October 17 – 22 , 2021, Dagstuhl Seminar 21421

Quantum Cryptanalysis


Stacey Jeffery (CWI – Amsterdam, NL)
Michele Mosca (University of Waterloo, CA)
Maria Naya-Plasencia (INRIA – Paris, FR)
Rainer Steinwandt (University of Alabama in Huntsville, US)

For support, please contact

Dagstuhl Service Team


List of Participants
Shared Documents
Dagstuhl Seminar Schedule [pdf]


Quantum cryptanalysis is at the crossroad between quantum computing and cryptography, and this Dagstuhl Seminar aims to study quantum attacks against cryptographic solutions that are deployed or considered for standardization. Apart from algorithmic insights, we are interested in software tools that support the quantum cryptanalyst in optimizing and quantifying (quantum) resources. We plan to explore the security of symmetric and asymmetric cryptographic solutions against quantum attacks.

The seminar is a sequel to Dagstuhl Seminars Nº 11381, Nº 13371, Nº 15371, Nº 17401, and Nº 19421 with the same title. This sixth installment of the Quantum Cryptanalysis series intends to focus on deployed schemes and more mature post-quantum cryptographic schemes, such as Round 3 candidates in NIST’s standardization effort. The envisioned emphasis is on quantum cryptanalysis, which includes learning about software tools to improve cost analyses.

For the technical program, we are particularly interested in

  1. Quantum algorithmic innovations to attack cryptographic building blocks.
    How can we levarage quantum algorithms to improve cryptanalytic capabilities, and how can we optimize the best available cryptanalytic results in meaningful quantum attack models? We want to fully leverage state-of-the-art quantum computing.
  2. Techniques and software tools to optimize and quantify resources for such attacks.
    Can we establish reasonably precise quantum resource counts for cryptanalytic attacks, especially for problem instances and parameter choices that are actually deployed or considered for standardization for future deployment?

Quantum attacks against today’s RSA or elliptic-curve based cryptography, and against AES are naturally part of this conversation. This is needed to have reliable estimates for when a transition to new algorithms is needed. We are no less interested in quantum attacks on mature post-quantum proposals, so that standardized parameters can stand the test of time without impeding on performance more than necessary.

Complementing theoretical investigations, we are interested in presentations on existing tools to analyze quantum algorithms/circuits in software. The composition of the seminar group should help to identify which tools/features cryptanalysts are lacking most to reliably quantify the cost of advanced quantum cryptanalytic attacks.

As in the past, the seminar brings together researchers who work in the field of quantum computing with experts in classical cryptography, taking into account the latest advances in both fields, and we aim at a group composition with about 50% of the participants having strong roots in each of these two fields.

Motivation text license
  Creative Commons BY 3.0 DE
  Stacey Jeffery, Michele Mosca, Maria Naya-Plasencia, and Rainer Steinwandt

Dagstuhl Seminar Series


  • Cryptography And Security
  • Emerging Technologies


  • Quantum computing
  • Post-quantum cryptography
  • Quantum resource estimation
  • Computational algebra


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.