
What Quantum Computing Actually Does to Encryption: Shor, Grover, and Beyond

A clear technical breakdown of how quantum computing threatens RSA, ECDSA, AES-256, and SHA-256, which algorithms actually break, and what "quantum-safe" really means in practice.

Dr. Sarah Chen
June 1, 2026
7 min read

The Question Everyone Is Getting Wrong

When people say quantum computers will "break encryption," they are usually half right, half wrong, and almost always imprecise about which half is which. The reality is more nuanced: quantum computing threatens certain types of cryptography catastrophically, leaves others mostly intact, and forces a complete rethink of everything in between. Understanding the difference is not just academic. It determines which blockchains, wallets, and communications systems need urgent replacement and which can afford to wait.

This article walks through the two quantum algorithms that matter most, Shor's algorithm and Grover's algorithm, explains exactly what each one does to the encryption schemes you rely on today, and cuts through the noise on what "broken" actually means in practice.

Two Algorithms, Two Very Different Threat Levels

Quantum computing does not magically solve every hard problem. It provides speed-ups for specific mathematical structures. The two algorithms relevant to cryptography exploit two different structures, and their consequences are dramatically different.

Shor's Algorithm: The Asymmetric Crypto Killer

Published by Peter Shor in 1994, Shor's algorithm solves the integer factorisation problem and the discrete logarithm problem in polynomial time. On a classical computer, both problems are computationally infeasible at large key sizes. That infeasibility is the entire foundation of asymmetric cryptography.

Here is what that means concretely for the algorithms in use today:

  • RSA: Security depends on the difficulty of factoring the product of two large primes. Shor's algorithm factors these numbers efficiently. A sufficiently powerful quantum computer running Shor's algorithm reduces RSA-2048 from a problem requiring billions of years on classical hardware to one solvable in hours or days.
  • ECDSA (Elliptic Curve Digital Signature Algorithm): Used to sign Bitcoin and Ethereum transactions, ECDSA security rests on the elliptic curve discrete logarithm problem. Shor's algorithm solves this too. Every public key on a blockchain that uses ECDSA is potentially recoverable, and from the public key an attacker can derive the private key.
  • Diffie-Hellman key exchange: Classical DH and its elliptic curve variant ECDH both rely on discrete logarithm hardness. Both fall to Shor's algorithm.

The practical implication is stark. All TLS connections negotiated with RSA or ECDH, all digital signatures made with ECDSA or RSA, and all certificate infrastructure built on these primitives become insecure once a cryptographically relevant quantum computer (CRQC) exists. For a deeper dive into how Shor's algorithm works step by step, see our full explainer.

How many qubits does this actually require? Current estimates place the threshold for breaking Bitcoin's ECDSA at roughly 4,000 logical qubits running fault-tolerant operations. Today's best machines operate in the hundreds of noisy physical qubits, but the trajectory of progress is not something defenders can ignore. Our analysis of qubit requirements for breaking Bitcoin goes into precise detail.
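The reduction above is worth seeing in code. Shor's algorithm does not factor directly; it finds the period r of a^x mod N, and a few lines of classical arithmetic turn that period into the factors. The following Python is an added illustration written for this article, not code from the original page or from QuanChain: it replaces the quantum period-finding step with a brute-force loop (which is exponential classically, and is exactly the step a quantum computer makes polynomial) so that the classical post-processing can be run end to end on toy moduli. The toy RSA key n = 3233, e = 17 is a constructed textbook example, not a real key.

```python
from math import gcd


def find_period(a, n):
    """Classical brute-force order finding: the smallest r > 0 with a^r = 1 (mod n).
    This is the one step Shor's algorithm performs in polynomial time using the
    quantum Fourier transform; every other step below is cheap on classical hardware."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(n, a):
    """Shor's classical post-processing: turn the period of a mod n into a factor.
    Returns a nontrivial factor of n, or None when this base a fails (odd period,
    or a^(r/2) = -1 mod n); the caller then simply tries another base."""
    g = gcd(a, n)
    if g != 1:
        return g                      # a already shares a factor with n
    r = find_period(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)             # y^2 = 1 (mod n), and y != 1 by minimality of r
    if y == n - 1:
        return None                   # trivial square root of 1, no information
    for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < candidate < n:
            return candidate
    return None


def factor(n):
    """Try bases a = 2, 3, ... until the reduction yields a factor; returns (p, q) sorted.
    For a product of two distinct odd primes at least half of all bases succeed."""
    for a in range(2, n):
        f = factor_from_period(n, a)
        if f:
            return tuple(sorted((f, n // f)))
    raise ValueError("no factor found (n prime or a prime power?)")


def recover_rsa_private_exponent(n, e):
    """Given only the public key (n, e), factor n and derive d = e^-1 mod phi(n).
    This is why factoring n is equivalent to recovering the RSA private key."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53 = 3233, e = 17 (textbook values, not a real key).
    print(factor(15), factor(3233), recover_rsa_private_exponent(3233, 17))
```

The point for a defender is where the cost lives: the loop in find_period is the only part that is hard, and it is hard only on classical hardware. Raising the RSA key size makes that loop longer classically but does nothing to the polynomial-time quantum version, which is why the article treats RSA as broken at every key size rather than merely weakened.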

Grover's Algorithm: The Symmetric Crypto Speed-Up

Grover's algorithm, published in 1996, provides a quadratic speed-up for unstructured search problems. Applied to cryptography, this means it can search a key space of size N in roughly the square root of N operations instead of N.

The consequences here are serious but manageable:

  • AES-128: A 128-bit key has 2^128 possible values. Grover's algorithm reduces the effective search to 2^64 operations. That is within the range of a sufficiently powerful adversary. AES-128 is considered weakened but not immediately catastrophic.
  • AES-256: Grover's algorithm reduces this to 2^128 operations. That remains computationally infeasible even for quantum adversaries. AES-256 is generally considered quantum-safe with its current key size.
  • SHA-256: Used in Bitcoin's proof-of-work and in HMAC constructions, SHA-256 produces 256-bit outputs. Grover's algorithm applied to preimage search reduces preimage security from 2^256 to 2^128. For collision resistance, the relevant analysis is more complex, but SHA-256 is not considered broken by quantum computers.
  • SHA-3 and other hash functions: Similar analysis applies. Doubling output length maintains security margins against Grover.

The practical takeaway from Grover is straightforward: migrate away from 128-bit symmetric keys toward 256-bit keys, and you have largely addressed the threat. This is painful but achievable through configuration changes, not algorithmic replacement.

What "Broken" Actually Means

Cryptographers use "broken" in a precise sense that differs from the colloquial meaning. A scheme is broken if there exists an attack that is significantly faster than brute force, even if that attack remains practically infeasible today.

By this definition, RSA and ECDSA are broken by Shor's algorithm the moment a CRQC exists. Not weakened. Not reduced in security margin. Completely broken, because Shor solves the underlying problem efficiently rather than merely speeding up brute force.

AES-128 is weakened by Grover but not broken in the same sense. Its security margin is reduced to a level that might be acceptable depending on the threat model and time horizon.

This distinction matters enormously for prioritisation. Systems using RSA or ECDSA need full algorithmic replacement, not just key size increases. Systems using AES-128 need a key size upgrade. Systems using AES-256 or SHA-256 for symmetric operations need careful monitoring but no immediate action on the algorithm itself.

The Harvest Now, Decrypt Later Problem

There is a threat that does not require a CRQC to exist today. Nation-state and sophisticated adversaries are collecting encrypted traffic now, storing it, and planning to decrypt it once quantum hardware matures. Any data encrypted with RSA or ECDSA today is already compromised in the sense that its confidentiality has a future expiry date.

For long-lived secrets, classified information, or financial records with multi-decade relevance, this threat is active right now. The harvest-now, decrypt-later attack vector is explored in full detail in our dedicated article.

For blockchain systems specifically, every transaction ever signed with ECDSA is stored permanently on a public ledger. Once a CRQC arrives, any exposed public key becomes a liability. Addresses that have been used to send transactions, and therefore had their public key revealed on-chain, are retroactively vulnerable.

Algorithms That Are Genuinely Safe

Not all cryptography falls under the quantum threat in the same way. The following categories are currently considered quantum-resistant or quantum-safe:

  • Lattice-based cryptography: Problems like Learning With Errors (LWE) and its variants have no known efficient quantum algorithm. NIST's post-quantum standards, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for signatures, are lattice-based.
  • Hash-based signatures: XMSS and SPHINCS+ rely only on the security of the hash function itself. Their quantum resistance is well understood and conservative.
  • Code-based cryptography: Based on the hardness of decoding random linear codes, with no known quantum speed-up of practical significance.
  • Isogeny-based cryptography: SIKE was a candidate until a classical (not quantum) attack broke it in 2022, illustrating that post-quantum is not synonymous with unbreakable. The field continues to develop more robust constructions.

Our introduction to post-quantum cryptography covers each of these families in accessible detail.

What Needs Replacing Right Now

The algorithms that need full replacement, not just parameter adjustment, are any scheme whose security reduces to integer factorisation or discrete logarithm. That list includes:

  1. RSA in all its variants (RSA-1024, RSA-2048, RSA-4096)
  2. ECDSA over standard curves (secp256k1, P-256) and EdDSA (Ed25519 over Curve25519)
  3. ECDH and classical Diffie-Hellman key exchange
  4. ElGamal encryption
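The three verdicts the article lays out, full replacement for anything resting on factoring or discrete log, a key size upgrade for 128-bit symmetric keys, and monitoring for 256-bit symmetric keys and hashes, can be turned into a simple inventory triage. The Python below is an added example written for this article, not code from the original page or from QuanChain. The inventory records and the field names (system, primitive, bits, use) are a constructed format assumed for the example; the primitive names follow the article's own list, and the effective-strength rule is the one the Grover section gives (key or output size halved), applied to preimage resistance for hashes.

```python
# Constructed inventory for this example: one record per cryptographic primitive in use.
# "bits" is the key size for symmetric ciphers, the output size for hashes, and the
# modulus or curve size for asymmetric schemes; post-quantum entries carry no size
# here because no parameter-size rule is applied to them.
INVENTORY = [
    {"system": "tls-edge", "primitive": "RSA",     "bits": 2048, "use": "key exchange"},
    {"system": "tls-edge", "primitive": "ECDH",    "bits": 256,  "use": "key exchange"},
    {"system": "wallet",   "primitive": "ECDSA",   "bits": 256,  "use": "signature"},
    {"system": "backup",   "primitive": "AES",     "bits": 128,  "use": "encryption"},
    {"system": "backup",   "primitive": "AES",     "bits": 256,  "use": "encryption"},
    {"system": "ledger",   "primitive": "SHA-256", "bits": 256,  "use": "hash"},
    {"system": "legacy",   "primitive": "ElGamal", "bits": 3072, "use": "encryption"},
    {"system": "archive",  "primitive": "Kyber",   "bits": None, "use": "key exchange"},
]

# Security reduces to factoring or discrete log: Shor breaks these at every key size,
# so the only remedy is algorithm replacement.
SHOR_BROKEN = {"RSA", "DSA", "ECDSA", "EdDSA", "DH", "ECDH", "ElGamal"}
# Grover only: effective strength is halved, so the key or output size decides.
# For hashes this is the preimage bound; collision resistance needs its own analysis.
GROVER_HALVED = {"AES", "ChaCha20", "SHA-256", "SHA-512", "SHA3-256", "SHA3-512"}
# Post-quantum families named in the article.
POST_QUANTUM = {"Kyber", "Dilithium", "XMSS", "SPHINCS+"}


def quantum_security_bits(primitive, bits):
    """Effective bits of security against a quantum adversary:
    0 for Shor-broken schemes (polynomial-time break, key size irrelevant),
    bits // 2 for symmetric keys and hash preimages under Grover."""
    if primitive in SHOR_BROKEN:
        return 0
    if primitive in GROVER_HALVED:
        return bits // 2
    raise ValueError(f"no quantum security estimate for {primitive}")


def triage(record, min_bits=128):
    """Map one record to the article's verdict: replace (Shor-broken), upgrade
    (Grover leaves fewer than min_bits), monitor (still at least min_bits), ok (PQ)."""
    prim = record["primitive"]
    if prim in POST_QUANTUM:
        return "ok"
    if prim in SHOR_BROKEN:
        return "replace"
    if prim in GROVER_HALVED:
        effective = quantum_security_bits(prim, record["bits"])
        return "upgrade" if effective < min_bits else "monitor"
    return "unknown"


def plan(inventory, min_bits=128):
    """Group an inventory by action, most urgent first:
    {action: [(system, primitive, bits), ...]}."""
    out = {action: [] for action in ("replace", "upgrade", "monitor", "ok", "unknown")}
    for rec in inventory:
        out[triage(rec, min_bits)].append((rec["system"], rec["primitive"], rec["bits"]))
    return out


if __name__ == "__main__":
    for action, items in plan(INVENTORY).items():
        for system, prim, bits in items:
            label = f"{prim}-{bits}" if bits else prim
            print(f"{action:8} {system:10} {label}")
```

The useful property of this layout is that raising min_bits does not change any "replace" verdict: no key size moves RSA, ECDSA or ECDH out of that bucket, which is the distinction between broken and weakened that the previous section draws. An unknown primitive lands in its own bucket rather than being silently treated as safe.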

For blockchain networks in particular, the signature scheme used to authorise transactions is the critical vulnerability. Bitcoin and Ethereum both use secp256k1-based ECDSA. Every wallet, every smart contract, every validator key on these networks depends on a problem that Shor's algorithm solves completely. A detailed vulnerability ranking of major cryptocurrencies is available in our analysis.

Beyond Shor and Grover: Other Quantum Threats

Shor and Grover dominate the conversation, but the field of quantum algorithms continues to develop. Researchers have proposed quantum algorithms for solving certain systems of multivariate equations, for speeding up meet-in-the-middle attacks, and for attacking some lattice constructions under specific parameter choices. None of these currently threaten well-parameterised post-quantum standards, but the landscape requires ongoing vigilance.

The deeper lesson is that cryptographic security is never a permanent state. It is a function of the best known attacks at a given time against a given construction. The quantum transition is not a one-time migration event but a shift in the baseline threat model that requires continuous reassessment.

What a Quantum-Resistant Blockchain Must Do Differently

Building a blockchain that survives the quantum transition requires more than swapping ECDSA for a post-quantum signature scheme, though that is the necessary starting point. It requires rethinking consensus mechanisms that depend on public key infrastructure, address formats that expose or protect public keys, and upgrade paths that can migrate existing key material without breaking backward compatibility.

Our overview of quantum-resistant blockchain design explains the full architectural requirements. QuanChain's approach integrates post-quantum cryptography at the protocol layer, including the TADEQs signature framework and a consensus mechanism designed from the ground up for a post-quantum threat environment.

For those assessing their own exposure, the QuanChain quantum threat calculator provides a practical tool for evaluating how vulnerable a given system or portfolio is under different quantum timeline scenarios.

The Timeline Question

Predictions about when a CRQC will arrive range from five years to never. The honest answer is that no one knows with confidence, and the responsible posture is to treat the migration timeline as the binding constraint, not the hardware timeline.

Large organisations and critical infrastructure take five to fifteen years to complete cryptographic migrations. Banking systems, identity infrastructure, and blockchain networks all have deep dependencies on current standards. If a CRQC appears in ten years and migration takes fifteen, the window is already closed. The migration problem for blockchains specifically is one of the most underappreciated challenges in the industry.

Shor's algorithm has been known for thirty years. NIST finalised its first post-quantum standards in 2024. The cryptographic community has done its part. The remaining work is engineering, deployment, and the institutional will to treat a future threat as a present priority.

Summary: What to Take Away

Shor's algorithm completely breaks RSA and ECDSA. Grover's algorithm halves the effective key length of symmetric ciphers and hashes. AES-256 and SHA-256 survive with adequate margin. RSA and ECDSA do not survive at any key size.

The encryption that needs replacing is specific and well-understood. The replacement algorithms are standardised and available. The timeline pressure is real, driven not by the arrival of quantum hardware but by the years required to migrate away from vulnerable systems. What happens on the day a CRQC arrives is not a hypothetical to defer indefinitely. It is an engineering deadline that the cryptographic community, and the blockchain industry in particular, needs to treat as already overdue.


Dr. Sarah Chen

Head of Cryptography Research

Dr. Sarah Chen leads cryptographic research at QuanChain, specialising in post-quantum algorithm integration and quantum threat timeline analysis. She holds a PhD in cryptography and has published extensively on lattice-based cryptographic systems and their application to distributed ledger security.
