October 13 – 18 , 2019, Dagstuhl Seminar 19421

Quantum Cryptanalysis


Michele Mosca (University of Waterloo, CA)
Maria Naya-Plasencia (INRIA – Paris, FR)
Rainer Steinwandt (Florida Atlantic University – Boca Raton, US)
Krysta Svore (Microsoft Corporation – Redmond, US)

For support, please contact

Dagstuhl Service Team


Dagstuhl Report, Volume 9, Issue 10 Dagstuhl Report
Aims & Scope
List of Participants
Dagstuhl's Impact: Documents available
Dagstuhl Seminar Schedule [pdf]


Motivation and Scope

This fifth installment of a Dagstuhl seminar on Quantum Cryptanalysis was heavily informed by NIST's ongoing standardization effort in post-quantum cryptography. Several NIST employees attended the seminar and lead a discussion session on the topic. As one would hope hoped for, many talks had an algorithmic focus. Two areas were of particular interest for this seminar:

  • Quantum cryptanalytic progress. Identifying new cryptanalytic improvements that make use of quantum algorithms and expanding the applicability of the best known cryptanalytic attacks by means of quantum technology. Different quantum attack models can be considered here, and attack models that are close to being realizable with today's technology are particularly relevant. We want to fully leverage quantum computing, including expected mid-term advancements.
  • Quantum resource estimation. Establishing reasonably precise quantum resource counts for cryptanalytic attacks against symmetric and asymmetric schemes, especially for problem instances and parameter choices that are actually deployed or considered for standardization for future deployment. In addition to logical resources, understanding the overhead caused by handling imperfections of quantum hardware is of interest.

In addition to original quantum cryptanalytic research, the program included presentations with a strong survey component, explaining key concepts of particular areas within post-quantum cryptography. Deviating from prior editions, this time we did not include a presentation to document the status of the development of quantum hardware. Such a talk could have been a welcome addition, but the seminar program was already packed with a substantial number of relevant cryptanalytic results, and it was important to leave sufficient time for discussions.


Following the organization of the prior quantum cryptanalysis seminars in Dagstuhl, for this fifth edition, again experts from academia, government, and industry came together. We re-invited a number of leading experts in the field from the prior quantum cryptanalysis seminar edition, and at the same time invited several new participants. This included in particular young scientists, who entered this exciting research area more recently. In total, we had with 46 participants a slightly larger number of participants than in the preceding meeting. In line with the Dagstuhl tradition and with prior quantum cryptanalysis seminars, for Wednesday afternoon we left the schedule open. Seminar participants could devote the afternoon to an excursion, to discussions, or to work on their research.

Results and next step

At this point, communication and collaboration between the classical cryptographic and the quantum algorithmic research communities has become very fruitful, and it seems fair to say that this seminar is also of significant value in supporting ongoing standardization efforts in post-quantum cryptography. In addition to quantum cryptanalytic results on asymmetric cryptography, more results on symmetric cryptography are emerging. There is still substantial research potential -- and research need -- in quantifying security margins in the presence of quantum computing, and the field keeps moving fast. Improved software tools become available to analyze quantum resources and describe quantum algorithms, bringing research in quantum cryptanalysis closer together with areas in traditional computer science.

Summary text license
  Creative Commons BY 3.0 Unported license
  Michele Mosca, Maria Naya-Plasencia, and Rainer Steinwandt

Dagstuhl Seminar Series


  • Data Structures / Algorithms / Complexity
  • Security / Cryptology


  • Quantum computing
  • Post-quantum cryptography
  • Quantum hardware and resource estimation


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.