Grover's Algorithm: Only √n speedup
Unlike Shor's exponential speedup for factoring, Grover's search only provides a quadratic advantage. 2^128 → 2^64 operations.
Qubit Count
Drag to simulate quantum computer scaling
2,000
logical qubits
10010,000
RSA KEY VULNERABILITY (1/5 broken)
RSA-512
BROKEN
RSA-1024
SAFE
RSA-2048
SAFE
RSA-3072
SAFE
RSA-4096
SAFE
ML-KEM (all levels)
ALWAYS SAFENo qubit threshold exists — lattice problems have no known efficient quantum solution
Classical RSA / ECC
VULNERABLEShor's algorithm uses quantum period-finding to factor large numbers exponentially faster than any classical algorithm. The key step is modular exponentiation in superposition, followed by the QFT. This breaks RSA, whose security relies on the difficulty of factoring.
Enter a number between 2 and 999
ALGORITHM STEPS
Enter a number above to simulate Shor's algorithm
Post-Quantum (ML-KEM)
SECUREML-KEM (formerly CRYSTALS-Kyber), standardized in NIST FIPS 203, is based on the MLWE lattice problem. Even quantum computers with Grover's algorithm only achieve a √n speedup — not enough to break it.
WHY QUANTUM CAN'T BREAK LATTICE
No known quantum algorithm for SVP
The Shortest Vector Problem in high-dimensional lattices has no efficient quantum algorithm — unlike integer factoring.
Noise hides the secret
LWE adds Gaussian noise to lattice computations. Even with quantum superposition, the noise prevents extracting the secret key.
GROVER'S SPEEDUP COMPARISON
Classical brute force2128 ≈ 3.40×1038
Grover's quantum search264 ≈ 1.84×1019
Still 1.8×10^19 operations — completely infeasible even for quantum computers
ML-KEM SECURITY LEVELS
- ML-KEM-512SAFE
- ML-KEM-768SAFE
- ML-KEM-1024SAFE
ML-KEM remains secure at 2,000 qubits
No quantum algorithm can efficiently solve the lattice problem
Ref: NIST FIPS 203 (2024) · Grover (1996) · Regev (2005)