October 13 – 18, 2019, Dagstuhl Seminar 19421

Quantum Cryptanalysis


Michele Mosca (University of Waterloo, CA)
Maria Naya-Plasencia (INRIA – Paris, FR)
Rainer Steinwandt (Florida Atlantic University – Boca Raton, US)
Krysta Svore (Microsoft Corporation – Redmond, US)



At this point in time, it is clear that quantum computers can in principle undermine the security of many of the deployed cryptographic schemes—including RSA and elliptic-curve based digital signatures, to give prominent examples. These attacks become relevant as soon as an attacker has access to a scalable quantum computer. As a result, standardization efforts for asymmetric cryptography are underway to find post-quantum replacements that can form the foundation for security protocols once quantum attacks are a reality.

In the 2019 installment of the Quantum Cryptanalysis Dagstuhl Seminar series we want to focus on practical cryptanalytic aspects, needed for standards and implementers of post-quantum cryptography. We are less interested in novel designs for post-quantum cryptography, but very much welcome demonstrations and discussions of implementations of more mature candidates for post-quantum cryptography. The seminar focus is on

    I. Identifying new cryptanalytic improvements by means of quantum algorithms and optimizing the best available cryptanalytic attacks in meaningful quantum attack models. We want to fully leverage state-of-the-art quantum computing.
    II. Establishing reasonably precise quantum resource counts for cryptanalytic attacks, especially for problem instances and parameter choices that are actually deployed or considered for standardization for future deployment.

The overarching goal of this Dagstuhl Seminar is the identification of robust guidelines, backed by precise cryptanalytic analyses, for parameter choices in state-of-the-art proposals for post-quantum cryptography. This comes naturally with the analysis of quantum attacks against today’s RSA and elliptic-curve based cryptography, as this is needed to have reliable estimates for when a transition is needed. We explicitly include the quantum cryptanalysis of relevant symmetric primitives (like SHA-3 or AES) in the seminar scope.

As in the past, the seminar brings together researchers who work in the field of quantum computing with experts in classical cryptography, taking into account the latest advances in both fields, and we aim at a group composition with about 50% of the participants having strong roots in each of the two underlying fields.

Motivation text license
  Creative Commons BY 3.0 DE
  Michele Mosca, Maria Naya-Plasencia, Rainer Steinwandt, and Krysta Svore



  • Data Structures / Algorithms / Complexity
  • Security / Cryptology


  • Quantum computing
  • Post-quantum cryptography
  • Quantum hardware and resource estimation

