
University of Nebraska - Lincoln

DigitalCommons@University of Nebraska - Lincoln

Honors Theses Honors Program

Spring 3-1-2024

Quantum Computing and U.S. Cybersecurity: A Case Study of the
Breaking of RSA and Plan for Cryptographic Algorithm Transition
Helena Holland
University of Nebraska - Lincoln

Follow this and additional works at: https://digitalcommons.unl.edu/honorstheses

Part of the Mathematics Commons, and the Political Science Commons

Holland, Helena, "Quantum Computing and U.S. Cybersecurity: A Case Study of the Breaking of RSA and
Plan for Cryptographic Algorithm Transition" (2024). Honors Theses. 681.
https://digitalcommons.unl.edu/honorstheses/681

This Thesis is brought to you for free and open access by the Honors Program at DigitalCommons@University of
Nebraska - Lincoln. It has been accepted for inclusion in Honors Theses by an authorized administrator of
DigitalCommons@University of Nebraska - Lincoln.
QUANTUM COMPUTING AND U.S. CYBERSECURITY: A CASE STUDY OF THE
BREAKING OF RSA AND PLAN FOR CRYPTOGRAPHIC ALGORITHM TRANSITION

An Undergraduate Honors Thesis

Submitted in Partial Fulfillment of

University Honors Program Requirements

University of Nebraska-Lincoln

by

Helena Holland, BS

Mathematics

College of Arts and Sciences

March 2024

Faculty Mentors:

Alexandra Seceleanu, PhD, Mathematics

Tyler White, PhD, Political Science



Acknowledgements

Thank you to my faculty advisors, Dr. White and Dr. Seceleanu, for their valuable feedback on this
project. Thank you to my parents and siblings for their love and support throughout my collegiate
career.

Abstract

The invention of a cryptographically relevant quantum computer would revolutionize computing
power, transforming industry and national security. While a theoretical possibility at the time of this
writing, the ability of quantum algorithms to solve the factoring and discrete logarithm problems,
upon which all currently employed public-key cryptography depends, presents a serious threat to
digital communications. This research examines both the mathematics and government policy behind
these risks and their implications for cybersecurity. Specifically, a case study of RSA, Shor’s algorithm,
and the American Intelligence Community’s plan to transition toward quantum-resistant algorithms
is presented to analyze quantum threats and opportunities and characterize the potential large-scale
consequences of the technology.

Key Words: Post-quantum cryptography, quantum computing, public-key cryptography, RSA, Shor’s
algorithm, Kyber, Learning with Errors, NSM-10, NIST

Table of Contents

Introduction ... 6

Section One: Theoretical Framework ... 7
1.1 What is a Quantum Computer?
1.1.1 Key Quantum Mechanical Concepts
1.1.2 Quantum Bits, Gates, and Circuits
1.1.3 The Engineering Challenge
1.1.4 Quantum Possibilities
1.1.4.1 Quantum Speed-up
1.1.4.2 Other Opportunities
1.2 Public-key Cryptography ... 10
1.2.1 What is Cryptography?
1.2.2 Encryption
1.2.3 Public-key Infrastructure
1.2.3.1 Fundamentals
1.2.3.2 Hard Problems
1.2.3.3 The Factoring Problem
1.2.3.4 The Discrete Logarithm Problem
1.3 The Quantum Threat to Cybersecurity ... 12
1.3.1 Shor’s Algorithm and the Breaking of RSA, Diffie-Hellman, and Elliptic Curve Cryptography
1.3.2 Grover’s Algorithm and the Lesser Threat to Symmetric Encryption
1.3.3 Post-Quantum Cryptographic Algorithms
1.3.3.1 Code-Based
1.3.3.2 Lattice-Based
1.3.3.3 Multivariate
1.3.3.4 The Learning with Errors Problem

Section Two: Methodology ... 14

Section Three: Case Study ... 15
3.1 RSA and Shor’s Algorithm
3.1.1 The Mathematics of RSA
3.1.2 The Mathematics of Shor’s Algorithm and the Breaking of RSA ... 18
3.1.2.1 The Quantum Part
3.1.2.2 The Classical Part
3.1.2.3 A Probabilistic Proof that Shor’s Algorithm for Prime Factorization Terminates
3.2 The U.S. Intelligence Community’s Response ... 24
3.2.1 Algorithm Standardization
3.2.1.1 NIST’s Quantum-Resistant Algorithm Selection Process
3.2.1.2 The First Set of Algorithms Selected for Standardization and CNSA 2.0
3.2.2 The Mathematics Behind the Kyber Quantum-Resistant Algorithm ... 26
3.2.2.1 The Plain LWE Encryption Scheme
3.2.2.2 Kyber
3.2.3 National Security Memorandum 10 (NSM-10) ... 32
3.2.3.1 Directives and Emphases
3.2.3.2 The Challenges of Transition
3.3 SWOT Analysis of Transition Plan ... 36

Section Four: Discussion ... 37
4.1 Key Threats to Cybersecurity
4.2 Key Opportunities for Cybersecurity

Conclusion ... 39

Appendix ... 40

Bibliography ... 43

Abbreviations

CRQC – Cryptographically Relevant Quantum Computer

NSA – National Security Agency

NIST – National Institute of Standards and Technology

DHS – Department of Homeland Security

QFT – Quantum Fourier Transform

JQI – Joint Quantum Initiative

QIS – Quantum Information Science

NSM-10 – National Security Memorandum 10

CNSA – Commercial National Security Algorithm Suite

CISA – Cybersecurity and Infrastructure Security Agency

NSS – National Security Systems

LWE – Learning with Errors

List of Tables and Figures

Figure 1: Shor’s QFT Output Example

Table 1: Quantum-Resistant Algorithms to be Standardized

Table 2: Kyber Encryption Algorithm Parameters and Corresponding Decryption Failure
Probability δ

Figure 2: Quantum-Resistant Algorithm Standardization Timeline

Table 3: CNSA 1.0

Table 4: CNSA 2.0



Introduction

To the general American public, the term “quantum computing” smacks of science fiction. A computer
built upon the principles of quantum rather than classical mechanics, it is either unheard of or a
technology of the future with little effect on the present. This attitude may soon change. While
physicists and mathematicians have maintained that quantum computing is theoretically possible for
decades, none have successfully invented a cryptographically relevant quantum computer, and many
have predicted that this will be impractical due to the instability of subatomic particles. However,
quantum computing has gained much traction in recent years as knowledge progresses, with China
and the U.S. taking the lead on its research and development. Many scientists now regard the
technology as a “significant engineering challenge” rather than a practical impossibility. 1 The question
has now become one of timing. If powerful quantum computers became a reality, they would possess
capabilities beyond those of classical computers and bring with them both opportunities and threats
for American industry and national security. With applications in cryptography, precise data
processing, and artificial intelligence, quantum technology affords its wielders better military
intelligence, more accurate decision models, and access to adversaries’ confidential data. In light of
this, the first nation to invent a quantum computer would have a massive strategic advantage, and
many draw parallels between the quantum race and the space race or Manhattan project. While these
predictions may or may not come to pass, quantum computers will undoubtedly transform computing
technology and the world stage.

The exact changes that quantum computing will bring to governments, businesses, and individuals
alike are uncertain and abstract with few concrete examples, much like the technology itself. However,
the most certain consequences of quantum computing are in the cybersecurity domain. While the
technology has many useful applications, it is the quantum threat to public-key cryptography that
has inspired the most interest. Public-key cryptography is a form of asymmetric encryption that
secures e-commerce and other digital communications and includes the RSA, Diffie-Hellman, and
elliptic curve cryptographic algorithms. A classical computer, any computer in existence today, cannot
crack these schemes in a reasonable amount of time, but a quantum computer can. This is not because
it is an entirely new machine; rather, quantum computing extends the capabilities of classical
computers by finding new approaches to solving problems, approaches only possible through
leveraging quantum mechanics. Because quantum computing would effectively break the security of
internet communications, it is important that U.S. intelligence begins preparing for its emergence
now.

Current research surrounding quantum computing technology and national security is theoretical and
predictive. The theory of quantum computing is well-established, as are the mathematics of quantum
algorithms such as Shor’s algorithm, which demonstrates a quantum computer’s ability to crack
public-key cryptography. The knowledge gap lies in the divide between theory and practice, as the
hardware and engineering challenges are known but not yet overcome. Physicists understand the
quantum computing concepts of qubits and entanglement but cannot yet transport qubits over long
distances reliably, a feat required to produce a cryptographically relevant quantum computer (CRQC).
While large-scale quantum technology is not yet in existence, the real threat it poses to current
cryptographic systems is not in dispute, and American intelligence agencies have mobilized to make
U.S. cryptosystems quantum-resistant. The plans and progress of this transition project are
documented in National Security Memorandum 10 (NSM-10) and NSA, NIST, and DHS webpages,
conference materials, and publications. This topic connects to many conversations surrounding
quantum technology, including how it will affect current technology, how the U.S. should prioritize
mitigating quantum threats and leading the development of the first quantum computer, and whether
current plans to transition to quantum-resistant systems will be successful.

1 2016 Report on Post-Quantum Cryptography 2 (NIST).

The central research question of this thesis asks what impact quantum computing technology will
have on U.S. cybersecurity. The research method is an intrinsic case study of quantum computing’s
threat to public-key cryptography, focusing on Shor’s algorithm and the breaking of RSA, and an
analysis of the American Intelligence Community’s plan to transition vulnerable cryptosystems. The
research objectives include characterizing quantum threats to cybersecurity, analyzing the government
initiatives to mitigate these threats, and drawing conclusions about the potential large-scale
consequences of quantum technology. In addition, this project places the mathematics of RSA, Shor’s
algorithm, and the Kyber quantum-resistant algorithm within their national security contexts.

The following sections begin with the theoretical framework for the research and proceed to case
study findings and discussion of results. Section One introduces the details of quantum computing,
the fundamentals of cryptography and encryption, the RSA algorithm, quantum algorithms, and
quantum-resistant encryption algorithms. Section Two describes the research methodology. Section
Three presents the case study findings, including the mathematics of RSA, Shor’s algorithm, and the
Kyber algorithm, as well as a SWOT analysis of U.S. Intelligence initiatives to transition America
toward quantum-resistant systems. Section Four discusses case study results, and the thesis concludes
with a summary of the research that highlights the key implications of quantum computing for
cybersecurity going forward.

Section One: Theoretical Framework

1.1 What is a Quantum Computer?

1.1.1 Key Quantum Mechanical Concepts

All computations entail inputting information, manipulating the information according to mathematical
rules, and outputting the desired result. 2 Quantum computing is no exception to this definition, but it
is revolutionary in its combination of quantum physics with computation and computer science. To
understand quantum computers at a basic level, one must be familiar with some key principles of
quantum mechanics, namely superposition, measurement, and entanglement.

Quantum mechanics deals with the behavior of subatomic particles, which exhibit true randomness
and other counterintuitive properties. While the basic unit of information for classical computations
is the bit, the basic unit of information for quantum computations is the quantum bit, or qubit. 3 A
classical bit takes on the values of 0 or 1, and the value of the bit remains unchanged before and after
measurement. In contrast, a qubit can exist in states 0 and 1 simultaneously and takes on one of these
two values only at the moment of measurement.

2 Bernhardt 1.
3 Aumasson 251.

This phenomenon, in which a qubit exists in multiple states at once, is called superposition and
contributes to quantum computing’s power over classical computing. 4 The concept of the wave
function in quantum physics helps make sense of this property. For example, an electron may exist in
multiple orientations simultaneously before observation. The position of an electron is modeled by
the wave function, which collapses around a definite orientation only at the moment of observation,
an operation known as “measurement” in quantum mechanics.5 This example is significant, as the
spin of an electron or polarization of a photon are physical representations of a qubit and demonstrate
how the act of measurement changes the qubit, takes it out of a state of superposition, and causes it
to behave as a classical bit.

Entanglement is the final key concept: two qubits are entangled when measuring one of them affects
the state of the other, even when the particles are light-years apart. 6 This is a mystery of quantum
physics that allows quantum computing to be physically realizable, as entanglement stabilizes a qubit’s state.
In addition to their use of quantum mechanics, quantum computers are distinct from classical
computers in the mathematics that model their operation. While classical computing is based in
Boolean algebra, linear algebra underlies quantum computing. 7

1.1.2 Quantum Bits, Gates, and Circuits

As mentioned in the previous section, a qubit can be modeled by the spin of an electron or the
polarization of a photon.8 The electron spin model will be used for illustration purposes. In a quantum
computer, computation is done using qubits, but the result is outputted in the form of classical bits,
allowing the device to manipulate data differently than a classical computer while producing a familiar
result. A classical computer saves bits of information on memory and processes a set of instructions,
while a quantum computer transforms qubits reversibly through a quantum circuit, or array of
quantum gates.9 Recall that classical computing is modeled by Boolean algebra, and quantum
computing is modeled by linear algebra. This distinction is important, as a quantum gate acts as a
matrix multiplication on a vector of quantum state amplitudes (probabilities of each state occurring
at measurement), rather than a Boolean operation on classical bits. 10 Given n qubits, a quantum
circuit can process 2^n numbers.11 This is due to the electron’s state of superposition and allows
quantum computers to encode exponentially more implicit states than a classical computer. To explain
why 2^n numbers are necessary to describe n qubits, recall that a qubit can exist in a superposition of
two states, 0 or 1, and an n-qubit system exists as a superposition of all possible states for that
system. For example, a 2-qubit system is a superposition of states 00, 10, 01, and 11, allowing the
computer to encode 2^2 numbers, or specifically, 4 state amplitudes. After passing through a quantum
circuit, the value of one or more qubits is measured to obtain the final computational result.

4 Ibid.
5 Oriyano 253.
6 Aumasson 252.
7 Bernhardt 17.
8 Bernhardt 8.
9 Aumasson 255.
10 Bernhardt 117.
11 Ibid.

The Hadamard quantum gate and the quantum Fourier transform (QFT) play important roles in
Shor’s algorithm, the algorithm that demonstrates a quantum computer’s ability to break public-key
cryptography. The Hadamard quantum gate is used in quantum circuits to go from a deterministic
state to a probabilistic one and vice versa.12 A QFT is a generalization of the Hadamard gate. Through
applying the Hadamard gate to each qubit, the QFT allows the user of a quantum computer to access
hidden frequency information encoded in quantum registers.13 The intricate mathematics of this
transformation require advanced training, but familiarity with the general effect of the QFT is
important to understanding Shor’s algorithm and the risks that quantum computers introduce in the
cybersecurity world.
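The linear-algebra picture of Section 1.1.2 can be made concrete with a few lines of code. The following is an added example, not code from the thesis: a minimal state-vector simulator in which an n-qubit register is a vector of 2^n complex amplitudes, the Hadamard gate is a 2x2 matrix applied to one qubit, measurement samples a classical bit string with probability |amplitude|^2, and the QFT is the unitary DFT matrix applied to the whole vector. The last two functions show the effect Shor's algorithm relies on: a register whose amplitudes have period r is transformed by the QFT into peaks spaced 2^n / r apart, from which r can be read off. All function names are this example's own.

```python
"""
Added example (not from the thesis): a state-vector simulator for the
linear-algebra model of qubits, gates, measurement and the QFT.
"""
import cmath
import math
import random
from typing import List

State = List[complex]

# Hadamard gate: sends the definite |0> to an equal superposition of |0> and |1>.
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]


def zero_state(n: int) -> State:
    """Deterministic register |0...0>: 2^n amplitudes, all weight on index 0."""
    state = [0j] * (2 ** n)
    state[0] = 1 + 0j
    return state


def apply_single_qubit_gate(state: State, gate, target: int) -> State:
    """Apply a 2x2 gate to one qubit (0 = most significant bit of the basis index) by
    pairing the amplitudes whose indices differ only in that bit."""
    n = int(math.log2(len(state)))
    bit = 1 << (n - 1 - target)
    out = list(state)
    for idx in range(len(state)):
        if idx & bit:            # each pair is handled from its '0' member
            continue
        a0, a1 = state[idx], state[idx | bit]
        out[idx] = gate[0][0] * a0 + gate[0][1] * a1
        out[idx | bit] = gate[1][0] * a0 + gate[1][1] * a1
    return out


def hadamard_all(state: State) -> State:
    """H on every qubit. From |0...0> this gives a uniform superposition of all 2^n strings;
    applied again it returns the register to |0...0>, since H is its own inverse."""
    for q in range(int(math.log2(len(state)))):
        state = apply_single_qubit_gate(state, H, q)
    return state


def probabilities(state: State) -> List[float]:
    return [abs(a) ** 2 for a in state]


def measure(state: State, rng=random) -> str:
    """Collapse the register: sample one basis index by the Born rule, return it as bits."""
    n = int(math.log2(len(state)))
    idx = rng.choices(range(len(state)), weights=probabilities(state), k=1)[0]
    return format(idx, f"0{n}b")


def qft(state: State) -> State:
    """Quantum Fourier transform as the matrix F[j][k] = w^(j*k) / sqrt(N), w = exp(2*pi*i/N)."""
    N = len(state)
    w = cmath.exp(2j * math.pi / N)
    return [sum(w ** (j * k) * state[k] for k in range(N)) / math.sqrt(N) for j in range(N)]


def periodic_state(n: int, r: int) -> State:
    """Equal superposition of the basis indices 0, r, 2r, ... below 2^n: a register with
    period r, the kind Shor's modular-exponentiation step leaves behind."""
    idxs = range(0, 2 ** n, r)
    state = [0j] * (2 ** n)
    for i in idxs:
        state[i] = 1 / math.sqrt(len(idxs))
    return state


def peaks(state: State, tol: float = 1e-9) -> List[int]:
    """Indices carrying non-negligible probability; after a QFT of a period-r register
    these sit at multiples of 2^n / r, which is how the period is read out."""
    return [i for i, p in enumerate(probabilities(state)) if p > tol]


def is_close(a: State, b: State, tol: float = 1e-9) -> bool:
    return len(a) == len(b) and all(abs(x - y) < tol for x, y in zip(a, b))
```

Applying `hadamard_all` to `zero_state(2)` yields four amplitudes of 0.5 (the 2^2 = 4 state amplitudes discussed above), applying it again restores the deterministic register, and `qft(zero_state(2))` gives the same uniform superposition, which is the sense in which the QFT generalizes the Hadamard gate. On three qubits, `peaks(qft(periodic_state(3, 4)))` returns the indices 0, 2, 4 and 6, spaced 8/4 = 2 apart.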

1.1.3 The Engineering Challenge

Building a quantum computer is an extremely difficult task due to the small size and instability of
quantum particles representing qubits. These quantum particles are kept at temperatures near
absolute zero, are hard to stabilize for more than a few seconds, and are easily affected by the
environment, rendering them useless in most practical situations. The invention of a stable, accurate system
consisting of a few qubits that can apply quantum gates would be a monumental accomplishment,
but for this system to be useful or cryptographically relevant, it must then be scaled to thousands or
millions of qubits. To put this in perspective, the Joint Quantum Institute’s (JQI) Monroe team holds
the record in keeping 14 qubits stable for a few milliseconds. 14 While building a quantum computer is
a daunting task, American government and industries continue to prioritize quantum research and
development because of the opportunities the technology offers.

1.1.4 Quantum Possibilities

1.1.4.1 Quantum Speed-up

Of the possibilities that quantum computing unlocks, quantum speed-up receives the most attention.
Quantum speed-up refers to a quantum computer’s ability to solve a computational problem more
quickly than a classical computer. This is significant to cryptography, as the security of cryptographic
algorithms is based on the inability of classical computers to solve certain hard mathematical problems
in a reasonable amount of time. The field of complexity theory quantifies the time difference between
quantum and classical algorithms used to solve these problems. Problems are grouped into complexity
classes depending on computational difficulty, and these classes determine their solvability. For
example, complexity theorists consider exponential time, such as O(2^n) for input of size n, as
unsolvable within reasonable time constraints and polynomial time, O(n^k) for some fixed number k,
as practically solvable.15 The great promise of quantum computing is the ability to turn problems
with exponential time complexity when solved on a classical computer into problems with polynomial
time complexity when solved on a quantum computer, the difference between a billion years and a
few minutes of computer processing. This jeopardizes cryptographic algorithms that depend on the
exponential time complexity of their underlying computational problems.

12 Bernhardt 122.
13 Johnson 125.
14 Aumasson 262.
15 Bernhardt 163.

1.1.4.2 Other Opportunities

It is important to acknowledge that quantum computing also has the power to create extremely secure
encryption. This technique, known as quantum key distribution, uses a stream of quantum particles
to share an encryption key. The quantum computer would be able to detect any eavesdropping across
the transmission medium, making this method’s security unprecedented. 16 Outside of cybersecurity,
quantum technology could lead to atomically precise sensors for biotechnology, radar, and defense,
improved geospatial technologies, better methods of simulating chemical and physical phenomena,
and more efficient machine learning and optimization algorithms.17 The exact applications of quantum
technology will surface as the field advances, but its potential in a wide variety of sectors points to
the magnitude of change it may bring about and its right to the title “revolutionary”. 18 With the
basics of quantum computing covered, the next section discusses the most certain impact of quantum
computing, the breaking of public-key cryptography.

1.2 Public-Key Cryptography

1.2.1 What Is Cryptography?

Modern cryptography is an application of advanced mathematics that secures information through
keeping sensitive data confidential, detecting when information has been modified, and authenticating
identity.19 Cryptography takes many forms, but encryption is the area most threatened by quantum
computing and therefore the focus of this research.

1.2.2 Encryption

Encryption is a form of cryptography that secures the confidentiality of information. It performs this
function through transforming confidential data into an incomprehensible state that unwelcome
viewers cannot decipher, maintaining the secrecy of sensitive information shared over insecure
channels.20 An encryption algorithm is the mathematical or logical procedure that converts the data
from its plaintext, the original message, to ciphertext, its incomprehensible state. The algorithm uses
a key during the encryption process, a variable that configures the algorithm at any one time and
produces a corresponding ciphertext. To decipher the message, the ciphertext must be transported to
a recipient who possesses a decryption key to “unlock” the encrypted message according to the
decryption algorithm.21 Only the holder of the decryption key may read the original contents of the
message.

The three common forms of encryption are symmetric, asymmetric, and hash functions. Symmetric
encryption is the oldest form of encryption in which the same key is used to encrypt and decrypt an
original message.22 Symmetric encryption must tackle the problem of key distribution, safely providing
the key to the receiving party. In contrast, asymmetric encryption, also known as public-key
cryptography, is a newer form of encryption that uses one key to encrypt and a different but related
key to decrypt. This form of encryption is most vulnerable to a quantum computer. Finally, hash
functions are a form of encryption that maintains the integrity of data by detecting any modification
of the original message.23

16 Oriyano 258.
17 National Strategic Overview for Quantum Information Science, National Quantum Initiative.
18 “The History and Future of Quantum Information”, NIST.
19 Martin 10.
20 Aumasson 1.
21 Oriyano 12.

Symmetric and asymmetric forms of encryption depend on the secrecy of their key. Cryptanalysis,
the study of the breaking of codes, focuses on finding these keys as the means to cracking systems. If
cryptanalysts discover the key to a symmetric encryption algorithm or the private key to an
asymmetric encryption algorithm, they can decrypt a confidential message. The key is the “key” to
security, so well-designed algorithms specify a large keyspace, or number of available keys, and secure
cryptosystems ensure that keys are random and changed frequently. 24

1.2.3 Public-key Infrastructure

1.2.3.1 Fundamentals

Public-key infrastructure provides secure digital communications over an insecure channel and
validates the credentials of system users.25 As explained in Section 1.2.2, public-key (asymmetric)
cryptography maintains two keys, a public key and a private key. The public key is available to the
masses and the private key is kept secret, held by only one party, and what is performed with the
public key is only reversible using the private key. Public-key cryptography solves the problem of key
management, the process of securing and distributing keys within a system, simply because keys no
longer need to be distributed. System managers need only publish the public key, which anyone can
use to encrypt a message to the holder of the private key, but the holder of the private key is the only
party that can decrypt these messages. Hence, the information remains secure over any medium of
transmission. The public-key algorithms in use today are RSA, Diffie-Hellman, and elliptic curve
cryptography.26 The security of these algorithms depends on the hardness of their underlying
mathematical problems.

1.2.3.2 Hard Problems

Cryptographers quantify the security of algorithms through a complexity analysis of the mathematical
problems that they rely on. The goal of cryptographic security is “to make well-defined problems
impossible to solve”.27 In other words, finding the key to an encryption algorithm would amount to
solving a mathematical problem known to have high computational complexity, which guarantees the
code’s security as long as the underlying problem remains hard. All public-key algorithms employed
today rely on the hardness of either the factoring problem or the discrete logarithm problem for
security.

22 Oriyano 13.
23 Oriyano 14.
24 Martin 30.
25 Oriyano 175.
26 Martin 85.
27 Aumasson 164.

1.2.3.3 The Factoring Problem

The factoring problem is among the most well-known hard problems in cryptography. Simple to
understand yet difficult to solve, it has been used in public-key algorithms for the past fifty years and
forms the security basis for the RSA algorithm. The factoring problem consists of finding prime
numbers p and q such that a large number n = pq.28 A prime number is a number p only divisible by
1, -1, p, and -p, and every integer has a unique prime factorization, or can be written uniquely as a
product of prime numbers. The factoring problem is essentially finding the prime factorization of a
large number, a much more difficult task than it appears. For example, the fastest classical factoring
algorithm to date, the general number field sieve, has a complexity of O(exp(1.91 · n^(1/3) · (log n)^(2/3))).29
It takes this algorithm the equivalent of 2000 years of computation to factor a 768-bit number. 30 In
practice, the large numbers used in RSA-based cryptosystems are at least 1024-bit. 31 The
impracticality of factoring a large number makes RSA secure under classical computing capabilities.

1.2.3.4 The Discrete Logarithm Problem

Although the factoring problem is more well-known, a problem known as the discrete logarithm
problem entered the scene of cybersecurity first. This problem is harder to understand and
conceptualize than the factoring problem; however, it is related to the factoring problem and forms
the basis of security for the Diffie-Hellman algorithm and elliptic curve cryptography. 32 Similar to
factoring large numbers, this problem is computationally secure under classical computing capabilities
but may be solved through Shor’s algorithm on a quantum computer.

1.3 The Quantum Threat to Cybersecurity

1.3.1 Shor’s Algorithm and the Breaking of RSA, Diffie-Hellman, and Elliptic Curve
Cryptography

In 1994, AT&T researcher Peter Shor published an article titled “Polynomial-Time Algorithms for
Prime Factorization and Discrete Logarithms on a Quantum Computer” that identified quantum
algorithms causing exponential speed-up in the factoring and discrete logarithm problems, rendering
them solvable in polynomial time.33 This discovery revealed that a quantum computer would break
RSA, Diffie-Hellman, elliptic curve cryptography, and all current public-key cryptosystems, effectively
destroying internet security. It is not surprising that this discovery sparked interest in both quantum
research and defense against threats to cybersecurity.

Quantum computing provides computer scientists and mathematicians with a new way of viewing a
problem that is inaccessible through a classical paradigm. In the case of Shor’s algorithm, quantum
gates represented as orthogonal matrices reveal structures within the data being processed that may
be exploited to more quickly solve a problem that is based on periodicity, or intervals of recurrence. 34
This seemingly small achievement allows a quantum computer to exploit the periodicity implicit
within the factoring and discrete logarithm problems.

28 Aumasson 171.
29 Ibid.
30 Aumasson 173.
31 Martin 35.
32 Aumasson 174.
33 Aumasson 259.
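The link between the factoring problem of Section 1.2.3.3 and the periodicity exploited by Shor's algorithm can be traced in a toy instance. The following is an added example, not code from the thesis: a textbook RSA key pair is built from two small primes, and the private exponent is then recovered from the period r of f(x) = a^x mod n, which is exactly the quantity Shor's algorithm extracts with the QFT. Here the period is found by brute force, which is only feasible because n is tiny; for a 1024-bit modulus that search is what a classical computer cannot finish, and the classical post-processing shown in `factor_from_period` is the part that stays the same on either kind of machine. All function names are this example's own, and the primes 61 and 53 with e = 17 are a constructed sample.

```python
"""
Added example (not from the thesis): toy RSA and the classical, period-based
post-processing of Shor's algorithm on a tiny modulus.
"""
import math
import random
from typing import Tuple


def rsa_keygen(p: int, q: int, e: int) -> Tuple[int, int, int]:
    """Textbook RSA: n = p*q, public exponent e coprime to phi(n), private d = e^-1 mod phi(n)."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return p * q, e, pow(e, -1, phi)        # pow(e, -1, m) needs Python 3.8+


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), for gcd(a, n) = 1. Brute force here: this is the
    exponential-time step that Shor's algorithm performs in polynomial time with the QFT."""
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(n: int, rng=random) -> Tuple[int, int]:
    """Shor's classical post-processing: pick a random base a, obtain its period r, and read a
    factor off gcd(a^(r/2) - 1, n). Bases with odd r or a^(r/2) = -1 (mod n) are discarded and a
    new base is drawn; the thesis's Section 3.1.2.3 covers why this loop terminates quickly."""
    while True:
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g != 1:                          # lucky draw: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_period(a, n)
        if r % 2:
            continue
        y = pow(a, r // 2, n)               # y^2 = 1 (mod n) and y != 1 because r is minimal
        if y == n - 1:
            continue
        p = math.gcd(y - 1, n)              # nontrivial because y != +-1 (mod n)
        return tuple(sorted((p, n // p)))


def recover_private_key(n: int, e: int, rng=random) -> int:
    """Knowing p and q gives phi(n) and hence d: factoring n breaks RSA outright."""
    p, q = factor_from_period(n, rng)
    return pow(e, -1, (p - 1) * (q - 1))
```

With the constructed primes, `rsa_keygen(61, 53, 17)` returns the modulus 3233 and private exponent 2753, and `recover_private_key(3233, 17)` returns that same 2753 from the public values alone. For the number 15, `find_period(7, 15)` is 4, so y = 7^2 mod 15 = 4 and gcd(4 - 1, 15) = 3 gives the factors 3 and 5, the textbook walk-through of the classical part.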

1.3.2 Grover’s Algorithm and the Lesser Threat to Symmetric Encryption

While the most devastating consequence of quantum computing is its destruction of public-key
cryptography, a quantum computer also poses a small threat to symmetric encryption through
Grover’s algorithm. Similar to Shor’s, Grover’s algorithm involves a quantum speed-up and
demonstration of quantum computing’s power over classical computers. However, Grover’s algorithm
speeds up data searches rather than solutions to hard problems. 35 This algorithm allows cryptanalysts
to more quickly search keyspaces until the correct symmetric key is found, compromising the security
of shorter keys. In contrast to public-key algorithms, which are completely destroyed, a symmetric
algorithm is quantum-resistant as long as the key or hash value size is long enough. 36 Effectively,
transitioning symmetric key cryptosystems to quantum-resistant systems means doubling key and
hash value size.

1.3.3 Post-Quantum Cryptographic Algorithms

Post-quantum cryptographic algorithms are algorithms that cannot be broken by a quantum or
classical computer. Since the publishing of Shor’s algorithm, there has been national interest in
standardizing quantum-resistant algorithms and beginning the transition to post-quantum
cryptosystems. So far, cryptologists have identified three main families of quantum-resistant
asymmetric algorithms: code-based, lattice-based, and multivariate.

1.3.3.1 Code-Based

Code-based cryptography is based on error-correcting codes, which ensure the integrity of information
through the detection and correction of errors in data. Cryptosystems may employ code-based
cryptography in both encryption and signatures, which encode information and authenticate viewers,
respectively. However, this family of algorithms has seen the most success with encryption schemes. 37

1.3.3.2 Lattice-Based

Lattices are sets of points in an n-dimensional space with some periodic structure. 38 The hard problems
underneath lattice-based cryptography are instances of the “closest vector” problem on a lattice, or
the problem of “finding the vector closest to a given point in a lattice by combining a set of basis
vectors”.39

1.3.3.3 Multivariate

34 Bernhardt 169.
35 Bernhardt 174.
36 Aumasson 260.
37 2016 Report on Post-Quantum Cryptography 4 (NIST).
38 Aumasson 264.
39 2016 Report on Post-Quantum Cryptography 3 (NIST).

This family of algorithms is based on the problem of solving systems of multivariate polynomials over
finite fields. Due to their slow speed and large memory requirements, multivariate algorithms are most
successful in signature rather than encryption schemes. 40

1.3.3.4 The Learning With Errors Problem

The Learning with Errors (LWE) problem is related to hard lattice problems and consists of solving
a system of equations with the addition of small errors. Kyber, the quantum-resistant algorithm
described in Section Three, is based on LWE.41 See Section 3.2.2.1 for a formulation of the general
LWE problem.
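As an added illustration of the "system of equations with small errors" just described (this is example code written for this page, not code from the thesis and not Kyber's parameters), the block below builds a toy LWE instance over ℤ_17 with a constructed 3×3 matrix A, secret s and error vector e. It then shows the point of the errors: Gaussian elimination modulo q recovers s from the noiseless system A·s = b, but the same elimination applied to the noisy b = A·s + e returns a wrong secret, even though every error is only ±1.

```python
# Added example (not from the thesis): a toy Learning With Errors instance over Z_q.
# It shows why the "small errors" matter: the noiseless system A*s = b (mod q) is
# solved by Gaussian elimination, but the same elimination on the noisy b = A*s + e
# returns the wrong secret. All values below are constructed for illustration only;
# real LWE/Kyber parameters are far larger and the errors are sampled randomly.

Q = 17  # toy modulus

# Constructed public matrix A (3x3, invertible mod 17), secret s and error e.
A = [[1, 2, 3],
     [5, 4, 6],
     [2, 9, 1]]
S = [3, 7, 11]
E = [1, -1, 1]  # the "small errors" of LWE


def lwe_sample(a_matrix, secret, error, q=Q):
    """b = A*s + e (mod q): the public part of an LWE instance."""
    b = []
    for row, err in zip(a_matrix, error):
        acc = sum(x * y for x, y in zip(row, secret)) + err
        b.append(acc % q)
    return b


def solve_mod_q(a_matrix, b, q=Q):
    """Gauss-Jordan elimination over Z_q for a square system A*x = b.

    Returns x, or None if A is singular modulo q.
    """
    n = len(a_matrix)
    # augmented matrix [A | b] with every entry reduced mod q
    m = [[v % q for v in a_matrix[i]] + [b[i] % q] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, q)          # modular inverse (Python 3.8+)
        m[col] = [(v * inv) % q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [(vr - f * vc) % q for vr, vc in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def demo():
    """Compare solving the noiseless and the noisy system for the constructed instance."""
    clean = lwe_sample(A, S, [0, 0, 0])
    noisy = lwe_sample(A, S, E)
    return {
        "noiseless_recovers_secret": solve_mod_q(A, clean) == S,
        "noisy_recovers_secret": solve_mod_q(A, noisy) == S,
    }


if __name__ == "__main__":
    print(demo())
```

With a square, invertible A the noisy system still has a unique solution, but it is s + A⁻¹e rather than s, so linear algebra alone gives no information about which small e was used; recovering s from (A, b) is the LWE problem, and lattice-based schemes such as Kyber rest on its hardness for suitably chosen dimensions, moduli and error distributions.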

Section Two: Methodology

The research presented in this thesis explores the question of quantum computing’s impact on
cybersecurity through an intrinsic case study of the breaking of public-key cryptography. In particular,
the study investigates the mathematics of RSA and Shor’s algorithm and conducts a SWOT analysis
of the government policies put in place to address the quantum threat to asymmetric cryptography.
RSA was chosen as the representative public-key algorithm because it is the most widely used and
well-known, and the mathematical structure of RSA translates to a simplified explanation of Shor’s
algorithm.

An intrinsic case study emphasizes the case at hand over the larger theory that it represents. This
method was chosen because the breaking of public-key cryptography is the most definite consequence
of quantum computing, and an exploration of this case allows for some analysis of post-quantum
cybersecurity without generalizing findings beyond current evidence. The case study is broken into
two parts, one explaining the mathematics of RSA and Shor’s algorithm and another detailing and
analyzing the plans to migrate American cryptosystems, including a mathematical description of the
Kyber quantum-resistant algorithm that will likely replace RSA. The objective of this research is to
identify the direct and indirect consequences of quantum computing in both cryptographic theory
and practical security systems.

The data presented in the case study were collected from journal publications and government
websites and archives. The mathematics of RSA appear in introductory modern algebra and
cryptography texts. Peter Shor’s pivotal paper “Polynomial-Time Algorithms for Prime Factorization
and Discrete Logarithms on a Quantum Computer” was the primary source for the discussion of
Shor’s algorithm. The NSA, NIST, and NSM-10’s plans for quantum-resistant algorithm
standardization and the transition of vulnerable systems were gathered from government archives
containing timelines, proposed steps toward transition, FAQs, and progress assessments. After a
description of these efforts in Section 3.2, a SWOT analysis identifies and critiques the migration
project’s strengths, weaknesses, opportunities, and threats. The discussion of case study findings
draws out the implications of quantum computing for American cybersecurity in light of Shor’s
algorithm and the migration plan, broken into categories of key threats and opportunities.

40 2016 Report on Post-Quantum Cryptography 4 (NIST).
41 “A Mathematical Perspective on Post-Quantum Cryptography”, 4.

There are strengths and weaknesses associated with this case study method. A case study allows for
an in-depth analysis of quantum computing’s threat to public-key cryptography from the vantage
points of mathematics and government policy. In addition, the study focuses research on the most
pressing security concern. However, this method analyzes the impact of quantum computing from
only a cybersecurity perspective and lacks valid generalization beyond quantum computing’s effect on
public-key cryptography. For example, the case study omits a detailed discussion of the positive
consequences of quantum technology in scientific modeling, radar, and other fields related to national
defense.

To maintain rigor, the research is clearly bound to consider only asymmetric cryptography and official
national security policy surrounding algorithm transition. The structured SWOT analysis formalizes
the interpretation of this information, relying on the evidence presented in the case study to infer
possible large-scale consequences of a powerful quantum computer. The discussion of these
consequences in Section 4 is not meant to be thorough and decisive, as current research on the topic
is neither. Rather, the discussion attempts to broadly catalog the potential fates of U.S. national
security in the post-quantum era.

Section Three: Case Study

3.1 RSA and Shor’s Algorithm

3.1.1 The Mathematics of RSA 42

RSA is a cornerstone algorithm of present-day public-key cryptography. Emerging in 1977 through
the work of cryptologists Rivest, Shamir, and Adleman (RSA), this asymmetric encryption algorithm
is unique in its ability to both generate keys and encrypt information. 43 Its use is ubiquitous. Almost
all digital communications, including e-commerce, web browsers, email services, and VPNs, rely on
RSA. The mathematics behind RSA demonstrate how the factoring problem secures its use and
presage Shor’s algorithm and the cybersecurity threat that it uncovered.

Fermat’s little theorem, discovered in the seventeenth century, is central to RSA, and relies on several
definitions and theorems given below.

Definition 3.1: (ℤ denotes the set of all integers.) The numbers a, b ∈ ℤ are congruent modulo N,
written a ≡ b (mod N), if N | a – b.

Theorem 3.1: If p is prime, ℤ_p is a field.

Proof: Suppose p is prime and let a ∈ ℤ. It follows from the definition of prime that either p | a, in
which case [a]_p = [0]_p, or gcd(a, p) = 1. Hence, every nonzero [a]_p is such that gcd(a, p) = 1.
Because the greatest common divisor is equal to a linear combination of its arguments, we have
1 = ax + py for some x, y ∈ ℤ. Rearranging yields 1 – ax = py, so p | 1 – ax by the definition of
divides. Rewriting this in terms of congruence modulo p gives [ax]_p = [a]_p[x]_p = [1]_p. Therefore,
every nonzero [a]_p is a unit in ℤ_p by the definition of unit, and ℤ_p is a field. □

42 Hungerford 437-442.
43 Rivest, R., A. Shamir, L. Adleman 1.

Definition 3.2: A function f: A→B is injective if whenever x,y ∈ A are such that f(x) = f(y), then x
= y.

Definition 3.3: The image of a function f: A→B is the set Im(f) = {f(a) | a ∈ A}.

Definition 3.4: A function f: A→B is surjective if Im(f) = B.

Lemma 3.1: If A and B are finite sets which have the same number of elements and f: A→B is a
function, then the following are equivalent:
(i) f is injective.
(ii) f is surjective.
Proof: We prove only that if f is injective, then f is surjective, as this is the only direction needed
for Fermat’s little theorem. Suppose f: A→B is injective, and the number of elements in A = the
number of elements in B = n. Then A = {x_1, x_2, …, x_n}, with x_i ≠ x_j whenever i ≠ j. It follows
that f(x_i) ≠ f(x_j) when i ≠ j by the contrapositive of the definition of injective. So, the image of f,
the set {f(x_1), f(x_2), …, f(x_n)}, has exactly n distinct elements. Because these n distinct elements
lie in Im(f) ⊆ B and B has exactly n elements, it follows that Im(f) = B, and f is surjective by
Definition 3.4. □

Lemma 3.2: Suppose R is a commutative ring and r ∈ R, r ≠ 0, is a unit. If ra = rb for any a, b ∈ R,
then a = b.
Proof: Suppose ra = rb. Because r is a unit by assumption, there exists a multiplicative inverse of r
in R, denoted r^{-1}. Multiplying both sides of the equation by r^{-1}, it follows that
r^{-1}(ra) = (r^{-1}r)a = 1a = a (by the associative property and the definition of the inverse r^{-1}),
and likewise r^{-1}(rb) = (r^{-1}r)b = 1b = b.
Since ra = rb, the two left-hand sides are equal, so a = b. □

Theorem 3.2 Fermat’s Little Theorem: If p is a prime integer and a is an integer not divisible by p,
then a^{p-1} ≡ 1 (mod p).
Proof: Suppose p is a prime integer and a is an integer not divisible by p. It follows that [a]_p ≠ [0]_p.
ℤ_p is a field by Theorem 3.1, so [a]_p is a unit in ℤ_p by the definition of field. Consider the function
f: ℤ_p\{[0]_p} → ℤ_p\{[0]_p} defined by f([x]_p) = [a]_p[x]_p. If f([x]_p) = f([y]_p), then
[a]_p[x]_p = [a]_p[y]_p. Lemma 3.2 may be applied because [a]_p is a unit, so [x]_p = [y]_p. Hence, f is
injective by Definition 3.2.

Because f is injective and the domain and codomain, ℤ_p\{[0]_p}, both have p – 1 elements, f is
surjective by Lemma 3.1. By Definition 3.4, Im(f) = ℤ_p\{[0]_p} = {[1]_p, [2]_p, …, [p-1]_p} =
{[a]_p[1]_p, [a]_p[2]_p, …, [a]_p[p-1]_p}. Taking the product of the elements of Im(f) in both of these
descriptions, we have
[a]_p[1]_p ∙ [a]_p[2]_p ∙ … ∙ [a]_p[p-1]_p = [1]_p ∙ [2]_p ∙ … ∙ [p-1]_p,
and collecting the p – 1 copies of [a]_p on the left-hand side gives
([1]_p ∙ [2]_p ∙ … ∙ [p-1]_p) ∙ [a]_p^{p-1} = [1]_p ∙ [2]_p ∙ … ∙ [p-1]_p.
The product [1]_p ∙ [2]_p ∙ … ∙ [p-1]_p is a product of units and hence itself a unit, so by Lemma 3.2,
[a]_p^{p-1} = [1]_p, and a^{p-1} ≡ 1 (mod p). □

Lemma 3.3: If p and q are positive primes such that p ≠ q and a is an integer such that p | a and q | a,
then (pq) | a.
Proof: Suppose p, q > 0 are distinct primes and a is an integer such that p | a and q | a. It follows that
a = px for some x ∈ ℤ by the definition of divides. So, q | px by assumption. Then q | p or q | x, as q is
prime. Hence, p = q or x = qy for some y ∈ ℤ. Then q = p or a = pqy. So, q = p or (pq) | a. Because
q = p contradicts our assumption, we must have (pq) | a. □

Theorem 3.3: If p, q are distinct positive primes, de ≡ 1 (mod (p - 1)(q - 1)) and b is an integer, then
b^{de} ≡ b (mod pq).
Proof: Let x ≡ 1 (mod (p - 1)(q - 1)) for distinct positive primes p and q. Then x = 1 + (p - 1)(q - 1)z
for some z ∈ ℤ.

Consider congruence modulo p:
Case 1: Suppose p does not divide b. Then by Fermat’s little theorem,
b^x = b^{1+(p-1)(q-1)z} = b ∙ (b^{p-1})^{(q-1)z} ≡ b ∙ 1^{(q-1)z} ≡ b (mod p).
Case 2: If p | b, then [b]_p = [0]_p and [b^x]_p = [0]_p, so [b^x]_p = [b]_p.

Consider congruence modulo q:
Case 1: Suppose q does not divide b. Then by Fermat’s little theorem,
b^x = b^{1+(p-1)(q-1)z} = b ∙ (b^{q-1})^{(p-1)z} ≡ b ∙ 1^{(p-1)z} ≡ b (mod q).
Case 2: If q | b, then [b]_q = [0]_q and [b^x]_q = [0]_q, so [b^x]_q = [b]_q.

Altogether, we have p | b^x – b and q | b^x – b by the definition of congruence. Since p ≠ q and p, q
are positive primes, Lemma 3.3 gives pq | b^x – b. Letting x = de, we have b^{de} ≡ b (mod pq). □

In the RSA algorithm, the user first chooses two primes p and q and computes n = pq. The user then
chooses an exponent e that shares no common factors with, i.e. is coprime to, (p – 1)(q – 1). The values
n and e comprise the public key that is available to the masses for use during encryption. The variable
b represents the original message. The encrypted message takes the form y = b^e (mod n). The user
then computes d = e^{-1} (mod (p - 1)(q - 1)) using the Euclidean algorithm. The value d comprises the
private key, which may be found if the values of p and q are known. Hence, p and q are kept secret.
Finally, in the decryption phase, the holder of the private key computes y^d = b^{ed} ≡ b (mod n) (by
Theorem 3.3), recovering the original message b.

As explained in Section 2, the factoring problem is behind the security of RSA. The algorithm employs
what is known as a “trapdoor permutation”, a function that transforms a number into another number
within the same range easily using a public key.44 However, retrieving the original number is impossible
without knowledge of the private key. Public-key algorithms are easy one way and hard the other,
hence the name “trapdoor”. At a high level, RSA encryption involves the multiplication of large
numbers. Factoring n = p*q means finding the two large primes p and q, which gives d ≡ e^{-1} (mod
(p - 1)(q - 1)). In short, a quantum computer’s ability to factor n allows d, the private key, to be easily
found, rendering RSA obsolete. Algorithms 3.1 and 3.2 give the RSA encryption and decryption
phases in systematic form.

44 Aumasson 182.

Algorithm 3.1: RSA Key Establishment and Encryption

Input: plaintext b

1. Pick at random two primes, p and q.
2. Compute n = p*q.
3. Choose a value e such that 1 < e < (p - 1)(q - 1) and gcd(e, (p - 1)(q - 1)) = 1.
4. Publish the public key (e, n).
5. Compute d ≡ e^{-1} (mod (p - 1)(q - 1)), the private key.
6. To encrypt a message b, a user computes y = b^e (mod n), the encrypted message.

Output: ciphertext y

Algorithm 3.2: RSA Decryption

Input: private key d; ciphertext y = b^e (mod n)

1. Compute b = y^d (mod n) to recover the original message.

Output: plaintext message b

Example 3.1 RSA Encryption and Decryption with p = 3 and q = 11:

A party designated to hold the private key chooses two primes, p = 3 and q = 11, and computes
n = p*q = 3*11 = 33 and (p - 1)(q - 1) = 2*10 = 20. A value e is chosen such that 1 < e < 20 and e and
20 are coprime. In this example, e = 7 satisfies these requirements. The party then computes a value
for d such that d ≡ e^{-1} (mod 20). The value d = 3 works, as 3*7 = 21 ≡ 1 (mod 20). The public key,
which is available to anyone seeking to encrypt a message, is (e, n) = (7, 33). The private key, which
is kept secret by the party with decryption privileges, is d = 3. The encrypted message for plaintext
b = 2 is y = b^e (mod n) = 2^7 (mod 33) = 128 (mod 33) = 29. The decrypted message, available only
to the holders of the private key, is b = b^{ed} (mod n) = y^d (mod 33) = 29^3 (mod 33) = 24389 (mod 33)
= 2.

Example 3.1 illustrates how the RSA encryption scheme works in its simplest form. In practice, p and
q are much larger numbers, and standard RSA key sizes are 1024-bit, 2048-bit, or 4096-bit, making
n = p*q computationally difficult to factor and RSA secure under classical computing capabilities. 45
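The following is an added Python example (written for this page, not code from the thesis or from Rivest, Shamir and Adleman) that carries out Algorithms 3.1 and 3.2 in general, with the private exponent obtained from the extended Euclidean algorithm, and reproduces the numbers of Example 3.1 for p = 3, q = 11, e = 7. It deliberately implements only the bare textbook arithmetic the thesis describes; the padding schemes that real RSA deployments add on top of it are outside the example.

```python
# Added example (not the thesis's own code): textbook RSA exactly as in Algorithms 3.1
# and 3.2, run on the toy parameters of Example 3.1 (p = 3, q = 11, e = 7).
# Only the raw modular arithmetic is shown; deployed RSA wraps it in a padding scheme.
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, m):
    """The inverse of e modulo m, i.e. d with e*d ≡ 1 (mod m); requires gcd(e, m) = 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and m are not coprime, so no inverse exists")
    return x % m


def rsa_keygen(p, q, e):
    """Steps 2-5 of Algorithm 3.1: from primes p, q and exponent e derive (e, n) and d."""
    n = p * q
    phi = (p - 1) * (q - 1)            # modulus for the private exponent
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < (p-1)(q-1) and gcd(e, (p-1)(q-1)) = 1")
    d = modinv(e, phi)                 # private key; needs p and q, which stay secret
    return (e, n), d


def rsa_encrypt(public_key, b):
    """Step 6 of Algorithm 3.1: y = b^e mod n, computable by anyone holding (e, n)."""
    e, n = public_key
    return pow(b, e, n)


def rsa_decrypt(d, n, y):
    """Algorithm 3.2: b = y^d mod n, which equals b^(ed) ≡ b (mod n) by Theorem 3.3."""
    return pow(y, d, n)


def example_3_1():
    """Reproduces Example 3.1: returns (public key, d, ciphertext, recovered plaintext)."""
    public_key, d = rsa_keygen(3, 11, 7)
    y = rsa_encrypt(public_key, 2)
    return public_key, d, y, rsa_decrypt(d, public_key[1], y)


if __name__ == "__main__":
    print(example_3_1())  # ((7, 33), 3, 29, 2)
```

Because Theorem 3.3 holds for every integer b, decryption inverts encryption for all 33 residues modulo n, not only for b = 2; the same functions work unchanged for primes of realistic size, where the only step that becomes hard without p and q is the computation of d.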

3.1.2 The Mathematics of Shor’s Algorithm and the Breaking of RSA

Shor’s algorithm was a crowning mathematics and computer science achievement of the last century.
A simplified explanation of how Shor’s algorithm solves the factoring problem is given here. The
algorithm has both a quantum part and a classical part.

3.1.2.1 The Quantum Part

Shor’s algorithm depends partially on the following proposition and definition.

45 Martin 35.

Proposition 3.1: If a, n ∈ ℤ with gcd(a, n) = 1, then there exists an r ∈ ℕ so that [a]_n^r = [1]_n.
Proof: Suppose that a, n ∈ ℤ with gcd(a, n) = 1. Then 1 = ax + ny for some x, y ∈ ℤ. Then
ny = 1 – ax, so n | 1 – ax and [1]_n = [a]_n[x]_n, so [a]_n is a unit in ℤ_n. Consider the list
[a]_n^1, [a]_n^2, [a]_n^3, …, [a]_n^n, [a]_n^{n+1} of elements of ℤ_n. The set ℤ_n has n distinct
elements. Since ℤ_n has n elements and the list [a]_n^1, [a]_n^2, …, [a]_n^{n+1} has n + 1 elements,
there must be a repetition in this list. Hence, there exist some i, j ∈ ℕ such that 1 ≤ i < j ≤ n + 1 and
[a]_n^i = [a]_n^j. Because [a]_n is a unit, there exists an [a]_n^{-1} ∈ ℤ_n such that
[a]_n[a]_n^{-1} = [1]_n. Raising [a]_n^{-1} to the ith power gives [a]_n^{-i} ∈ ℤ_n, since ℤ_n is closed
under multiplication. Multiplying both sides of [a]_n^i = [a]_n^j by [a]_n^{-i} yields
[a]_n^{-i} ∙ [a]_n^i = [a]_n^{-i} ∙ [a]_n^j, so [1]_n = [a]_n^{j-i}. Taking r = j – i > 0, we have an r ∈ ℕ
such that [a]_n^r = [1]_n. □

Definition 3.5: The order of [a]_n in ℤ_n is the smallest positive integer r such that [a]_n^r = [1]_n.

The quantum part of Shor’s algorithm involves finding the order of a periodic function implicit in the
factoring problem. The ability of a quantum computer to find this order is due to the QFT gate
mentioned in Section 2, which allows for the detection of more types of periods than any classical
computer. In fact, Shor’s algorithm solves instances of a larger class of problems involving periodic
functions, known as hidden subgroup problems, of which both the factoring and discrete logarithm
problems are an example.

To factor a large number n = p*q, we first find the order of the function a^x (mod n), where the
variable n is the number we wish to factor, and the integer a is such that 1 < a < n and a is coprime
with n.46 Notice the similar mathematical structure to the RSA encryption algorithm. Recall that the
function a^x (mod n) returns the remainder when a^x is divided by n. As proven in Proposition 3.1, the
sequence of this function’s values eventually repeats itself, so there will be some r such that a^r ≡ 1
(mod n).47 We want to find the order, denoted r, which gives the number of values between repeated
function values. Obtaining this result allows for a post-processing shortcut in finding prime factors
which may run on either quantum or classical computers.

Quantum computing solves the periodicity of a^x (mod n) through a QFT. Specifically, qubits
representing the number a^x (mod n) are passed through a quantum Fourier transform gate and
output as magnitudes and relative phases.48 The qubits are then in a superposition of the input
frequencies. The result of a QFT gate is a graph49 that displays the probability P of observing value
c:

46 Johnson 235.
47 Shor 8.
48 Johnson 237.
49 Shor 18.

Figure 1: Shor’s QFT Output Example

This graph gives the magnitudes and relative phases of a function as detected by a QFT. For the
function a^x (mod n) with repeat period r, the graph that the QFT produces will have r evenly spaced
spikes.50 In the above image from Shor’s paper, r = 10. Finding the period r is only possible through
quantum mechanics; a classical computer cannot solve this problem within reasonable time. This
concludes the quantum part of Shor’s algorithm. Once a method of finding the order r is known, an
iterative classical algorithm can determine the prime factors p and q.

3.1.2.2 The Classical Part

With a quantum algorithm for finding the order of a periodic function established, an algorithm
possible on both quantum and classical computers performs mathematical manipulations that easily
find and check potential factors of n. Once a nontrivial factor of n is found, the prime factorization
of n = p*q may be derived and the private key of an RSA encryption scheme found. The fact that
Shor’s algorithm terminates is proven probabilistically.

Definition 3.6: A function f(x) is periodic if there is an r (the period), such that f(x + r) = f(x) for
any x.

Example 3.2 The Periodic Function Implicit in the Factoring Problem: The function f: ℤ → ℤ_n,
f(x) = [a]_n^x, where [a]_n ∈ ℤ_n is such that gcd(a, n) = 1, is periodic. A period of f is the order of
[a]_n from Definition 3.5. In fact, any multiple of the order is a period.

Shor’s algorithm to find a nontrivial factor of n is presented in Algorithm 3.3. Once the order of
[a]_n ∈ ℤ_n is found using the quantum part of Shor’s algorithm, the remaining steps may be performed
on a classical computer.

50 Johnson 242.

Algorithm 3.3: Shor’s Algorithm for Prime Factorization51

Input: n ∈ ℤ

1. Pick a ∈ ℤ at random such that gcd(a, n) = 1 and 1 < a < n.
2. Find r = the order of [a]_n (using the quantum part of Shor’s algorithm).
3. Case 1: r is odd.
   (i) The algorithm FAILS. Return to step 1 and choose another a.
   Case 2: r is even.
   (i) Compute g = gcd(n, a^{r/2} – 1) using the Euclidean algorithm.
       Case 2a: n > g > 1.
           The algorithm SUCCEEDS and terminates. A non-trivial factor of n, g, has been found.
       Case 2b: g = 1.
           The algorithm FAILS. Return to step 1 and choose another a.

Output: g, a nontrivial factor of n

Algorithm 3.3 takes as input an integer n to be factored. Shor’s algorithm begins by sampling an
integer a at random such that gcd(a, n) = 1. The Euclidean algorithm may be used to find greatest
common divisors in polynomial time. The quantum part of Shor’s algorithm as explained in the
previous section is then employed to find the order r of [a]_n. Once found, it follows that
[a]_n^r = [1]_n by the definition of order r, a^r ≡ 1 (mod n), and n | (a^r – 1).

If r is odd, the algorithm fails, as factoring (a^r – 1) into the form (a^{r/2} + 1)(a^{r/2} – 1) is
impossible because a^{r/2} is not an integer. The user returns to step 1 to pick another a.

If r is even, then n | (a^{r/2} – 1)(a^{r/2} + 1) with (a^{r/2} – 1), (a^{r/2} + 1) ∈ ℤ. Because r is the
smallest positive integer such that [a]_n^r = [1]_n, and r/2 < r, we have [a]_n^{r/2} ≠ [1]_n. Hence,
gcd(n, a^{r/2} – 1) ≠ n. If it is the case that n > g = gcd(n, a^{r/2} – 1) > 1, then n = g*k for some
k ∈ ℤ with g ≠ 1 and g ≠ n. So, a non-trivial factor of n, g, has been found. Shor’s algorithm succeeds
and terminates. If it is the case that g = gcd(n, a^{r/2} – 1) = 1, then n = g*k for some integer k.
However, g = 1 and k = n, so no non-trivial factor of n has been found. Notice that if
gcd(n, a^{r/2} – 1) = 1, then a^{r/2} + 1 must be divisible by n. This means that the algorithm fails if
a^{r/2} ≡ -1 (mod n), and the user returns to step 1 to sample another a. This process repeats until a
non-trivial factor of n is found, from which the prime factorization n = p*q may be derived.
Example 3.3 demonstrates the use of Shor’s algorithm with small numbers.

Example 3.3 Shor’s Algorithm: Consider the public key from Example 3.1, (e, n) = (7, 33). To
factor n = 33 using Shor’s algorithm, we sample at random an integer a coprime with n = 33 such
that 1 < a < 33.
• Pick a = 2. Then r, the order of [2]_33, is 10. Because r is even, we compute
  gcd(33, 2^{10/2} – 1) = gcd(33, 31) = 1. Shor’s algorithm fails for this choice of a.
• Pick a = 4. Then r = 5. Because r is odd, Shor’s algorithm also fails for this choice of a.
• Pick a = 5. Then r = 10. Because r is even, we compute gcd(33, 5^{10/2} – 1) = gcd(33, 3124) = 11.
  Shor’s algorithm succeeds and terminates, as a non-trivial factor of n, 11, has been found.
From the knowledge that q = 11, it may be deduced that p = 3. This compromises the security of
RSA, as the private key d ≡ e^{-1} (mod (p – 1)(q – 1)) may now be calculated with ease. Carrying out
this calculation yields 7d ≡ 1 (mod 20), which implies that 20 | (7d – 1). Therefore, d = 3, and the
private key of Example 3.1 has been found.

51 Shor 15.

In practice, Shor’s algorithm would factor much larger numbers than those in Example 3.1 and
Example 3.3, and finding the order of [a]n would be impractical without a cryptographically relevant
quantum computer. The time complexity of Shor’s algorithm is O(n^2 (log n)(log log n)), in polynomial
rather than exponential time.52 As a result, factoring a large n into two primes is no longer an infeasible
task and neither is breaking all public-key encryption in use today.

3.1.2.3 A Probabilistic Proof that Shor’s Algorithm for Prime Factorization Terminates

It may be shown that Shor’s algorithm outputs a non-trivial factor of n with a probability of at least
1 – 1/2^{k-1}, k being the number of distinct odd prime factors of n.53 As the number of iterations
increases, the probability of success approaches 1. The Chinese Remainder Theorem and the following
definitions and lemmas are used in the proof of this result.

Definition 3.7: A ring homomorphism T is an isomorphism, written ≅ between its domain and codomain, if T is bijective.

Theorem 3.4 The Chinese Remainder Theorem: If gcd(a, b) = 1, then ℤ_{ab} ≅ ℤ_a × ℤ_b. More generally,
the Chinese Remainder Theorem states that if b_1, …, b_k are such that gcd(b_i, b_j) = 1 for i ≠ j, then
ℤ_{b_1 b_2 ⋯ b_k} ≅ ℤ_{b_1} × ℤ_{b_2} × … × ℤ_{b_k}. Moreover, the ring isomorphism is given by
[a]_{b_1 ⋯ b_k} → ([a]_{b_1}, …, [a]_{b_k}).

Corollary 3.1: If n = ∏_{i=1}^{k} p_i^{α_i}, with primes p_i ≠ p_j for i ≠ j, then
ℤ_n ≅ ℤ_{p_1^{α_1}} × ℤ_{p_2^{α_2}} × … × ℤ_{p_k^{α_k}}.

Proof: Suppose n = ∏_{i=1}^{k} p_i^{α_i}, with primes p_i ≠ p_j for i ≠ j. Because
n = p_1^{α_1} p_2^{α_2} ⋯ p_k^{α_k} and gcd(p_i^{α_i}, p_j^{α_j}) = 1 for all i ≠ j, as powers of distinct
primes are coprime, the Chinese Remainder Theorem applies directly. By Theorem 3.4,
ℤ_n ≅ ℤ_{p_1^{α_1}} × ℤ_{p_2^{α_2}} × … × ℤ_{p_k^{α_k}}. □
This implies that [a]_n → ([a]_{p_1^{α_1}}, …, [a]_{p_k^{α_k}}) is a bijection by Definition 3.7.

Lemma 3.4: If a, s, t ∈ ℤ and gcd(a, s) = 1 = gcd(a, t), the order of [a]_s is |[a]_s| and the order of
[a]_t is |[a]_t|, then the order of ([a]_s, [a]_t) in ℤ_s × ℤ_t is |([a]_s, [a]_t)| = lcm(|[a]_s|, |[a]_t|).
More generally, if b_1, …, b_k ∈ ℤ and gcd(a, b_i) = 1 for all i, then
|([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})| = lcm(|[a]_{b_1}|, |[a]_{b_2}|, …, |[a]_{b_k}|).
Proof: Suppose that a ∈ ℤ, b_1, …, b_k ∈ ℤ, and gcd(a, b_i) = 1 for all i. Then by Proposition 3.1 there
exists an order r_i ∈ ℕ for each [a]_{b_i} such that [a]_{b_i}^{r_i} = [1]_{b_i}. Let w be the least common
multiple of these r_i, so that w = lcm(|[a]_{b_1}|, |[a]_{b_2}|, …, |[a]_{b_k}|). It follows that
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})^w = ([a]_{b_1}^w, [a]_{b_2}^w, …, [a]_{b_k}^w) = ([1]_{b_1}, [1]_{b_2}, …, [1]_{b_k}),
because any multiple m of the order r_i of [a]_{b_i} is such that [a]_{b_i}^m = [1]_{b_i}.

We now prove that w is the smallest positive integer such that
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})^w = ([1]_{b_1}, [1]_{b_2}, …, [1]_{b_k}). Suppose toward a contradiction
that there exists an l ∈ ℤ with 0 < l < w such that
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})^l = ([1]_{b_1}, [1]_{b_2}, …, [1]_{b_k}). Because 0 < l < w and w is the
least common multiple of |[a]_{b_1}|, |[a]_{b_2}|, …, |[a]_{b_k}|, l is not a common multiple of
|[a]_{b_1}|, |[a]_{b_2}|, …, |[a]_{b_k}|. Hence, there exists a b_i such that |[a]_{b_i}| does not divide l.
This means that [a]_{b_i}^l ≠ [1]_{b_i}, as only |[a]_{b_i}| or a multiple of this order can satisfy this
condition, and l is neither. It follows that
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})^l = ([1]_{b_1}, [1]_{b_2}, …, [1]_{b_k}) is not possible. This contradicts
our assumption. Therefore, there is no such l, and w is the smallest positive integer such that
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})^w = ([1]_{b_1}, [1]_{b_2}, …, [1]_{b_k}). Then w is the order of
([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k}) by Definition 3.5, and
|([a]_{b_1}, [a]_{b_2}, …, [a]_{b_k})| = lcm(|[a]_{b_1}|, |[a]_{b_2}|, …, |[a]_{b_k}|). □

52 Shor 11.
53 Shor 16.

Definition 3.8: The totient function φ is defined as φ(n) = #{a ∈ ℤ | 0 < a < n, gcd(n, a) = 1}.

Lemma 3.5: Let φ(p_i^{α_i}) = #{a ∈ ℤ | 0 < a < p_i^{α_i}, gcd(p_i^{α_i}, a) = 1}. Then for each non-negative
divisor d of φ(p_i^{α_i}), there is a unique a ∈ ℤ, as defined above, such that |a| = d. In other words,
there is a bijection between the divisors d of φ(p_i^{α_i}) and integers a such that 0 < a < p_i^{α_i},
gcd(p_i^{α_i}, a) = 1, and |a| = d.

Theorem 3.5: Suppose n = ∏_{i=1}^{k} p_i^{α_i} is the prime factorization of n, where k is the number of
distinct odd prime factors of n and p_i ≠ p_j when i ≠ j for i, j ∈ ℕ. Then:
(i) The probability of success for the algorithm for some a chosen randomly is at least
1 – 1/2^{k-1}.
(ii) The probability of failure for one a is less than or equal to 1/2^{k-1}.
(iii) The probability of failure for t different a’s is less than or equal to (1/2^{k-1})^t = 1/2^{(k-1)t}.
(iv) The probability of success for t different a’s is at least 1 – 1/2^{(k-1)t} ≈ 1 for t ≫ 0.54
Proof:
(i) Suppose n = ∏_{i=1}^{k} p_i^{α_i} is the prime factorization of n, where k is the number of distinct
odd prime factors of n and p_i ≠ p_j when i ≠ j for i, j ∈ ℕ. Let r_i = |[a]_{p_i^{α_i}}|. Then r = |[a]_n|
is the least common multiple of all these r_i by Lemma 3.4. Consider the value
l = max{t ∈ ℤ | t ≥ 0, 2^t divides r}, the exponent of the largest power of 2 that divides r. Let l_i be
the exponent of the highest power of 2 dividing each r_i. Recall that Shor’s algorithm fails if r is odd
or if a^{r/2} ≡ -1 (mod n). This occurs when the l_i agree for all i. If r is odd, then l_i = 0 for each i.
If a^{r/2} ≡ -1 (mod n), then all these l_i = l. To justify this claim, suppose toward a contradiction that
a^{r/2} ≡ -1 (mod n), but there exists an i such that l_i < l. If a^{r/2} ≡ -1 (mod n), then by the
Chinese Remainder Theorem, a^{r/2} ≡ -1 (mod p_i^{α_i}) holds for all i. However, if there exists an
l_i < l, then r_i | r/2 and a^{r/2} ≡ 1 (mod p_i^{α_i}). Hence, a^{r/2} ≢ -1 (mod p_i^{α_i}) for that i, as
p_i is odd. This is a contradiction; therefore, if a^{r/2} ≡ -1 (mod n), then all the l_i agree and are
equal to l.

As stated above, the probability of failure for Shor’s algorithm is the probability that these l_i agree
for all i. By Corollary 3.1, choosing an [a]_n at random is the same as choosing a number
[a]_{p_i^{α_i}} independently for each i. Here p_i^{α_i} is the ith prime power factor of n. The probability
of picking an [a]_{p_i^{α_i}} such that any particular l_i is the exponent of the largest power of 2
dividing the order r_i is 1/2. This result is justified as follows. The multiplicative group of units in
ℤ_{p_i^{α_i}} is cyclic, meaning that there exists a [g]_{p_i^{α_i}} ∈ ℤ_{p_i^{α_i}} so that any unit
[a]_{p_i^{α_i}} ∈ ℤ_{p_i^{α_i}} can be written as [a]_{p_i^{α_i}} = [g]_{p_i^{α_i}}^h for some
0 ≤ h ≤ φ(p_i^{α_i}). Let 2^{m_i} be the largest power of 2 dividing φ(p_i^{α_i}), and let r_i be the order
|a (mod p_i^{α_i})|. Recall by Lemma 3.5 that r_i | φ(p_i^{α_i}), so 2^{m_i} is the highest possible power of
2 that may divide r_i. We now consider two cases. If h is odd, then g^{h r_i} ≡ 1 (mod p_i^{α_i}). This
means φ(p_i^{α_i}) | h r_i. Because h is odd, we must have 2^{m_i} | r_i. If h is even, then
g^{h φ(p_i^{α_i})/2} ≡ (g^{φ(p_i^{α_i})})^{h/2} ≡ 1^{h/2} ≡ 1 (mod p_i^{α_i}).
This means that r_i | φ(p_i^{α_i})/2; hence, because 2^{m_i} is the highest power of 2 dividing φ(p_i^{α_i}),
2^{m_i} does not divide r_i. We conclude that 2^{m_i} | r_i exactly when [a]_{p_i^{α_i}} = [g]_{p_i^{α_i}}^h
for some odd h, and that for a random choice of 0 ≤ h ≤ φ(p_i^{α_i}), the probability that h is odd is ½.
Given these cases, there is a probability of ½ that 2^{m_i} | r_i. Therefore, there is a probability of ½
that a particular l_i is the exponent of the largest power of 2 dividing the order r_i.55

By this result, the probability that these l_i agree for all i is at most 1 ∙ (1/2)^{k-1} = 1/2^{k-1}, where
k is the number of distinct odd prime factors of n. (The value of l_1 may be arbitrary, but the other
l_i must agree with l_1, which is why ½ is raised to the power k – 1.) So, the probability of failure for
the chosen a is less than or equal to 1/2^{k-1}. Therefore, Shor’s algorithm succeeds for some a chosen
randomly with a probability of at least 1 – 1/2^{k-1}.

(ii) The probability of failure for one a is less than or equal to 1/2^{k-1} from (i).

(iii) Suppose t is the number of a’s sampled. The probability of failure for one a is less than or equal
to 1/2^{k-1}, so the probability of failure for t different a’s is less than or equal to
(1/2^{k-1})^t = 1/2^{(k-1)t}.

(iv) Suppose t is the number of a’s sampled. As t becomes arbitrarily large, the probability that
Shor’s algorithm succeeds, 1 – 1/2^{(k-1)t}, approaches 1. Therefore, the probability of success for t
different a’s is at least 1 – 1/2^{(k-1)t} ≈ 1 for t ≫ 0. □

54 Ibid.

By Theorem 3.5, Shor’s algorithm for prime factorization terminates.
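To make Example 3.3 and the bound of Theorem 3.5 concrete, the following is an added Python example (written for this page; it is not code from the thesis or from Shor’s paper). It implements the classical part of Algorithm 3.3 with the quantum order-finding step replaced by a brute-force search, which only works for toy moduli and is precisely the step that a cryptographically relevant quantum computer would supply. It reproduces the three choices of a from Example 3.3 and recovers d = 3, and then, going beyond the single example in the text, enumerates every admissible a for n = 33 (k = 2) and n = 105 (k = 3) to compare the observed failure rate with 1/2^{k-1}.

```python
# Added example (not the thesis's own code): the classical part of Shor's algorithm
# (Algorithm 3.3) with the quantum order-finding step replaced by brute force, which
# is fine for toy n but is exactly the step that is infeasible classically at RSA sizes.
# It reproduces Example 3.3 and then checks the failure bound of Theorem 3.5 by
# exhaustive enumeration of every admissible a for small n.
from fractions import Fraction
from math import gcd


def multiplicative_order(a, n):
    """Smallest r >= 1 with a^r ≡ 1 (mod n); stands in for the quantum part."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime with n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical_part(a, n):
    """Steps 2 onward of Algorithm 3.3 for one fixed a.

    Returns a nontrivial factor g of n, or None when the run FAILS
    (r odd, or a^(r/2) ≡ -1 (mod n) so that gcd(n, a^(r/2) - 1) = 1).
    """
    r = multiplicative_order(a, n)
    if r % 2 == 1:
        return None
    g = gcd(n, pow(a, r // 2, n) - 1)
    return g if 1 < g < n else None


def example_3_3(n=33, candidates=(2, 4, 5)):
    """Runs the three choices of a from Example 3.3; returns {a: factor or None}."""
    return {a: shor_classical_part(a, n) for a in candidates}


def recover_private_exponent(e, n, factor):
    """Given one factor of n = p*q, derive p, q and d = e^-1 mod (p-1)(q-1)."""
    p, q = factor, n // factor
    return pow(e, -1, (p - 1) * (q - 1))       # modular inverse (Python 3.8+)


def failure_fraction(n):
    """Fraction of admissible a (1 < a < n, gcd(a, n) = 1) for which Algorithm 3.3 fails.

    Theorem 3.5 bounds this by 1/2^(k-1), k = number of distinct odd prime factors.
    """
    admissible = [a for a in range(2, n) if gcd(a, n) == 1]
    failures = sum(1 for a in admissible if shor_classical_part(a, n) is None)
    return Fraction(failures, len(admissible))


def theorem_3_5_bound(n):
    """1/2^(k-1), k = number of distinct odd prime factors of n (by trial division)."""
    k, m, p = 0, n, 3
    while m % 2 == 0:
        m //= 2
    while p * p <= m:
        if m % p == 0:
            k += 1
            while m % p == 0:
                m //= p
        p += 2
    if m > 1:
        k += 1
    if k == 0:
        raise ValueError("n must have an odd prime factor")
    return Fraction(1, 2 ** (k - 1))


if __name__ == "__main__":
    print(example_3_3())                        # {2: None, 4: None, 5: 11}
    print(recover_private_exponent(7, 33, 11))  # 3
    for n in (33, 105):
        print(n, failure_fraction(n), "<=", theorem_3_5_bound(n))
```

For n = 33 the enumeration finds 9 failing choices among the 19 admissible a (just under the bound of 1/2), and for n = 105 it finds 5 among 47 (well under 1/4); the bound of Theorem 3.5 is tight for n = 33 because the failing a are exactly those whose order has the same power of 2 modulo 3 and modulo 11.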

3.2 The U.S. Intelligence Community’s Response

Shor’s discovery as detailed in the previous section turned a theoretical interest into a national security
concern, sparking a response on the part of the American Intelligence Community. The following
sections describe the NSA and NIST’s quantum-resistant algorithm standardization efforts and the
directives outlined in NSM-10 that mobilized whole-government initiatives for the development of
QIS and protection against quantum threats to current cryptography. The unique challenges
associated with a cryptosystem migration of this scale are also discussed. As directed in NSM-10, the
U.S. government aims to complete the algorithm transition process for national security systems and
critical infrastructures by 2035, the low estimate of when a cryptographically relevant quantum
computer may come on the scene.56

55 Nielson M.A., I. L. Chuang, Appendix A4.3.
56 NSM-10.

3.2.1 Algorithm Standardization

Progress in the field of quantum information science led the National Security Agency (NSA) to
officially call for a transition to quantum-resistant cryptographic algorithms in 2015. 57 After the
agency’s initiation of this challenge, it has relied on the National Institute of Standards and
Technology (NIST) to select and standardize these algorithms. At present, NIST has selected the first
round of algorithms, and the NSA has published its Commercial National Security Algorithm Suite
(CNSA) 2.0, which updated the approved list of cryptographic algorithms for use in national security
systems (NSS) to include only quantum-resistant standards. NIST is expected to publish its new
standard, which will include software implementation protocols, as early as 2024. 58

3.2.1.1 NIST’s Quantum-Resistant Algorithm Selection Process

Following NSA’s call for transition in 2015, NIST began the process to “solicit, evaluate, and
standardize” quantum-resistant public-key cryptographic algorithms.59 From 2015 to 2022, NIST held
three rounds of competition for quantum-resistant algorithms, with finalists advancing to the next
round of evaluation. In July of 2022, NIST selected its first quantum-resistant algorithms to be
standardized, which were reported to NSA for inclusion in CNSA 2.0. The overall standardization
project involves both approving commercial algorithm designs and standardizing software
implementations. Standardization of additional quantum-resistant algorithms continues until the
transition process completes. The timeline for soliciting and selecting these algorithms is listed in the
Appendix.

3.2.1.2 The First Set of Algorithms Selected for Standardization and CNSA 2.0

The rounds of competition for workable quantum-resistant algorithms resulted in the selection of the
algorithms in Table 1. All candidate algorithms were required to have a security strength at least
equivalent, in the absence of quantum computing, to that of the quantum-vulnerable algorithm being
replaced.

Table 1: Quantum-Resistant Algorithms to be Standardized

NIST evaluated the algorithms of Table 1 in three areas: security, cost and performance, and
algorithm and implementation characteristics.60 In terms of security, the selected algorithms must be
computationally hard to break and span a variety of algorithm families for long-term security. NIST

57 The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ, NSA.
58 NSM-10.
59 “Post Quantum Cryptography Standardization”, NIST.
60 Status Report on the Third Round 5, NIST.

seeks a diversity of practically efficient algorithms to decrease the likelihood that a single
cryptanalytic break will affect all standardized algorithms.61 The selected algorithms include code-based,
lattice-based, and multivariate families. For example, CRYSTALS-KYBER and CRYSTALS-Dilithium are
based on the learning with errors problem, which is closely related to lattice-based cryptography.62 The
Kyber cryptographic algorithm is explored at length in the next subsection.

In terms of cost and performance, the primary concerns are the “computational efficiency of key
generation and public/private key operations, transmission costs for public keys and signatures or
ciphertexts, and implementation in terms of RAM”.63 The algorithm and implementation
characteristics criterion evaluated the algorithms for flexibility, simplicity, and how efficiently they
are adopted in a variety of cryptosystems.64 The algorithms of Table 1 will be standardized for
commercial use. Of the public-key algorithms displayed in Table 1, the NSA selected CRYSTALS-
KYBER and CRYSTALS-Dilithium for inclusion in CNSA 2.0 due to their ease of implementation
over the others. These are the public-key algorithms that completely replace RSA, Diffie-Hellman,
and elliptic curve cryptography from CNSA 1.0. (See the Appendix for a comparison of CNSA 1.0
and CNSA 2.0.) As discussed in the theoretical framework, symmetric key algorithms are not as badly
broken by quantum computing as asymmetric algorithms, requiring only increased key length.
Therefore, NSA has carried over the symmetric algorithms, Advanced Encryption Standard and
Secure Hash Algorithm, from CNSA 1.0 to CNSA 2.0 while only modifying accepted key lengths. The
NSA is currently waiting for implementation standards for these algorithms to become available, but
announcing these selections allows vendors and NSS managers to begin building toward these
requirements.

3.2.2 The Mathematics Behind the Kyber Quantum-Resistant Algorithm

The Kyber algorithm is a quantum-resistant public-key encryption scheme based on the learning with
errors (LWE) problem. CRYSTALS-KYBER employs this algorithm, and the mathematical
description exemplifies a direction that cryptography will take in the post-quantum world. The general
LWE-based encryption scheme is discussed before the specifics of Kyber.

3.2.2.1 The Plain LWE Encryption Scheme

The learning with errors (LWE) problem is a computationally hard problem that a quantum computer
is unable to solve in polynomial time. Example 3.4 gives an instance of the LWE problem.

Example 3.4 The Learning With Errors Problem: Let ℤ_q be the ring of integers modulo q. Consider
the linear equation system A·s = b, where A ∈ ℤ_q^{n×m}, s ∈ ℤ_q^m, and b ∈ ℤ_q^n.65 Here, n and m are the
matrix dimensions: n is the number of rows and m the number of columns. For example,

61 Status Report on the Third Round 7, NIST.
62 Status Report on the Third Round 46, NIST.
63 Status Report on the Third Round 7, NIST.
64 Status Report on the Third Round 16, NIST.
65 “A Mathematical Perspective on Post-Quantum Cryptography” 4.

A = \begin{pmatrix} 1 & 2 & 9 & 4 \\ \vdots & \vdots & \vdots & \vdots \\ 6 & 4 & 3 & 8 \end{pmatrix}, \qquad b = \begin{pmatrix} 11 \\ \vdots \\ 6 \end{pmatrix}

in equation form gives

1·s_1 + 2·s_2 + 9·s_3 + 4·s_4 = 11
⋮
6·s_1 + 4·s_2 + 3·s_3 + 8·s_4 = 6.

Adding even small error values e ∈ ℤ_q^n to the equation system yields A·s + e = b. With the
addition of these errors, solving the equation system for s becomes computationally hard.66

As illustrated in Example 3.4, the LWE problem takes the form A·s + e = b, where A ∈ ℤ_q^{n×m}, s ∈
ℤ_q^m, and e ∈ ℤ_q^n.67 The values A and b form the public key, and s and e are kept secret. The
entries of s and e are small and chosen from an error distribution. The hardness of the LWE problem
rests on the difficulty of finding s or e from A and b alone.68

The following description of the LWE encryption phase encrypts only a single-bit message, but the
encryption steps may be repeated n times in parallel to encrypt a bitstring of length n.69 To begin the
encryption phase, values r ∈ ℤ_q^n, e_1 ∈ ℤ_q^m, and e_2 ∈ ℤ_q are randomly sampled to construct the
system of equations
u = A^T·r + e_1 ∈ ℤ_q^m
v = b^T·r + e_2 ∈ ℤ_q.

It is hard to calculate e_1, e_2, r, or s from the values (A, b, u, v). A consequence of the decisional LWE
problem, which links LWE to computational lattice problems, is that it is also difficult to detect a
difference μ between (u, v) and (u, v’) for an arbitrary v, with v’ = v + μ = b^T·r + e_2 + μ. The LWE
encryption scheme makes use of this fact: the encrypted message is embedded in this value μ. In other
words, the single-bit message one wishes to send is the difference v’ – v = μ. For example, when the
message is 0, one party transmits v’ = v (so that μ = 0). If the message is 1, the party transmits
v’ = v + q/2 (so that μ = q/2). If q is odd, the value q/2 is rounded to the nearest integer. The
value q/2 corresponds to 1 because the modified remainder is taken to be the unique integer r such
that v’ = qk + r with -q/2 < r ≤ q/2. Hence, q/2 is the greatest modified remainder in ℤ_q and
therefore represents the value 1. The result of the LWE encryption phase is the ciphertext (u, v’),
which is transmitted to the holder of the private key s.70

In the decryption phase, assume that (u, v’) has been sent to a recipient who knows s. The
recipient calculates s^T·u = s^T·(A^T·r + e_1). Because e, e_1, and e_2 are small errors, we have s^T·u ≈
s^T·A^T·r and v = b^T·r + e_2 ≈ b^T·r = (A·s + e)^T·r ≈ (A·s)^T·r = s^T·A^T·r. Therefore, s^T·u ≈ v. The
final step in the decryption phase is calculating v’ – s^T·u ≈ v’ – v, which equals μ when rounded to the
nearest multiple of q/2. If this difference is closer to 0 (mod q), then the original message was 0; if this

66 Ibid.
67 “A Mathematical Perspective on Post-Quantum Cryptography” 6.
68 Regev 8.
69 “A Mathematical Perspective on Post-Quantum Cryptography” 7.
70 Regev 8.

difference is closer to q/2 (mod q), then the original message was 1. Hence, the original message may
be deduced from (u,v’) and the private key s.71

Algorithms 3.4 and 3.5 give the Plain LWE encryption and decryption phases in systematic form.

Algorithm 3.4: Plain LWE Encryption Phase72

Input: single-bit message μ ∈ {0, q/2}
1. Randomly sample values r ∈ ℤ_q^n, e_1 ∈ ℤ_q^m, and e_2 ∈ ℤ_q.
2. Construct u = A^T·r + e_1 ∈ ℤ_q^m.
3. Construct v’ = b^T·r + e_2 + μ ∈ ℤ_q.
Output: ciphertext (u, v’)

Algorithm 3.5: Plain LWE Decryption Phase

Input: ciphertext (u, v’), private key s
1. Calculate v’ – s^T·u.
2. Round the result from step 1 to the nearest multiple of q/2 to obtain μ.
Output: original single-bit message μ

As mentioned previously, the Plain LWE encryption and decryption phases may be iterated to extend
the encryption scheme to longer bitstrings.
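Algorithms 3.4 and 3.5 carried out in code, as an added worked example (not from the thesis or its sources): a toy Python Plain LWE scheme with constructed parameters q = 97, n = 8, m = 4 and small values drawn from {-1, 0, 1}. The text leaves the distribution of r unspecified; here r, like s, e, e_1 and e_2, is drawn small, which is the assumption that keeps the noise e^T·r + e_2 – s^T·e_1 below q/4 so that rounding recovers μ every time.

```python
"""Toy Plain LWE encryption and decryption (Algorithms 3.4 and 3.5).

Added worked example, not code from the thesis or its sources.  The
parameters are constructed and far too small for any security; they are
chosen so that the arithmetic is visible and the noise stays below q/4, so
decryption never fails.  Names follow the text: public key (A, b), secret s,
errors e, e_1, e_2, randomness r, message bit encoded as mu in {0, q/2}.
"""
import random

q = 97                  # odd modulus; q/2 is rounded to 49 as the text describes
n = 8                   # rows of A (number of LWE equations)
m = 4                   # columns of A (length of the secret s)
ERR_BOUND = 1           # "small" values are drawn from {-1, 0, 1} (assumption)
HALF_Q = (q + 1) // 2   # q/2 rounded to the nearest integer (49)


def small(count, rng):
    """count small values from the (constructed) error distribution."""
    return [rng.randint(-ERR_BOUND, ERR_BOUND) for _ in range(count)]


def dot(a, b):
    """a^T * b over Z_q."""
    return sum(x * y for x, y in zip(a, b)) % q


def mat_vec(M, v):
    """M * v over Z_q; M is a list of rows."""
    return [dot(row, v) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def keygen(rng):
    """Public key (A, b) with b = A*s + e; private key s."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = small(m, rng)
    e = small(n, rng)
    b = [(x + y) % q for x, y in zip(mat_vec(A, s), e)]
    return (A, b), s


def encrypt_bit(pk, bit, rng):
    """Algorithm 3.4: one message bit -> ciphertext (u, v')."""
    A, b = pk
    mu = HALF_Q if bit else 0          # message embedded as mu in {0, q/2}
    r = small(n, rng)                  # step 1: sample r, e_1, e_2
    e1 = small(m, rng)                 # (r is drawn small here; with a uniform
    e2 = small(1, rng)[0]              #  r the term e^T r would swamp mu)
    u = [(x + y) % q for x, y in zip(mat_vec(transpose(A), r), e1)]  # step 2
    v_prime = (dot(b, r) + e2 + mu) % q                                # step 3
    return u, v_prime


def centered(x):
    """Modified remainder of x in (-q/2, q/2], as in the text."""
    x %= q
    return x - q if x > q // 2 else x


def decrypt_bit(sk, ct):
    """Algorithm 3.5: v' - s^T u, then round to the nearest multiple of q/2."""
    u, v_prime = ct
    d = centered(v_prime - dot(sk, u))
    # d = e^T r + e_2 - s^T e_1 + mu: near 0 for bit 0, near +-q/2 for bit 1.
    return 1 if abs(d) > q / 4 else 0


def encrypt_bits(pk, bits, rng):
    """Parallel repetition: one (u, v') per message bit."""
    return [encrypt_bit(pk, bit, rng) for bit in bits]


def decrypt_bits(sk, cts):
    return [decrypt_bit(sk, ct) for ct in cts]


def roundtrip(bits, seed=0):
    """Key generation, encryption and decryption of a whole bitstring."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt_bits(sk, encrypt_bits(pk, bits, rng))


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    print(roundtrip(message) == message)
```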

3.2.2.2 Kyber

The Kyber algorithm is a public-key encryption algorithm based on a variant of this LWE encryption
scheme known as Module-LWE. In Module-LWE, elements of the polynomial ring R_q = ℤ_q[x]/(x^n + 1),
for n, q ∈ ℕ, replace the scalars of the Plain LWE encryption scheme detailed in the previous
section. Calculations take place in the underlying ring R_q, whose elements are polynomials of degree
at most n – 1 with coefficients in ℤ_q. The following definitions and propositions support the Kyber
algorithm. Definitions 3.9 and 3.10 and Proposition 3.2 describe congruence classes mod f(x), while
Definition 3.11 and Proposition 3.3 establish R_q as a quotient ring.

Definition 3.9: If a(x) and b(x) are in ℤ_p[x], then a(x) ≡ b(x) (mod f(x)) if f(x) | (a(x) – b(x)).

Proposition 3.2: The operator ≡ is an equivalence relation.


Proof:
• Reflexive property: Let a(x) ∈ ℤ_p[x]. It follows that a(x) – a(x) = 0 by the additive inverse
property of rings, and f(x) | (a(x) – a(x)) means f(x) | 0. This is true, as

71 Ibid.
72 “A Mathematical Perspective on Post-Quantum Cryptography” 6.

every polynomial divides the zero polynomial. Therefore, a(x) ≡ a(x) (mod f(x)) by definition
of congruence modulo f(x), and the reflexive property holds.
• Symmetric property: Suppose a(x), b(x) ∈ ℤ_p[x] with a(x) ≡ b(x) (mod f(x)), so that f(x) | (a(x) – b(x)).
It follows that a(x) – b(x) = f(x)·h(x) for some h(x) ∈ ℤ_p[x]. We have b(x) – a(x) = -(a(x) – b(x)),
so b(x) – a(x) = -(f(x)·h(x)) = f(x)·(-h(x)). By definition of polynomial divisibility, f(x) | (b(x) – a(x)),
and b(x) ≡ a(x) (mod f(x)) by definition of congruence modulo f(x). Therefore, a(x) ≡ b(x) (mod f(x))
implies b(x) ≡ a(x) (mod f(x)), and the symmetric property holds.
• Transitive property: Suppose a(x) ≡ b(x) (mod f(x)) and b(x) ≡ c(x) (mod f(x)) with a(x), b(x), c(x) ∈ ℤ_p[x].
It follows that f(x) | (a(x) – b(x)) and f(x) | (b(x) – c(x)), so a(x) – b(x) = f(x)h(x) for some
h(x) ∈ ℤ_p[x] and b(x) – c(x) = f(x)g(x) for some g(x) ∈ ℤ_p[x]. Substituting b(x) = f(x)g(x) + c(x) yields
  - a(x) – (f(x)g(x) + c(x)) = f(x)h(x)
  - a(x) – f(x)g(x) – c(x) = f(x)h(x)
  - a(x) – c(x) = f(x)h(x) + f(x)g(x) = f(x)(h(x) + g(x)) = f(x)((h + g)(x)).
  Hence, f(x) | (a(x) – c(x)) by definition of polynomial divisibility, and a(x) ≡ c(x) (mod f(x)) by
  definition of congruence modulo f(x). The transitive property holds.
• Because ≡ satisfies the reflexive, symmetric, and transitive properties in ℤ_p[x], ≡ is an
equivalence relation. □

Definition 3.10: The congruence class of a(x) (mod f(x)) is [a(x)]_{f(x)} = {b(x) | a(x) ≡ b(x) (mod f(x))}.

Definition 3.11: The set ℤ_p[x]/(f(x)) := {[a(x)]_{f(x)} | a(x) ∈ ℤ_p[x]} with the operations
[a(x)] + [b(x)] = [a(x) + b(x)] and [a(x)]·[b(x)] = [a(x)·b(x)], where [a(x)] + [b(x)], [a(x)]·[b(x)] ∈
ℤ_p[x]/(f(x)) and a(x) + b(x), a(x)·b(x) ∈ ℤ_p[x], is called a quotient ring.

Proposition 3.3: If a(x) ≡ a’(x) (mod f(x)) and b(x) ≡ b’(x) (mod f(x)), then [a(x) + b(x)] = [a’(x) + b’(x)]
and [a(x)·b(x)] = [a’(x)·b’(x)].
Proof: Suppose a(x) ≡ a’(x) (mod f(x)) and b(x) ≡ b’(x) (mod f(x)). We first show that congruences
can be added. By supposition, f(x) | a(x) – a’(x) and f(x) | b(x) – b’(x), so f(x) divides the sum of
a(x) – a’(x) and b(x) – b’(x). Because f(x) | ((a(x) + b(x)) – (a’(x) + b’(x))), we have a(x) + b(x) ≡
a’(x) + b’(x) (mod f(x)) by definition of congruence modulo f(x).

We now show that the congruence classes [a(x) + b(x)] and [a’(x) + b’(x)] must be equal. Consider the
contrapositive: [a(x) + b(x)]_{f(x)} ∩ [a’(x) + b’(x)]_{f(x)} = ∅ if and only if a(x) + b(x) ≢ a’(x) + b’(x)
(mod f(x)).

Claim: If [a(x) + b(x)] ∩ [a’(x) + b’(x)] = ∅, then a(x) + b(x) ≢ a’(x) + b’(x) (mod f(x)).
Proof: Suppose [a(x) + b(x)] ∩ [a’(x) + b’(x)] = ∅. Then a(x) + b(x) ∈ [a(x) + b(x)]_{f(x)} is not an
element of [a’(x) + b’(x)]_{f(x)}, so a(x) + b(x) ≢ a’(x) + b’(x) (mod f(x)) by definition of congruence
class. Taking the contrapositive of the claim, which has the same truth value, it follows that
a(x) + b(x) ≡ a’(x) + b’(x) (mod f(x)) implies [a(x) + b(x)] = [a’(x) + b’(x)].

Claim: If a(x) ≡ a’(x) (mod f(x)) and b(x) ≡ b’(x) (mod f(x)), then [a(x)b(x)] = [a’(x)b’(x)].
Proof: Suppose a(x) ≡ a’(x) (mod f(x)) and b(x) ≡ b’(x) (mod f(x)). Then f(x) | a(x) – a’(x) and
f(x) | b(x) – b’(x). So, f(x) | (a(x) – a’(x))b(x) and f(x) | (b(x) – b’(x))a’(x). It follows that f(x) also
divides the linear combination
(a(x) – a’(x))b(x) + (b(x) – b’(x))a’(x) = a(x)b(x) – a’(x)b(x) + b(x)a’(x) – b’(x)a’(x) = a(x)b(x) – a’(x)b’(x).
So, we have f(x) | a(x)b(x) – a’(x)b’(x), and a(x)b(x) ≡ a’(x)b’(x) (mod f(x)). By the previous claim,
it follows that [a(x)b(x)]_{f(x)} = [a’(x)b’(x)]_{f(x)}. □

By Definition 3.11 and Proposition 3.3, R_q, the underlying structure in which calculations for the
Kyber algorithm take place, is a quotient ring. The corresponding module is R_q^k with rank k ∈ ℕ.73

The Kyber algorithm encrypts a plaintext message, which takes the form of a ring element in R_q. To
convert a bitstring message m ∈ {0,1}^256 to polynomial form, the toRing function is employed. In the
Kyber decryption phase, the fromRing function converts a polynomial back to the original bitstring
message. These functions are defined as follows. If q is odd, then the value q/2 is rounded to the
nearest integer.74

Definition 3.12: The function toRing: {0,1}^n → ℤ_q[x]/(x^n + 1) is defined as

\mathrm{toRing}\begin{pmatrix} a_1 \\ \vdots \\ a_n \end{pmatrix} = \sum_{i=1}^{n} b_i x^{i-1} \quad \text{with } b_i = \begin{cases} 0 & \text{if } a_i = 0 \\ q/2 & \text{if } a_i = 1. \end{cases}

Definition 3.13: The fromRing function is the inverse function of toRing, so that fromRing = toRing^{-1}.

Example 3.5 The toRing Function: The following demonstrates the toRing function, which converts
a bitstring to polynomial form:

\mathrm{toRing}\begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix} = q/2 + 0 \cdot x + (q/2)\, x^2.75

To carry out the reverse, converting a polynomial to a bitstring, the fromRing function is employed
through “coefficient-wise division by q/2 and subsequent rounding”.76

Proposition 3.4: The function toRing of Definition 3.12 is injective.

Proof: Suppose that a and b are bitstrings of length n such that toRing(a) = toRing(b). Then the two
polynomials have the same coefficient of x^{i-1} for every i, and because that coefficient is 0 exactly
when the i-th bit is 0 and q/2 exactly when it is 1 (with q/2 ≠ 0 in ℤ_q), a_1 = b_1, a_2 = b_2, a_3 = b_3,

73 “A Mathematical Perspective on Post-Quantum Cryptography” 8.
74 “A Mathematical Perspective on Post-Quantum Cryptography” 7.
75 Ibid.
76 Ibid.

and so on. Hence, a = b, as their entries are equal. Therefore, toRing is injective by definition
of injectivity. □

By Proposition 3.4, for every element m* of the image of toRing, there is a unique element m in the
domain so that m* = toRing(m). While toRing is not surjective, we can define a partial inverse
function fromRing from the image of toRing to the domain of toRing that is specified as fromRing(m*)
= m where m is the unique element such that m* = toRing(m).

The Kyber algorithm begins similarly to the Plain LWE encryption phase, by generating A ∈
Mat_k(R_q), s ∈ R_q^k, and e ∈ R_q^k. Here Mat_k(R_q) denotes the k × k matrices with entries in R_q, and
R_q^k the vectors with k entries in R_q. The public key is (A, b), with b = A·s + e as in Plain LWE, and
the private key is s. Let m be the message one seeks to encrypt. In the Kyber encryption phase, μ (as in
Plain LWE) is the output of toRing(m) ∈ R_q. Algorithm 3.6 shows the Kyber encryption phase.

Algorithm 3.6: Kyber Encryption Phase77

Input: public key (A, b), message m ∈ {0,1}^256
1. Pick r ∈ R_q^k at random.
2. Pick e_1 ∈ R_q^k at random.
3. Pick e_2 ∈ R_q at random.
4. Calculate u = A^T·r + e_1.
5. Calculate v’ = b^T·r + e_2 + toRing(m).
Output: ciphertext (u, v’)

This ciphertext is then transmitted to a holder of the private key s, who begins the decryption process
of Algorithm 3.7.

Algorithm 3.7: Kyber Decryption Phase78

Input: private key s, ciphertext (u, v’)
1. Calculate m* = v’ – s^T·u.
2. Calculate m = fromRing(m*).
Output: message m

There is a high probability that the Kyber decryption phase outputs the correct message m. However,
the decryption failure probability depends on the chosen parameters for the encryption algorithm.
Table 2 shows the parameters and their corresponding decryption failure probabilities δ. As the rank
k increases, the probability of decryption failure decreases.
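As an added worked example (not Kyber’s own code), the toy Python below runs Algorithms 3.6 and 3.7 with polynomial arithmetic in R_q = ℤ_q[x]/(x^n + 1) and the toRing/fromRing functions of Definitions 3.12 and 3.13. It keeps q = 3329 and k = 2 from Table 2 but uses a constructed n = 8 and a constructed error bound of 2, sized so that the noise term e^T·r + e_2 – s^T·e_1 stays below q/4 and decryption never fails, whereas the real parameter sets accept the small failure probability δ of Table 2.

```python
"""Toy Module-LWE encryption in the shape of Kyber's Algorithms 3.6 and 3.7.

Added worked example, not Kyber's reference implementation.  Arithmetic is
in R_q = Z_q[x]/(x^n + 1); keys and randomness are k-vectors over R_q;
to_ring/from_ring follow Definitions 3.12 and 3.13.  q = 3329 and k = 2 are
Kyber512's values (Table 2); n = 8 instead of 256 and the error bound ETA = 2
are constructed so the example runs instantly and never fails to decrypt.
"""
import random

q = 3329
n = 8                    # constructed; Kyber uses n = 256
k = 2                    # module rank, as in Kyber512
ETA = 2                  # small coefficients are drawn from {-2, ..., 2} (assumption)
HALF_Q = (q + 1) // 2    # q/2 rounded to the nearest integer (1665)


def poly_add(a, b):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Multiply in Z_q[x], then reduce modulo x^n + 1 using x^n = -1 (Definition 3.9)."""
    prod = [0] * (2 * n)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # x^(n+t) = -x^t: the upper half folds into the lower half with a sign flip.
    return [(prod[t] - prod[t + n]) % q for t in range(n)]


def small_poly(rng):
    return [rng.randint(-ETA, ETA) % q for _ in range(n)]


def small_vec(rng):
    return [small_poly(rng) for _ in range(k)]


def inner(u, v):
    """u^T v for k-vectors over R_q."""
    acc = [0] * n
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc


def mat_vec(M, v):
    """M v for a k x k matrix M over R_q (list of rows of polynomials)."""
    return [inner(row, v) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def to_ring(bits):
    """Definition 3.12: bit 0 -> coefficient 0, bit 1 -> coefficient q/2."""
    return [HALF_Q if bit else 0 for bit in bits]


def from_ring(poly):
    """Definition 3.13: coefficient-wise division by q/2 and rounding."""
    bits = []
    for c in poly:
        c = c - q if c > q // 2 else c        # centered representative in (-q/2, q/2]
        bits.append(1 if abs(c) > q / 4 else 0)
    return bits


def keygen(rng):
    """A in Mat_k(R_q), small s and e in R_q^k, public key (A, b = A s + e)."""
    A = [[[rng.randrange(q) for _ in range(n)] for _ in range(k)] for _ in range(k)]
    s = small_vec(rng)
    e = small_vec(rng)
    b = [poly_add(x, y) for x, y in zip(mat_vec(A, s), e)]
    return (A, b), s


def encrypt(pk, m_bits, rng):
    """Algorithm 3.6: steps 1-3 sample r, e_1, e_2; steps 4-5 build (u, v')."""
    assert len(m_bits) == n
    A, b = pk
    r, e1, e2 = small_vec(rng), small_vec(rng), small_poly(rng)
    u = [poly_add(x, y) for x, y in zip(mat_vec(transpose(A), r), e1)]
    v_prime = poly_add(poly_add(inner(b, r), e2), to_ring(m_bits))
    return u, v_prime


def decrypt(sk, ct):
    """Algorithm 3.7: m* = v' - s^T u, then m = fromRing(m*)."""
    u, v_prime = ct
    return from_ring(poly_sub(v_prime, inner(sk, u)))


def noise_bound():
    """Largest possible |coefficient| of e^T r + e_2 - s^T e_1; exact decryption needs < q/4."""
    return 2 * k * n * ETA * ETA + ETA


def roundtrip(m_bits, seed=0):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt(sk, encrypt(pk, m_bits, rng))
```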

77 “A Mathematical Perspective on Post-Quantum Cryptography” 9.
78 Ibid.

Table 2: Kyber Encryption Algorithm Parameters and Corresponding Decryption Failure Probability δ79

              n     k    q      δ
Kyber512      256   2    3329   2^-139
Kyber768      256   3    3329   2^-164
Kyber1024     256   4    3329   2^-174

As an algorithm selected for inclusion in CNSA 2.0, Kyber is a strong candidate for replacing RSA
and other forms of asymmetric cryptography in use today.

3.2.3 National Security Memorandum 10 (NSM-10)

The standardization of quantum-resistant algorithms such as Kyber is the critical first step in the
transition to post-quantum cryptography; however, an effective plan towards a quantum-resistant
nation must connect government agencies, American businesses, academia, and allied nations.
Published in May of 2022 in anticipation of NIST’s upcoming set of standards, NSM-10 specifies the
Biden administration’s plan for “promoting United States leadership in quantum computing while
mitigating risks to vulnerable cryptographic systems” and unites organizations toward this goal.80 The
document identifies the “key steps” involved in maintaining a competitive edge in QIS and
transitioning to quantum-resistant systems to address “cyber, economic, and national” security
concerns. The memorandum directs its policies and initiatives toward government agencies that will
work together to begin this “multi-year process” of preparing for the arrival of a technology that will
revolutionize computing and cryptography.81

3.2.3.1 Directives and Emphases

NSM-10 is broken into four main sections that cover QIS background, strategies to maintain U.S.
leadership in QIS, mitigating quantum risks to cryptography, and protecting American quantum
technology as it advances. Because this research focuses on quantum computing’s risk to public-key
cryptography, the NSM-10 directives to address the risk to current cryptography are detailed here.

Section 3 of NSM-10 gives fifteen directives for addressing quantum computing’s risks to encryption,
with the stated goal of “mitigating as much of the quantum risk as is feasible by 2035”.82 The
memorandum acknowledges the NSA and NIST’s standardization efforts and develops a cross-agency
plan for transition once the first set of standards is published. As organizations migrate to quantum-
resistant solutions through these products, they should plan to support rapid adaptations to new

79 “A Mathematical Perspective on Post-Quantum Cryptography” 10.
80 NSM-10 1.
81 NSM-10 Sec. 1a.
82 NSM-10 Sec. 3a.

cryptographic primitives and algorithms, a quality known as cryptographic agility.83 NSM-10 identifies
two overarching emphases for effectively transitioning vulnerable systems to quantum-resistant
cryptography: cryptographic agility and stronger collaboration between academia, industry, and
foreign allies.

The following are selected mandates for the transition of critical infrastructure and NSS, headed by
NIST and the Cybersecurity and Infrastructure Security Agency (CISA):
• “The Secretary of Commerce, through the Director of NIST, shall initiate an open working
group with industry, including critical infrastructure owners and operators, and other
stakeholders, as determined by the Director of NIST, to further advance adoption of quantum-
resistant cryptography. This working group shall identify needed tools and data sets, and
other considerations to inform the development by NIST of guidance and best practices to
assist with quantum-resistant cryptography planning and prioritization. Findings of this
working group shall be provided, on an ongoing basis, to the Director of the Office of
Management and Budget (OMB), the Assistant to the President for National Security Affairs
(APNSA), and the National Cyber Director to incorporate into planning efforts.”84
• “The Secretary of Commerce, through the Director of NIST, shall establish a “Migration to
Post-Quantum Cryptography Project” at the National Cybersecurity Center of Excellence to
work with the private sector to address cybersecurity challenges posed by the transition to
quantum-resistant cryptography. This project shall develop programs for discovery and
remediation of any system that does not use quantum-resistant cryptography or that remains
dependent on vulnerable systems.”85
• “Within 90 days of the release of the first set of NIST standards for quantum-resistant
cryptography, and on an annual basis thereafter, as needed, the Secretary of Commerce,
through the Director of NIST, shall release a proposed timeline for the deprecation of
quantum-vulnerable cryptography in standards, with the goal of moving the maximum
number of systems off quantum-vulnerable cryptography within a decade of the publication
of the initial set of standards. The Director of NIST shall work with the appropriate technical
standards bodies to encourage interoperability of commercial cryptographic approaches.”86

The remaining mandates specify actions for inventorying and prioritizing vulnerable national security
systems, assigning agencies tasks for carrying out transition once NIST publishes the first set of
standards, and updating vulnerable symmetric algorithms within NSS by increasing key length.
Ultimately, NSM-10 serves as a high-level blueprint for government agencies to work together towards
cybersecurity in the quantum age.

3.2.3.2 The Challenges of Transition

The challenges of transition center around the vast and disorganized use of cryptography within
organizations and the difficulty of changing whole infrastructures to employ quantum-resistant
algorithms. The National Cybersecurity Center of Excellence’s “Migration to Post-Quantum

83 Migration to Post-Quantum Cryptography, NCCoE.
84 NSM-10 Sec. 3c. i.
85 NSM-10 Sec. 3c. ii.
86 NSM-10 Sec. 3c. vii.

Cryptography Project”, established by the second NSM-10 mandate quoted in Section 3.2.3.1, provides
a transition template that specifies the actions individual organizations must take to prepare for
quantum computing and the problems they are likely to encounter.

The success of the project depends on the success of algorithm replacement. The steps to replace an
algorithm include finding where an organization is employing public-key cryptography, determining
use characteristics, selecting replacement algorithms, and considering challenges associated with
adoption and implementation across the organization. Cryptographic algorithms cannot be replaced
until every part of a system can support the replacement, which entails updates to protocols, schemes,
and infrastructures.87 In other words, algorithm replacements cannot be “dropped in”, presenting a
massive migration challenge. Algorithm replacement is disruptive and often takes decades to complete,
so it is imperative that organizations begin preparing now.

Another challenge to migration is the protection of previously secured data. Once a cryptographically
relevant quantum computer is built, all communications protected by public-key cryptography will
become vulnerable, including data in storage that remains confidential. Organizations must re-encrypt
old confidential information as well as plan for encrypting through quantum-resistant algorithms going
forward. Previously authenticated information must be re-signed or timestamped using quantum-
resistant methods.88 Information stored by an adversary before re-processing cannot be secured. If an
adversary steals encrypted information before re-processing with plans to read it once a quantum
computer becomes available, nothing can be done to save it.

Considering these challenges, the Migration to Post-Quantum Cryptography Project Description
specifies the following planning requirements:
• “The replacement of algorithms may require changing or replacing cryptographic
libraries, implementation validation tools, hardware that implements or accelerates
algorithm performance, dependent operating system and application code,
communications devices and protocols, and user and administrative procedures.”
• “Security standards, procedures, and best practice documentation must be changed
or replaced, as well as installation, configuration, and administration documentation.”
• “The creation of a detailed migration playbook.”
• “Organizations must identify where and for what purpose public-key cryptography is
used within systems.”
• “Organizations must identify cybersecurity standards and guidelines that specify or
presume the use of public-key cryptography.”89

Most organizations have minimal records of where public-key cryptography is employed in their
operations. This exposes the need for precise documentation of cryptography’s uses and functions.

87 Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms 2, NIST.
88 Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms 3, NIST.
89 Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms 5, NIST.

This would also support the goal of crypto-agility, as detailed records of where cryptography is used
within systems facilitate future transitions.

In summary, the American Intelligence Community’s transition plan entails ongoing quantum-
resistant algorithm development and standardization, the execution of NSM-10 directives, and agency
projects that facilitate migrations across government and industry. Increased cryptographic agility,
collaboration, and continued leadership in QIS are imperative to the success of the United States’
preparations for the arrival of quantum computing. The following section analyzes the strengths,
weaknesses, opportunities, and threats of the transition plan presented in this case study.

3.3 SWOT Analysis of Transition Plan


STRENGTHS
• Emphasis on cryptographic agility to ease future transitions
• Focus on QIS research and development in accordance with NSM-10
• Ongoing algorithm standardization efforts to increase quantum-resistant cryptographic algorithm diversity
• Collaboration between U.S. government agencies, industry, academia, and foreign allies in preparing for quantum technology
• Feasible project timeline and goal of transitioning as many systems as possible by 2035, mandated by NSM-10

WEAKNESSES
• Project success depends on the uncertain timing of standards rounds and the ability to modify underlying infrastructures within the next decade
• NSS and other critical organizations have diverse infrastructures which require many individualized solutions
• NSS and other critical organizations have minimal record of cryptography placement and function within systems
• Omission of a plan for protection against the stealing and storing of vulnerable encrypted data to decrypt once a CRQC becomes available
• Lack of technical literature on supporting crypto-agility beyond automated inventory and documentation of cryptography

OPPORTUNITIES
• Efficient future algorithm adaptations due to increased crypto-agility
• Increased QIS research and awareness within American government, academia, and industry
• Increased organization of infrastructures and cybersecurity standards within NSS, critical organizations, and American industry
• Increased automation and documentation of cryptography in American cyberspace
• Stronger relationships between government agencies, standards bodies, and federal cybersecurity teams

THREATS
• Adversary plans to steal vulnerable, encrypted information before re-processing
• Changing cryptographic infrastructures is disruptive, and the transition process may make systems temporarily more vulnerable to cryptanalysis
• Interdependent organizations’ failure to complete standards, implementation guidelines, or migration playbooks in time for a CRQC
• Negatively affecting NSS or business functions through large infrastructure changes
• Dangers associated with exporting cryptographic products to aid foreign allies

Section Four: Discussion of Case Study Results

The case study of the breaking of RSA and U.S. policies for algorithm transition stresses the
connection between the theory of quantum computing and its security impacts, as advancements in
QIS have an effect on the relative safety or jeopardy of digital systems. The consequences of quantum
computing technology extend beyond the direct impact to currently deployed algorithms and will
likely bring about both positive and negative indirect effects, such as greater crypto-agility within
systems and long-term system disruption during migration. Using case study insights, Section 4
discusses the obvious and subtle implications of quantum computing for national cybersecurity,
divided into key threats and opportunities. This discussion aims to broadly catalog threats and
opportunities rather than provide detailed analyses of each.

4.1 Key Threats to Cybersecurity

As echoed throughout this study, the most significant threat that quantum computing poses to
cybersecurity is the solving of the factoring and discrete logarithm problems and subsequent breaking
of all public-key cryptography in use today. The case study explores this phenomenon through a
mathematical lens, looking at the role of Shor’s 1994 discovery in beginning the transition from
vulnerable RSA to quantum-resistant algorithms such as Kyber. The seriousness of this consequence
of quantum technology has been established. Should the transition project fail, quantum computing
would undermine civilian and military communications, control systems for critical infrastructure,
and online financial transactions.90 Unprotected data could lead to system attacks, enemy exploitation
of information, decreased competition within industry, and other national security issues.

The weaknesses listed in the SWOT analysis of the U.S. plan to adapt American systems before the
arrival of a CRQC suggest that a failure of transition is possible due to the difficulty of algorithm
replacement, uncertain timing, system infrastructure diversity and complexity, and poor records of
public-key cryptography within organizations. To mitigate this risk, it is imperative that NSS and
critical infrastructures begin migration as early as possible to provide ample time for addressing
problems as they arise. This begins with spreading awareness of the quantum threat and encouraging
individualized transition plans for organizations in anticipation of NIST’s implementation standards.

Beyond the risks that a failure to transition brings, the transition project itself may threaten American
cybersecurity through the large-scale disruption that a successful migration requires. The effects of
this will surface as the transition gets underway, but massive changes to infrastructures may create
system inefficiencies, compromise systems’ ability to fulfill their main functions, or introduce weaknesses
that further undermine security or performance. Given that algorithm standardization is an ongoing
process and advancements in QIS may identify new quantum threats to digital communications,
whole-system disruptions are likely to continue.

While a powerful quantum computer is not yet in existence, confidential data is threatened now by
adversary plans to steal vulnerable, encrypted information before re-processing. This data could then
be decrypted once a CRQC becomes available, exposing national, trade, or business secrets. Hence,
preparation for quantum computing entails greater protection of past and current data and strict
policies surrounding information-sharing while transition is underway. A related external threat to

90 NSM-10 Sec. 1b.

cybersecurity is the stealing of cryptographic technologies by global or business competitors, which is
why U.S. policy mandates strict rules surrounding the export of American cryptographic solutions,
including the CRYSTALS-KYBER algorithm. Failure to protect these innovations would cause the
U.S. to lose its competitive edge in preparing for quantum threats, signaling the need for new trade
laws and data protection plans.

The theory of quantum computing collides with national security policy in the anticipation of risks
to current computing systems. Theoretical discoveries, such as Shor and Grover’s algorithms, translate
to real security concerns and capabilities, which is one of the reasons behind the United States’
insistence on maintaining leadership in QIS. Through keeping the forefront of quantum research and
development on American soil, the nation has an advantage in understanding and preparing for
impacts.

4.2 Key Opportunities for Cybersecurity

Quantum computing is a double-edged sword; while it introduces serious threats, there are many
opportunities for stronger security made possible by quantum computers and broader QIS. QIS may
facilitate massive upgrades in American digital systems, including “faster communication speeds,
extremely secure encryption, precise scientific modeling, improved machine learning and optimization
solutions, artificial intelligence, and more accurate radar and sensing”.91 As the theory behind quantum
technology progresses and hardware catches up, researchers will likely discover more applications. For
now, quantum’s ability to exploit frequency information and speed data searches, which makes Shor
and Grover’s algorithms possible, has given it the most power over classical computing. This ability
to more quickly, accurately, and precisely process data and interpret previously invisible patterns has
the potential to increase cybersecurity and lead to greater system performance.

The SWOT analysis of Section 3.3 identifies many opportunities for security brought about by the
transition to quantum-resistant cryptography. The looming threat of quantum computing to current
encryption schemes is forcing the organization of American cyberspace, which developed organically
over the last half-century with minimal record or documentation of the use and function of
cryptography.92 This effort contributes to crypto-agility and will allow for better cybersecurity going
forward. Increased automation will also increase system security and efficiency. The stronger
partnerships between government, academia, and industry mandated by NSM-10 may lead to greater
innovation in QIS, forming a united front against external cyberthreats.
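The crypto-agility effort described here, and the harvest-now, decrypt-later risk raised earlier in this section, both depend on an organization first knowing where it uses public-key cryptography and which of those uses protect long-lived secrets. The following Python sketch is an added example, not code from the thesis or from any NIST or NSA tool. It assumes a constructed inventory format (system, algorithm, key size, purpose, secrecy lifetime in years), classifies each record by its exposure to a CRQC, and orders the records so that Shor-vulnerable key exchange protecting long-lived data is migrated first. The record format, field names and sample systems are assumptions made for illustration.

```python
"""Crypto-agility inventory triage.

Added example, not code from the thesis or from NIST/NSA. It classifies
recorded uses of cryptography by their exposure to a cryptographically
relevant quantum computer (CRQC) and ranks them for migration. The record
format, field names and sample entries below are constructed assumptions.
"""
from dataclasses import dataclass

# Asymmetric families whose security rests on factoring or discrete logarithms,
# which Shor's algorithm solves in polynomial time.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Quantum-resistant families; CRYSTALS-KYBER is the one named in the thesis,
# ML-KEM and ML-DSA are NIST's standardized names for Kyber and Dilithium.
QUANTUM_RESISTANT = {"CRYSTALS-KYBER", "ML-KEM", "CRYSTALS-DILITHIUM", "ML-DSA"}
# Symmetric primitives: Grover's algorithm roughly halves effective key
# strength, so 128-bit keys lose margin while 256-bit keys keep ample margin.
SYMMETRIC = {"AES", "SHA2", "SHA3"}


@dataclass
class CryptoUse:
    system: str
    algorithm: str
    key_bits: int        # key size, or parameter set number for Kyber
    purpose: str         # "key-exchange", "bulk-encryption" or "signature"
    secrecy_years: int   # how long the protected data must remain confidential


def classify(use):
    """Label one recorded use by its quantum exposure."""
    alg = use.algorithm.upper()
    if alg in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if alg in QUANTUM_RESISTANT:
        return "quantum-resistant"
    if alg in SYMMETRIC:
        return "weakened" if use.key_bits < 256 else "adequate"
    return "unknown"   # undocumented cryptography is itself a finding


def migration_priority(use):
    """Sort key; lower tuples migrate first.

    Confidentiality protected by a Shor-vulnerable key exchange is exposed to
    harvest-now, decrypt-later in proportion to how long the data must stay
    secret, so those records lead, ordered by secrecy lifetime. Undocumented
    uses come next because they cannot be assessed. Vulnerable signatures are
    only at risk once a CRQC exists, so they follow long-lived secrets.
    """
    status = classify(use)
    if status == "quantum-vulnerable" and use.purpose != "signature":
        return (0, -use.secrecy_years)
    if status == "unknown":
        return (1, 0)
    if status == "quantum-vulnerable":
        return (2, -use.secrecy_years)
    if status == "weakened":
        return (3, -use.secrecy_years)
    return (4, 0)


def parse_inventory(text):
    """Parse 'system,algorithm,key_bits,purpose,secrecy_years' records."""
    uses = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, alg, bits, purpose, years = (f.strip() for f in line.split(","))
        uses.append(CryptoUse(system, alg, int(bits), purpose, int(years)))
    return uses


def triage(inventory):
    """Return the inventory ordered from most to least urgent to migrate."""
    return sorted(inventory, key=migration_priority)


# Constructed sample inventory; the systems are fictitious.
SAMPLE_INVENTORY = """
vpn-gateway,RSA,2048,key-exchange,25
code-signing,ECDSA,256,signature,5
archive-store,AES,128,bulk-encryption,30
pilot-service,CRYSTALS-KYBER,768,key-exchange,25
legacy-app,undocumented,0,key-exchange,10
"""

if __name__ == "__main__":
    for use in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{use.system:14} {use.algorithm:15} {classify(use)}")
```

The ordering encodes the point made above: a record whose cryptography is undocumented ranks ahead of a known-vulnerable signature, because an inventory gap cannot be planned around, while a signature only fails once a CRQC exists.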

The sudden interest in post-quantum cryptography may lead to innovation in the field of cryptology.
There is new attention on creating a diverse array of quantum-resistant algorithms, the importance
of which is stressed in NIST’s algorithm standardization project. The Kyber algorithm is only one
direction that post-quantum cryptography may take, and mathematicians are continually devising
quantum-resistant algorithms around a variety of hard problems. While mathematical creativity,
increased system security and performance, and the organization of cyberspace are among the many
opportunities that quantum computing may bring to cybersecurity, the U.S. must balance these
innovations with threat management to maintain security in the post-quantum world.

91 “The realist’s guide to quantum technology and national security”, Deloitte.
92 Martin 21.

Conclusion

The central research question of this thesis sought to identify the potential consequences of quantum
computing for U.S. cybersecurity. As concluded from a qualitative case study analysis, the key threats
that quantum computing poses to cybersecurity are the destruction of asymmetric cryptography, the
complete vulnerability of confidential data in the event of migration project failure, whole-system
disruption from algorithm transition, and adversary incentive to steal cryptographic solutions and
data before reprocessing. The key opportunities that quantum computing may bring to cybersecurity
are based in a quantum computer’s ability to exploit patterns unseen by a classical computer. This
can create extremely secure encryption and increase digital security. The impact of quantum
computing depends largely on the success of the transition project but will likely include large-scale
system change and disruption across government and industry.

To explore the research question, an intrinsic case study focused on the most definite security
consequence of quantum computing, the breaking of public-key cryptography. The case study features
a mathematical analysis of the topic and tells the chronological story of RSA’s development, Shor’s
algorithm, and the effect of Shor’s discovery in mobilizing government agencies to prepare for the
destruction of RSA and other forms of asymmetric cryptography. A SWOT analysis formalizes case
study findings and organizes the security consequences of quantum computing in readable form. This
approach centered the research on the quantum threat to public-key cryptography and the algorithm
migration plan recounted in NSM-10, allowing for justifiable conclusions in a topic susceptible to
fantastical speculation. However, the case study method prioritized breadth over depth. The
discussion of results categorizes threats and opportunities that follow from case study findings without
providing detailed analyses of each. This raises many questions that demand further research, such
as how transition plans should be effectively executed given challenges presented in this study, the
politics of an international quantum race, how current advances in QIS and cryptography may update
this research, and quantum computing’s impact in domains outside of cybersecurity.

This research is unique in its combination of genres. It presents both a mathematical analysis of the
topic and a qualitative case study investigating the national plan for algorithm transition. This
method establishes understanding of quantum computing from two notable paradigms, cryptography
and national security, and connects advancements in cryptography to political effects. Because the
story of quantum computing is in its infancy, there is minimal literature exploring current initiatives
to combat threats and transition cryptosystems. In the absence of such treatment, this study aimed to
craft a preliminary analysis of quantum computing and U.S. cybersecurity, identifying possible
threats, opportunities, and outcomes while encouraging further research into the expanding quantum
frontier.

Appendix

NIST Standardization Timeline

Figure 2: Quantum-Resistant Algorithm Standardization Timeline



CNSA 1.0 vs. CNSA 2.0

Table 3: CNSA 1.0

Table 4: CNSA 2.0



NSA

The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in
cryptology that encompasses both signals intelligence (SIGINT) insights and cybersecurity products
and services and enables computer network operations to gain a decisive advantage for the nation
and our allies. NSA/CSS is referred to collectively as NSA.93

NIST

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of
the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. Its
stated mission is the promotion of U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology in ways that enhance economic security and improve
our quality of life.94

CISA

CISA is the operational lead for federal cybersecurity and the national coordinator for critical
infrastructure security and resilience.95

93 NSA.gov
94 NIST.gov
95 CISA.gov

Bibliography

Alagic, G., Cooper, D., Dang, Q., Dang, T., Kelsey, J., Lichtinger, J., Liu, Y., Miller, C., Moody,
D., Peralta, R., Perlner, R., Robinson, A., Smith-Tone, D. and Apon, D. (2022), Status
Report on the Third Round of the NIST Post-Quantum Cryptography Standardization
Process, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and
Technology, Gaithersburg, MD, https://doi.org/10.6028/NIST.IR.8413,
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934458. Accessed 19 August 2023.

Aumasson, Jean-Philippe. Serious Cryptography: A Practical Introduction to Modern Encryption.
No Starch Press, Inc., 2018.

Barker, William, William Polk, Murugiah Souppaya. Getting Ready for Post-Quantum
Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum
Cryptographic Algorithms. NIST Cybersecurity White Paper, 2021,
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf.

Bernhardt, Chris. Quantum Computing for Everyone. First MIT Press, 2020.

“National Security Memorandum on Promoting United States Leadership in Quantum Computing
While Mitigating Risks to Vulnerable Cryptographic Systems.” The Biden Administration, 4
May 2022, https://www.whitehouse.gov/briefing-room/statements-
releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-
in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/.

Buchholz, Scott, Joe Mariani, Adam Routh. “The realist’s guide to quantum technology and
national security.” Deloitte, 6 February 2020.

Chen L, Jordan S, Liu Y-K, Moody D, Peralta R, Perlner R, Smith-Tone D (2016) Report on
Post-Quantum Cryptography. (National Institute of Standards and Technology, Gaithersburg,
MD), NIST Internal Report (NISTIR) 8105. https://doi.org/10.6028/NIST.IR.8105.

Hungerford, Thomas W. Abstract Algebra: An Introduction. 3rd Edition, Brooks/Cole, Pacific
Grove, 2020, pp. 437.

Johnston, Eric R., Nic Harrigan, Mercedes Gimeno-Segovia. Programming Quantum Computers:
Essential Algorithms and Code Samples. O'Reilly Media, Inc., 2019.

Martin, Keith. Cryptography: The Key to Digital Security, How It Works, and Why It Matters. W.
W. Norton & Company, Inc., 2020.

Migration to Post-Quantum Cryptography. National Cybersecurity Center of Excellence, National
Institute of Standards and Technology, 2021, https://www.nccoe.nist.gov/crypto-agility-
considerations-migrating-post-quantum-cryptographic-algorithms. Accessed 15 July 2023.

Morgus, Robert. “What Policymakers Need to Know About Quantum Computing.” Council on
Foreign Relations, 31 July 2018.

"National Quantum Initiative: The Federal Source and Gateway to Quantum R&D Across the U.S.
Government." National Quantum Coordination Office, 2018, quantum.gov.

National Strategic Overview for Quantum Information Science. National Quantum Initiative
Subcommittee on Quantum Information Science, Ver. 16, September 2022.

Nielsen, M. A., I. L. Chuang. Quantum Computation and Quantum Information. Cambridge
University Press, 2011.

Oriyano, Sean-Philip. Cryptography: Infosec Pro Guide. McGraw-Hill Education, 2013.

"Post-Quantum Cryptography." Department of Homeland Security, https://www.dhs.gov/quantum.

"Post Quantum Cryptography Standardization." National Institute of Standards and Technology,
https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-
Standardization. Accessed 2 August 2023.

Regev, Oded. “The Learning with Errors Problem.” CRYPTO, 2006.

Richter, Maximilian, Magdalena Bertram, Jasper Seidensticker, Alexander Tschache. “A
Mathematical Perspective on Post-Quantum Cryptography.” Mathematics 2022, 10, 2579.
https://doi.org/10.3390/math10152579.

Rivest, R., A. Shamir, L. Adleman. A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems. MIT Laboratory for Computer Science and Department of Mathematics,
1978.

Shor, Peter. “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a
Quantum Computer”, SIAM J. Comput., 26 (5), 1997, pp. 1484–1509.
http://dx.doi.org/10.1137/s0036144598347011.

Stein, Ben P. “The History and Future of Quantum Information.” National Institute of Standards
and Technology, 5 April 2022, https://www.nist.gov/content/history-and-future-quantum-
information. Accessed 19 August 2023.

The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ. National
Security Agency, Ver. 1.0, Sep. 2022, https://media.defense.gov/2022/Sep/07/2003071836/-
1/-1/0/CSI_CNSA_2.0_FAQ_.PDF. Accessed 19 August 2023.
