Z versus Y, with Y ≈ 20 in every row. Aadhaar: X = 70, Z = 10, X + Z much greater than Y, marked urgent in red. UPI logs: X = 10, Z = 7, total 17 just under Y, marked tight. Retail transaction: X = 2, Z = 3, total 5, well below Y, marked safe in green.]
Three applications, three Mosca calculations. The red row (Aadhaar, $X+Z = 80 \gg Y = 20$) is already catastrophically late: the secrecy horizon is far past any plausible Q-day. The middle row (UPI logs, $X+Z = 17$) is on the edge of $Y = 20$. The bottom row (a small retail transaction confirmation, $X+Z = 5$) has plenty of margin.

Worked example — running Mosca on Aadhaar

Mosca's rule is not a vague warning; it is a calculation you can do with a pen.

Example 1: Mosca's rule applied to Aadhaar authentication

Setup. The Unique Identification Authority of India (UIDAI) signs every Aadhaar authentication response with RSA-2048. The biometric templates enrolled in the system are intended to be valid for the lifetime of the enrollee. You are a MeitY analyst deciding whether migration is urgent.

Step 1. Pick X — the secrecy horizon.

The biometric template of an 18-year-old enrolled in 2026 must remain confidential until at least 2080. That is a horizon of roughly 60 to 70 years. Why the horizon is that long: a biometric is not rotatable. If a fingerprint template leaks, you cannot issue the enrollee a new fingerprint. For Aadhaar, the secret either stays secret for life or not at all. Take X = 65.

Step 2. Pick Z — the migration duration.

Aadhaar touches \sim 1.4 billion enrollees through \sim 10^5 authentication endpoints: ration shops, bank branches, telecom kiosks, government portals. Replacing RSA-2048 signatures with NIST-standardised Dilithium across this estate — with transition periods for hybrid signatures, legacy device support, and HSM re-provisioning — is a decade-long engineering project. The C-DAC and NQM roadmap calls for full migration by 2035, starting from substantive work in 2025. Take Z = 10.

Step 3. Pick Y — years until Q-day.

Gidney and Ekerå estimate 20 million physical qubits for Shor-2048 (chapter 83). IBM's 2024 roadmap projected 10^4 physical qubits by 2029; extrapolating Neven's doubling at 18-month intervals gives 2 \times 10^7 around 2042. The NIST working consensus is Y \in [15, 30] from 2026. Take the conservative (i.e. aggressive, short-Y) end: Y = 20.

Step 4. Apply the rule.

X + Z = 65 + 10 = 75 \quad \gg \quad Y = 20.

Why the \gg matters: the margin of failure is not a year or two — the horizon exceeds Y by half a century. Every Aadhaar authentication signed before migration completes (that is, every authentication ever performed between 2010 and \sim 2035) is potentially exposed once Q-day arrives.

Result. X + Z = 75; Y = 20. Mosca's rule is violated by fifty-five years. For Aadhaar-scale biometric data, the threat is not "imminent" — it is already past. Any harvest-now-decrypt-later adversary who began recording UIDAI traffic in, say, 2022 has a four-decade secrecy violation already locked in.

[Figure: Aadhaar timeline, X = 65, Y = 20, Z = 10. A blue bar from year 0 to year 10 marks migration (Z = 10). A red bar from year 0 to year 65 marks harvested data still under its secrecy horizon (X = 65). A vertical dashed line at year 20 marks Q-day (Y = 20). The hatched region between year 20 and year 65 is labelled compromised (Y < t < X).]
The secrecy horizon for Aadhaar ($X = 65$ years) extends far past the plausible arrival of a fault-tolerant quantum computer ($Y = 20$). Every year inside the hatched region is a year in which harvested ciphertext is readable to an adversary with Shor's algorithm, while the original secrecy requirement is still active.

What this shows. Mosca's rule is not a "plan to migrate in a few years" heuristic for Aadhaar. It says migration should have begun a decade ago, and the only remaining lever is Z — make the migration as fast as possible and seal off new ciphertext. The biometric templates themselves cannot be rotated; the only protection is to re-encrypt them with PQC primitives before any more are harvested.
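The rule and the Aadhaar calculation above are simple enough to script, and scripting them is how a migration team keeps the three numbers honest across many data classes at once. The following is an added example, not code from the chapter or from any Indian agency. It takes the page's own values (the worked-example Aadhaar figures X = 65, Z = 10; the bar-diagram figures for UPI logs and a retail confirmation; Y = 20), reports the deficit X + Z - Y, the largest Z that would still satisfy the rule, and also reproduces the page's qubit-doubling extrapolation for Y. The "tight" margin of five years and the `Secret`/`triage` names are my own assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Secret:
    """One class of data with its Mosca parameters (names are assumptions, not the page's)."""
    name: str
    x_years: float   # X: how long the data must stay secret
    z_years: float   # Z: how long migrating its cryptography takes


def mosca_deficit(x, z, y):
    """X + Z - Y. Positive means Mosca's rule is already violated by that many years."""
    return x + z - y


def max_migration_years(x, y):
    """Largest Z that still satisfies X + Z <= Y. Negative: no migration speed can satisfy it."""
    return y - x


def years_until_qubits(current, target, doubling_months):
    """The page's extrapolation: fixed-period doubling of qubit count until target is reached."""
    return math.log2(target / current) * doubling_months / 12.0


def triage(secrets, y, tight_margin=5):
    """Classify each data class as 'late', 'tight' (within tight_margin years of Y) or 'safe'.
    The five-year 'tight' band is an assumption chosen to match the page's labels."""
    rows = []
    for s in secrets:
        d = mosca_deficit(s.x_years, s.z_years, y)
        if d > 0:
            verdict = "late"
        elif d > -tight_margin:
            verdict = "tight"
        else:
            verdict = "safe"
        rows.append({
            "name": s.name,
            "deficit": d,
            "z_max": max_migration_years(s.x_years, y),
            "verdict": verdict,
        })
    return rows


# Constructed inventory using the chapter's three cases.
INVENTORY = [
    Secret("Aadhaar biometrics", x_years=65, z_years=10),
    Secret("UPI transaction logs", x_years=10, z_years=7),
    Secret("Retail transaction confirmation", x_years=2, z_years=3),
]

if __name__ == "__main__":
    Y = 20
    for row in triage(INVENTORY, Y):
        print("%-32s X+Z-Y = %+4d  Z_max = %+4d  %s"
              % (row["name"], row["deficit"], row["z_max"], row["verdict"]))
    print("Y from 10^3 -> 10^7 qubits at 18-month doubling: %.1f years"
          % years_until_qubits(1e3, 1e7, 18))
```

The `z_max` column is the point the chapter makes in words: for Aadhaar it is negative, so no migration speed satisfies the rule and the only lever left is to stop new ciphertext from being harvested; for UPI logs it says the migration must finish within ten years to stay inside Y.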

Why symmetric crypto is only scratched

Grover's algorithm is worth a second look, because its effect on symmetric primitives is routinely mis-stated in the popular press. The statement "Grover breaks AES" is wrong in the same way "Shor breaks AES" is wrong.

Grover's algorithm (chapter 113) solves the unstructured search problem. Given a black-box function f: \{0,1\}^k \to \{0, 1\} that is zero except at one unknown input x^\star, Grover finds x^\star in O(2^{k/2}) queries instead of the classical O(2^k). Applied to a cipher like AES, the black box is "check whether this candidate key decrypts the ciphertext correctly." The search space is the set of all k-bit keys.

So AES-k with classical brute-force cost 2^k has quantum brute-force cost roughly 2^{k/2}. The effective key length is halved.

Example 2: AES-128 vs AES-256 in a post-quantum world

Setup. You are a systems architect choosing between AES-128 and AES-256 for data at rest that must remain confidential for 25 years. Brute-force is the best-known classical attack; Grover is the best-known quantum attack. How do the two options compare?

Step 1. Classical security level.

AES-k against classical brute-force costs 2^k operations. For AES-128, that is 2^{128} \approx 3.4 \times 10^{38} — beyond any classical adversary by many orders of magnitude. For AES-256, 2^{256} is beyond the number of atoms in the observable universe. Why both look secure classically: 2^{128} and 2^{256} both vastly exceed what any foreseeable classical computer can do in the lifetime of the universe; the difference is simply margin.

Step 2. Quantum security level under Grover.

Grover gives 2^{k/2} queries. For AES-128, that is 2^{64} \approx 1.8 \times 10^{19} — borderline feasible for a well-resourced future quantum adversary. For AES-256, 2^{128} — still comfortably out of reach.

Step 3. Add the overhead realism.

Grover's algorithm needs its queries to run on a fault-tolerant quantum computer. Each query to AES inside Grover requires implementing the full AES circuit reversibly, then a comparison, then amplitude amplification. Estimates (e.g. Grassl et al. 2016 [4]) put the full quantum cost of Grover-on-AES-128 at \sim 2^{86} T-gates; Grover-on-AES-256 at \sim 2^{151} T-gates. Why the real cost is more than the naive 2^{k/2}: you pay for implementing the cipher reversibly, for error correction, and for the amplitude-amplification iterations. The naive bound is a lower bound; real implementations are 2^{20}-ish worse.

Step 4. Decision.

For a 25-year secrecy horizon, AES-128's \sim 2^{64} effective quantum security is marginal; AES-256's \sim 2^{128} effective quantum security is excellent. NIST's post-quantum guidance explicitly recommends AES-256 for any data requiring long-term confidentiality.

Result. Double the key length and you are done. Unlike RSA, you do not need a new primitive — the primitive is fine; you just use more of it. AES-256 is quantum-safe; AES-128 is not, for long-term secrets.

[Figure: AES key-bit security, classical vs quantum (Grover). AES-128: classical 2^128, quantum 2^64, marked unsafe in red. AES-256: classical 2^256, quantum 2^128, marked safe in green. A horizontal line marks the post-quantum safety floor at roughly 2^128.]
Quantum halves the effective key bits. AES-128 falls below the $2^{128}$ safety floor under Grover; AES-256 remains above it. The fix is operational (upgrade key size), not structural (replace the primitive).

What this shows. Doubling the key gets back the security bits. Contrast this with RSA: going from RSA-2048 to RSA-4096 under Shor buys you a constant factor more runtime, not a doubling of the security exponent. That is why the public-key and symmetric columns live in different worlds.
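The three-column taxonomy at the start of the chapter and Example 2 apply the same three rules (Shor: public-key broken outright; Grover: symmetric key bits halved; Grover/BHT: hash collision bits cut to a third), and the CERT-In inventory step later in the chapter is exactly the job of applying those rules to a list of what is deployed. The following is an added example, not code from the chapter: it parses IANA-style TLS cipher-suite names, scores each component against the post-quantum floor of 128 bits used in the figure, and lists the fix the taxonomy prescribes. The suite names in `INVENTORY` are a constructed sample, and the function names are my own.

```python
import re

SAFETY_FLOOR_BITS = 128   # post-quantum safety floor from the figure

# Primitives whose hardness is factoring or discrete log: Shor breaks them at Q-day.
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "DSS"}


def symmetric_pq_bits(key_bits):
    """Grover: a k-bit key costs ~2^(k/2) quantum queries, so k/2 effective bits."""
    return key_bits // 2


def hash_pq_bits(output_bits):
    """Grover halves pre-image resistance; Brassard-Hoyer-Tapp cuts collisions to 2^(n/3)."""
    return {"preimage": output_bits // 2, "collision": output_bits // 3}


def _cipher_key_bits(cipher):
    """Key length implied by the cipher part of a suite name (None if unrecognised)."""
    m = re.search(r"(?:AES|CAMELLIA|ARIA)_(\d+)", cipher)
    if m:
        return int(m.group(1))
    if "CHACHA20" in cipher:
        return 256
    if "3DES" in cipher:
        return 112   # 168-bit key, 112-bit effective classically (meet-in-the-middle)
    return None


def _hash_output_bits(cipher):
    """Output size of the suite's hash/PRF (SHA with no digits is SHA-1)."""
    m = re.search(r"SHA(\d+)$", cipher)
    if m:
        return int(m.group(1))
    if cipher.endswith("SHA"):
        return 160
    if cipher.endswith("MD5"):
        return 128
    return None


def classify_suite(name):
    """Split a TLS suite name into key exchange/auth, cipher and hash; score each."""
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        kex_auth, cipher = body.split("_WITH_", 1)
        kex_parts = kex_auth.split("_")
    else:
        # TLS 1.3 suite names carry no key exchange; groups are negotiated separately.
        kex_parts, cipher = [], body
    key_bits = _cipher_key_bits(cipher)
    hash_bits = _hash_output_bits(cipher)
    report = {
        "suite": name,
        "kex_auth": kex_parts,
        "kex_broken_by_shor": any(p in SHOR_BROKEN for p in kex_parts),
        "symmetric_pq_bits": symmetric_pq_bits(key_bits) if key_bits else None,
        "hash_pq_collision_bits": hash_pq_bits(hash_bits)["collision"] if hash_bits else None,
        "fixes": [],
    }
    if report["kex_broken_by_shor"]:
        report["fixes"].append("replace key exchange/auth with lattice-based PQC (or a hybrid)")
    if report["symmetric_pq_bits"] is not None and report["symmetric_pq_bits"] < SAFETY_FLOOR_BITS:
        report["fixes"].append("retire %d-bit cipher, use AES-256" % key_bits)
    if report["hash_pq_collision_bits"] is not None and report["hash_pq_collision_bits"] < SAFETY_FLOOR_BITS:
        report["fixes"].append("use SHA-384 or SHA-512 where collision resistance matters")
    return report


# Constructed sample: the kind of list a TLS scanner reports for one endpoint.
INVENTORY = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def audit(suites):
    return [classify_suite(s) for s in suites]


if __name__ == "__main__":
    for r in audit(INVENTORY):
        print(r["suite"], "->", "; ".join(r["fixes"]) or "no change needed")
```

Note that the only suite that passes untouched is the TLS 1.3 one, and only because its key exchange is not named in the suite string; the negotiated group (X25519, P-256) still needs the hybrid treatment the deployment section describes.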

Post-quantum cryptography — the replacement menu

If Shor kills RSA, DH, and ECC, what replaces them? A research programme called post-quantum cryptography (PQC) has been building alternatives since the early 2000s, based on hard problems that (as far as anyone knows) admit no quantum speedup beyond Grover.

NIST ran an eight-year standardisation competition from 2016 to 2024, receiving 69 candidates and winnowing them through four rounds. The surviving standards, finalised in August 2024, are four algorithms that now form the PQC spine of the internet.

Why two signature primitives: Dilithium is the default, but lattice cryptography is younger than hash-based cryptography, and it is not inconceivable that a future classical attack breaks lattice schemes. SPHINCS+ is held in reserve precisely because hash-based cryptography rests only on the generic hardness of the underlying hash — a much older and better-studied assumption.

The lattice family is the workhorse. Lattices are high-dimensional periodic structures, and the problems that define their hardness — shortest-vector problem, closest-vector problem, learning-with-errors — have been studied since the 1990s and have resisted quantum attacks. The best quantum algorithms give at most polynomial speedup; no Shor-style exponential break is known.

Deployment has begun. Cloudflare and Google experimented with hybrid Kyber+X25519 in TLS 1.3 as early as 2023. Apple announced PQ3 for iMessage in 2024. Signal rolled out a Kyber-based post-quantum handshake in 2024. The TLS 1.3 working group has standardised the hybrid mode. Within the year, a meaningful fraction of HTTPS connections are being protected by a combination of classical and post-quantum key exchange — belt and braces, because neither community is ready to trust the other alone.

The Indian stakes

India's cryptographic surface is enormous, and unusually exposed to harvest-now-decrypt-later because of how much of it is long-lived, biometric, or financial.

Aadhaar. Every Aadhaar authentication carries an RSA-2048-signed payload from UIDAI. The biometric templates themselves — fingerprints and iris scans — are encrypted in transit using TLS, whose key exchange is ECDH or RSA-KEM. A harvested Aadhaar authentication stream from 2023 contains biometric templates that are good for the enrollee's lifetime.

UPI. UPI processed over 17 billion transactions in March 2026. Each transaction is signed with ECC (typically ECDSA over secp256r1 or P-256). Transaction logs — which must be retained for at least ten years for tax and anti-fraud purposes — are stored and backed up across multiple NPCI datacentres.

GoI digital signatures. The Controller of Certifying Authorities (CCA) under MeitY operates a PKI for government digital signatures. Aadhaar-linked e-signatures on income tax returns, GST filings, and government contracts all rely on this hierarchy, which is RSA-based at the root and RSA/ECC at the leaves.

ISRO. ISRO's ground-space communications use classical TLS with RSA-based key exchange. Long-term mission telemetry, satellite control sequences, and inter-agency coordination data are exposed over channels that are routinely tapped.

CERT-In and the National Quantum Mission. CERT-In, India's cybersecurity coordination body, issued a first post-quantum migration advisory in 2024 urging critical-infrastructure operators to begin inventorying their public-key dependencies. The NQM (2023, ₹6003 crore over 8 years) has a dedicated pillar on post-quantum and quantum-safe cryptography, coordinating with UIDAI, NPCI, RBI, SEBI, and the Bureau of Indian Standards (BIS). The published roadmap targets substantive PQC migration across critical infrastructure by 2030–2035, with pilot Dilithium/Kyber deployments in Aadhaar and UPI starting 2027.

That roadmap is aligned with Mosca's rule — for data with X \lesssim 10 years, Z = 10 and Y \in [15, 30] gives marginal safety. For Aadhaar-scale lifetime data, as the worked example showed, there is no fully clean answer; the best the country can do is start fast and limit further accumulation of harvest-vulnerable ciphertext.

Hype check. You will read press claiming the quantum threat is "years away" (therefore no action is needed) or "already breaking RSA" (therefore panic). Both are wrong in the same way. The threat is on a calendar — Q-day is estimated at 2035–2050 with wide error bars — and that calendar already imposes action, because migration itself takes a decade and data harvested today is vulnerable later. "Years away" and "urgent" are both true at the same time, and Mosca's rule is the way to hold both thoughts simultaneously.

Common confusions

Going deeper

If you understand that Shor breaks public-key crypto, Grover merely weakens symmetric crypto by a factor of two, harvest-now-decrypt-later makes the threat a present-day concern, and Mosca's rule tells you when to migrate — you have chapter 151. The material below is for readers who want the sharper version: the NIST standardisation process, lattice cryptography internals, the precise Q-day estimation calculus, India's crypto-agility timeline.

The NIST PQC competition, 2016–2024

NIST opened the PQC call in December 2016 with 82 submissions, 69 of which met the minimum requirements. Round 1 (2017–2019) winnowed to 26; Round 2 (2019–2020) to 15; Round 3 (2020–2022) to 7 finalists and 8 alternates. In July 2022, NIST announced the first standards: CRYSTALS-Kyber (KEM), CRYSTALS-Dilithium (signatures), FALCON (signatures), and SPHINCS+ (hash-based signatures). Round 4 (2022–2024) evaluated additional KEM candidates (BIKE, Classic McEliece, HQC, SIKE — the last broken during the round) and finalised the first three FIPS documents: FIPS 203 (ML-KEM, the Kyber standard, August 2024), FIPS 204 (ML-DSA, the Dilithium standard, August 2024), FIPS 205 (SLH-DSA, the SPHINCS+ standard, August 2024). An additional signature on-ramp process, opened 2023, is in progress.

Lattice cryptography — why Shor does not apply

Lattice cryptography is built on problems like the Learning With Errors (LWE) problem: given a matrix A \in \mathbb{Z}_q^{m \times n} and a vector \mathbf{b} = A \mathbf{s} + \mathbf{e} where \mathbf{s} is a short secret and \mathbf{e} is a small noise vector, recover \mathbf{s}. Without the noise, this is a linear system solvable by Gaussian elimination in O(n^3) time. With the noise, the best known algorithms — classical and quantum — take 2^{O(n)} time.

Shor's algorithm exploits the single-period structure of modular exponentiation: a^x \bmod N is periodic in x with period equal to the multiplicative order of a. The quantum Fourier transform is the optimal tool to extract a period from a superposition. Lattices have a rich algebraic structure — they are discrete subgroups of \mathbb{R}^n — but that structure is multidimensional, not a single global period. The quantum Fourier transform over \mathbb{Z}_q^n does not immediately reveal a short lattice vector; known quantum attacks give at most polynomial speedup over classical lattice-reduction algorithms (BKZ, sieving). CRYSTALS-Kyber at parameter set Kyber-768 is estimated at roughly 2^{183} classical work and 2^{167} quantum work to break — comfortably above the post-quantum safety floor.
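The LWE description above is concrete enough to run at toy size. The following is an added example, not code from the chapter and not a real Kyber implementation: a miniature Regev-style bit encryption over Z_q with the page's symbols (A, s, e, b = As + e), plus a modular Gaussian-elimination solver that recovers s from a noiseless b in one shot and returns garbage once the small error vector e is present. The parameters (q = 257, n = 8, m = 32) and the function names are my own choices, and they offer no security; they are sized so the arithmetic is visible.

```python
import random

# Toy parameters (no security at this size; chosen so the arithmetic is visible).
Q = 257   # prime modulus q, so every nonzero element has an inverse
N = 8     # secret dimension n
M = 32    # number of LWE samples m; M < Q/4 keeps the decryption noise small


def keygen(rng, noisy=True):
    """LWE key pair: public (A, b = A s + e mod q), secret s. noisy=False sets e = 0."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice([-1, 0, 1]) if noisy else 0 for _ in range(M)]
    b = [(sum(a * si for a, si in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt(pk, bit, rng):
    """Regev encryption of one bit: add up a random subset of the samples, offset by bit*q/2."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(s, ct):
    """v - <u, s> = bit*q/2 + <r, e>; since |<r, e>| <= M < q/4, round to 0 or q/2."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, s))) % Q
    return 1 if Q // 4 < d <= 3 * Q // 4 else 0


def solve_mod_q(A, b):
    """Gaussian elimination over Z_q on the augmented system [A | b].
    With e = 0 this returns s exactly; with noise the system is inconsistent
    and the vector read off the pivot rows is not s."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    pivot = 0
    for col in range(N):
        piv = next((r for r in range(pivot, M) if rows[r][col] % Q), None)
        if piv is None:
            return None   # rank-deficient A; negligible probability at these sizes
        rows[pivot], rows[piv] = rows[piv], rows[pivot]
        inv = pow(rows[pivot][col], -1, Q)
        rows[pivot] = [(x * inv) % Q for x in rows[pivot]]
        for r in range(M):
            if r != pivot and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[pivot])]
        pivot += 1
    return [rows[i][N] for i in range(N)]


def demo(seed=7):
    """Noiseless LWE falls to linear algebra; noisy LWE does not, yet still decrypts."""
    rng = random.Random(seed)
    s0, pk0 = keygen(rng, noisy=False)
    s1, pk1 = keygen(rng, noisy=True)
    bits = [1, 0, 1, 1, 0]
    roundtrip = [decrypt(s1, encrypt(pk1, m, rng)) for m in bits]
    return {
        "noiseless_recovered": solve_mod_q(*pk0) == s0,
        "noisy_recovered": solve_mod_q(*pk1) == s1,
        "roundtrip_ok": roundtrip == bits,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the solver is the sentence in the text: strip the noise and the public key is an O(n^3) linear system; keep it and the same elimination lands on a wrong vector, because the error has turned an exact system into an inconsistent one. The decryption still works because the legitimate receiver never solves for anything; it only needs the noise to be smaller than q/4.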

Hash-based signatures and the SPHINCS+ fallback

Hash-based signatures rest on the collision-resistance of the underlying hash function and nothing else. Merkle's 1979 original scheme and its modern descendants (XMSS, LMS, SPHINCS+) build a signature as a traversal of a Merkle tree whose leaves are one-time-signature public keys. Security reduces entirely to the hash; if the hash is collision-resistant, the signature scheme is unforgeable. Grover cuts pre-image resistance to 2^{n/2} and BHT cuts collision resistance to 2^{n/3}, so using SHA-256 internally gives \sim 2^{85} quantum collision resistance — borderline — while SHA-512 (or doubled-output Keccak) gives \sim 2^{170}, comfortable.

The price is signature size: a SPHINCS+ signature is \sim 8 KB compared to Dilithium's \sim 2.4 KB or Falcon's \sim 0.7 KB. For on-chain signatures and high-volume TLS, this is painful. For code-signing, firmware updates, and low-frequency government signatures, it is fine. SPHINCS+ is the conservative fallback in case lattice assumptions fall: its security model is the oldest and most trusted in all of cryptography.
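The Merkle construction described above can be built in a few dozen lines from nothing but a hash function, which is the whole appeal. The following is an added example, not code from the chapter and not SPHINCS+, XMSS or LMS: it uses Lamport one-time signatures (the simplest OTS; the standards use the more compact WOTS+) as leaves of an 8-leaf Merkle tree over SHA-256, so one short root key authenticates eight signatures, and each one-time key is consumed exactly once. Function and class names are my own, and the per-key counter shows why stateful schemes like this need careful key-state management (SPHINCS+ avoids that problem with a much larger, stateless structure).

```python
import hashlib
import os

HASH_BITS = 256   # SHA-256 output size; the signer signs the digest of the message


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def _digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


# ---- Lamport one-time signature: two secrets per digest bit, publish their hashes ----
def lamport_keygen(randbytes=os.urandom):
    sk = [[randbytes(32), randbytes(32)] for _ in range(HASH_BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_digest_bits(msg)))


def pk_leaf(pk):
    """Compress a one-time public key into the single hash that becomes a tree leaf."""
    return H(*[h for pair in pk for h in pair])


# ---- Merkle tree over 2^height leaves ----
def build_tree(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels   # levels[0] are the leaves, levels[-1] == [root]


def auth_path(levels, index):
    """Sibling hashes from leaf to root; the verifier recomputes the root from these."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])
        index //= 2
    return path


def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index //= 2
    return node


class MerkleSigner:
    """Stateful signer: each leaf's one-time key may be used exactly once."""

    def __init__(self, height):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = build_tree([pk_leaf(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]   # the long-term public key
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; a new tree is needed")
        i = self.next_index
        self.next_index += 1
        sk, pk = self.keys[i]
        return (i, lamport_sign(sk, msg), pk, auth_path(self.levels, i))


def merkle_verify(root, msg, signature):
    i, ots_sig, pk, path = signature
    return lamport_verify(pk, msg, ots_sig) and root_from_path(pk_leaf(pk), i, path) == root


def signature_size_bytes(signature):
    i, ots_sig, pk, path = signature
    return sum(len(x) for x in ots_sig) + sum(len(h) for pair in pk for h in pair) + 32 * len(path)
```

Running `signature_size_bytes` on one signature shows why the text calls size the price: a Lamport leaf alone is 8 KB of revealed secrets plus 16 KB of public key, before the authentication path is counted, which is why the standardised schemes replace Lamport with WOTS+ and spend considerable design effort on compression.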

Estimating Q-day — the detailed calculus

The Gidney-Ekerå 2021 analysis (chapter 83) set the qubit budget for Shor-RSA-2048 at \sim 2 \times 10^7 physical qubits running for \sim 8 hours, assuming surface-code error correction at physical error rate \sim 10^{-3}. Today's best hardware is 1121 qubits (IBM Condor, 2023), 105 qubits (Google Willow, 2024) at the best error rates, and 64 qubits (IonQ Tempo, 2024) with high-fidelity trapped-ion gates. The gap is four orders of magnitude in qubit count and two orders of magnitude in sustained error rate.

Qubit count has roughly doubled every 18 months across the industry from 2016 to 2024 (Neven's "double-exponential" observation adjusts for generation quality, not count). At that rate, 10^3 \to 10^7 is \sim 14 doublings or \sim 21 years. The standard analysis then adds:

The NIST/NSA/CRYSTALS working consensus is Y \in [15, 30] from 2025. More aggressive estimates (Chow, Gambetta) say Y \approx 10; more conservative estimates (Preskill) say Y \to \infty pending error-correction breakthroughs.

India's crypto-agility roadmap — the detail

India's NQM cryptography working group, jointly staffed by C-DAC, MeitY, UIDAI, NPCI, and the BIS, published a phased roadmap in 2024:

  1. 2024–2026: inventory of public-key dependencies across critical infrastructure. CERT-In required reporting for major financial and government systems.
  2. 2026–2028: pilot hybrid classical+PQC deployments. UIDAI pilots Dilithium alongside RSA-2048 for Aadhaar authentication signatures. NPCI pilots Kyber+X25519 for UPI PSP connections.
  3. 2028–2032: production migration. Aadhaar, UPI, RTGS, NEFT, and the CCA root hierarchy move to NIST-standardised PQC primitives.
  4. 2032–2035: deprecation of classical public-key crypto for long-term data. Legacy TLS with RSA-only key exchange disabled by default across major Indian services.

This calendar is chosen to respect Mosca's rule for X \le 10 years data and to minimise (though not eliminate) the harvest-now exposure window for longer-horizon data like Aadhaar biometrics. It is also aligned with the US federal government's OMB M-23-02 memorandum, which imposes a similar timeline on US federal agencies, and with the EU NIS2 directive's post-quantum migration recommendations.

Where this leads next

References

  1. Michele Mosca, Cybersecurity in an era with quantum computers: will we be ready? (2015) — arXiv:1512.00039.
  2. Craig Gidney and Martin Ekerå, How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits (2021) — arXiv:1905.09749.
  3. NIST Post-Quantum Cryptography Standardization — csrc.nist.gov/projects/post-quantum-cryptography.
  4. Markus Grassl, Brandon Langenberg, Martin Roetteler, Rainer Steinwandt, Applying Grover's algorithm to AES: quantum resource estimates (2016) — arXiv:1512.04965.
  5. Wikipedia, Post-quantum cryptography.
  6. John Preskill, Lecture Notes on Quantum Computation, Chapter 6 — theory.caltech.edu/~preskill/ph229.