Post-QuantumQuantum Computing

Kuperberg’s Algorithm and its Impact on Post-Quantum Cryptography (PQC)

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email September 1, 2014
16 minutes read
Kuperberg's Algorithm PQC

Updated in August 2024 after NIST’s Standard

What Is Kuperberg’s Algorithm and What Problem Does It Solve?

Kuperberg’s algorithm is a quantum algorithm that addresses a specific cryptographic puzzle known as the dihedral hidden subgroup problem (DHSP). In simple terms, the DHSP asks us to find a “hidden” value (like a secret shift or reflection) that is concealed within a function defined over a dihedral group (the group of symmetries of a polygon). The dihedral group, denoted $$D_N$$, consists of rotations and reflections of an $$N$$-sided polygon. The hidden subgroup in this context is generated by a reflection that, when applied, leaves the target function invariant. Solving the DHSP means uncovering that hidden reflection or shift.

In classical computing, solving the DHSP is believed to be very hard – the best classical algorithms require on the order of $$\sqrt{N}$$ queries to uncover the secret, which is essentially exponential in the size of the secret (since $$N$$ grows exponentially with the number of bits needed to describe the secret). Kuperberg’s breakthrough was to show that a quantum computer can solve the DHSP in subexponential time. Specifically, his algorithm runs in roughly $$O!\big(\exp(C\sqrt{\log N})\big)$$ time (for some constant $$C$$), which is significantly faster than the classical $$O(\sqrt{N})$$ time for large $$N$$.

In more intuitive terms, if $$N$$ is about $$2^n$$ (meaning the secret is $$n$$ bits long), a classical brute-force method might take on the order of $$2^{n/2}$$ steps, whereas Kuperberg’s quantum method would take on the order of $$2^{c\sqrt{n}}$$ steps for some constant $$c$$. This is still exponential in $$n$$ (hence not a feasible polynomial-time algorithm), but it grows much more slowly than the classical brute force. For example, for a problem size corresponding to $$n=128$$ bits, a classical brute force might need about $$2^{64}$$ steps, while Kuperberg’s approach might heuristically require on the order of $$2^{16}$$ or $$2^{32}$$ steps – a huge theoretical improvement, though still a very large number.

This subexponential behavior is what makes Kuperberg’s algorithm notable: it shows that certain problems believed to require exponential time classically can be cracked faster on a quantum machine (albeit still not efficiently in the usual sense of polynomial time).

Crucially, the DHSP is not just an abstract math problem – it has cryptographic implications. The dihedral hidden subgroup problem can be re-framed as the hidden shift problem for cyclic groups. In a hidden shift problem, one might have two related functions or signals, where one is a shifted version of the other by some secret amount $$s$$, and the goal is to find $$s$$. Kuperberg’s algorithm can find such hidden shifts in subexponential time as well. Certain cryptographic constructions (often historical or theoretical) could be reduced to a hidden shift problem. If a cryptosystem’s security relied directly on an instance of the DHSP, a quantum adversary running Kuperberg’s algorithm would have a subexponential-time attack against it.

In fact, researchers have studied how some cryptographic problems map to group hidden subgroup problems: for instance, the integer factorization and discrete logarithm problems map to abelian hidden subgroup problems (solved efficiently by Shor’s algorithm), whereas problems like certain lattice problems and graph isomorphism can be viewed as non-abelian hidden subgroup problems (like DHSP). Kuperberg’s algorithm specifically tackles the dihedral (non-abelian) case. In summary, Kuperberg’s algorithm solves the DHSP – a problem where a secret “reflection” is hidden in a function on a dihedral group – much faster than we believe any classical algorithm can.

How Does Kuperberg’s Algorithm Work? (Dihedral HSP, Quantum Fourier Sampling, Complexity)

Kuperberg’s algorithm builds on the general framework of quantum Fourier sampling used in many quantum hidden subgroup algorithms. In Shor’s algorithm (for abelian groups like the integers mod $$N$$ or multiplicative group of a prime field), the quantum Fourier transform is used to extract the periodic structure hiding a secret.

For the non-abelian case of the dihedral group, things are more complicated because the group’s representations are more complex. Nevertheless, Kuperberg’s method starts by creating quantum superposition states that encode the hidden shift. Specifically, given an oracle function $$f$$ that hides a reflection in $$D_N$$, the algorithm prepares quantum states (often called coset states) that are uniform over two configurations related by the secret reflection. It then performs a form of quantum Fourier transform (in the dihedral group, this is sometimes called a quantum character transform) on these states. This is analogous to how other hidden subgroup algorithms begin by performing a Fourier transform to obtain information about the subgroup structure from the phase of the quantum state.

However, a single round of Fourier sampling on a non-abelian group like $$D_N$$ does not directly yield the secret. Kuperberg’s insight was to use a clever sieving technique. In essence, the algorithm generates many such quantum states and then combines them in pairwise fashion to “sift out” information about the hidden shift bit by bit. Early iterations of the algorithm produce partial information (e.g. a low-order bit of the secret). By combining states recursively – each time using quantum interference and measurements to focus in on more “favorable” states – the algorithm gradually deduces all bits of the secret shift. This process is sometimes described as a collimation sieve: one starts with many qubit states carrying weak information about the secret, tensored them together to form higher-dimensional qudits, and measures in a way that “collimates” or aligns the phases of these states. With enough repetitions and memory, one eventually obtains a state where a measurement directly yields a bit of the hidden shift. Repeating and shifting the input data can then reveal all bits of the hidden value.

The original version of Kuperberg’s algorithm required a large quantum memory (storing on the order of as many qubits as queries made) to hold all these intermediate states while they were combined. Its time complexity and space (qubit) complexity were both on the order of $$2^{O(\sqrt{n})}$$ (if we denote $$n = \log N$$ as the size in bits of the group). Subsequent improvements by Kuperberg himself and others (notably Regev) introduced methods to significantly reduce the quantum space requirement, at the cost of a slightly larger time complexity. For example, Regev described a variant that uses only a polynomial number of qubits (recycling them cleverly) by doing the sieve combinatorics more sequentially, achieving a time complexity about $$2^{O(\sqrt{n}\log n)}$$ instead. In any case, all these algorithms remain subexponential in time, not polynomial.

To put the performance in perspective: a subexponential algorithm like Kuperberg’s is faster than generic brute force or Grover’s search for sufficiently large problem sizes, but it’s far slower than the dramatic speedup Shor’s algorithm achieves for factoring. A classical brute force on a space of size $$N$$ takes $$O(N)$$ steps, which for cryptographic sizes is infeasible. Grover’s quantum search would shave that down to $$O(\sqrt{N})$$ steps, which is still exponential in the input length but with a smaller exponent. Kuperberg’s algorithm goes further for the special case of hidden shift problems: it can solve the problem in $$2^{O(\sqrt{\log N})}$$ steps.

For example, researchers have noted that if one designs a symmetric-key cipher to use modular additions (which introduce a hidden shift structure), then instead of the attack cost being roughly $$2^{n/2}$$ (Grover’s algorithm cost for $$n$$-bit keys), a quantum attacker could use Kuperberg’s algorithm to achieve a cost on the order of $$2^{O(\sqrt{n})}$$. In practical terms, that means a scheme aiming for ~128-bit security could, in principle, be reduced to an attack cost comparable to only ~216 or 232 operations – highlighting a potential vulnerability if cryptosystems inadvertently rely on structures susceptible to hidden shift attacks.

Fortunately, most modern cryptosystems are not directly reducible to a clean hidden shift problem that Kuperberg’s algorithm can exploit (or if they were, those systems would be considered broken in the quantum threat model). In summary, Kuperberg’s algorithm works by quantum Fourier sampling combined with a sieving strategy to iteratively extract a hidden reflection (or shift) in a dihedral group. Its complexity is subexponential in the size of the problem, representing a noteworthy – but not unlimited – quantum speedup for this class of problems.

Lattice-Based Cryptography and the ML-KEM Standard (Kyber)

While Kuperberg’s algorithm is a fascinating quantum advancement, today’s post-quantum cryptography efforts are largely focused on cryptosystems believed to resist even quantum attackers. One of the most prominent families of such cryptosystems is lattice-based cryptography. Lattice-based schemes are built on problems that arise from the geometry of high-dimensional grids (lattices) of points. A classic hard lattice problem is, for example, the Shortest Vector Problem (SVP): given a multi-dimensional lattice specified by some basis vectors, find the shortest nonzero lattice point. Such problems are believed to be intractable for both classical and quantum computers when the lattice dimension is large and the lattice is chosen with “random-looking” structure.

A cornerstone of lattice-based cryptography is the Learning With Errors (LWE) problem. In LWE, one is given linear equations (inner products with a secret vector) that are perturbed by small random errors, and the goal is to recover the secret. The random “errors” make the problem difficult – they act like noise that hides the exact relations. LWE and its variants (such as Ring-LWE and Module-LWE) have become the foundation of many encryption schemes, digital signatures, and key exchange algorithms in the post-quantum world. Critically, LWE has a worst-case hardness guarantee: solving average instances of LWE (with appropriate parameters) is at least as hard as solving certain worst-case lattice problems like approximating the shortest vector or closest vector in a lattice. This means even a quantum computer would have to effectively solve a hard lattice problem to break LWE-based cryptography, for which no efficient algorithms are known.

ML-KEM (Module-Lattice Key-Encapsulation Mechanism) is the name of the new public-key encryption standard based on lattice cryptography – specifically, it’s based on the algorithm originally known as CRYSTALS-Kyber. Kyber was selected by the U.S. National Institute of Standards and Technology (NIST) as the primary post-quantum encryption scheme after a multi-year worldwide competition. In NIST’s documentation, the Kyber algorithm has been renamed to ML-KEM to highlight that it’s a Key-Encapsulation Mechanism built on module-lattice problems. (Module-LWE is a generalization of LWE that offers a balance between security and efficiency by working over small structured lattices called modules). ML-KEM is designed for key exchange: it allows two parties to securely establish a shared secret key over an open network, even in the presence of quantum eavesdroppers.

The reason lattice-based schemes like ML-KEM (Kyber) are so important in the post-quantum context is that they appear to resist all known quantum attacks. Unlike RSA or elliptic-curve cryptography (which are broken by Shor’s algorithm), lattice schemes have stood firm against intense scrutiny by cryptographers and quantum algorithm researchers.

The best known algorithms for attacking LWE and related lattice problems are either brute-force (which is completely infeasible for recommended parameters) or offer only minor speedups over brute force (e.g. certain classical algorithms or limited quantum techniques). No quantum algorithm even remotely as powerful as Shor’s has been found for lattice problems. In fact, as of now, lattice-based cryptographic problems like LWE are notable examples of problems that do not admit any known super-polynomial quantum speedup.

Researchers have tried – and thus far failed – to find an algorithm that solves LWE efficiently on a quantum computer. This is one of the key reasons NIST and the cryptographic community are confident in schemes like ML-KEM/Kyber: these schemes rest on problems that appear to be quantum-resistant. Even if a large-scale quantum computer is built, we expect ML-KEM to remain secure because solving its underlying lattice problem seems to require exponential time (just as it does for a classical attacker).

Why Kuperberg’s Algorithm Is Not a Practical Threat to ML-KEM

Given that Kuperberg’s algorithm can tackle a certain hidden subgroup problem in subexponential time, a natural question is whether this threatens lattice-based schemes like ML-KEM (Kyber). After all, there is a known theoretical relationship between LWE and the dihedral hidden subgroup problem: one can mathematically reduce the task of solving LWE to a kind of “noisy” hidden shift problem on a dihedral group. Specifically, Regev’s 2004 work showed a quantum reduction from (a variant of) the unique shortest vector lattice problem to the dihedral HSP, suggesting that if one could solve the DHSP robustly, one might solve certain lattice problems. However, the crucial point is that lattice cryptosystems like ML-KEM involve noise, which makes all the difference.

Kuperberg’s algorithm and its variants solve the clean (noise-free) hidden subgroup or hidden shift problem. They assume we have a perfect oracle that, upon query, provides a state corresponding to a perfect coset of the hidden subgroup. In the context of LWE, any analogous oracle would be “noisy” – the information we get (LWE samples) have random error. When researchers tried to extend Kuperberg’s approach to handle LWE, they found that the algorithm is not tolerant to this kind of noisewhich means we can’t use LWE reduction together with Kuperberg’s algorithm to come up with a subexponential quantum algorithm for LWE. In other words, while LWE can be related to a hidden subgroup problem in theory, the presence of errors in LWE samples means that Kuperberg’s technique doesn’t directly apply. To break ML-KEM, an attacker would need a quantum algorithm that can handle the noisy dihedral hidden subgroup problem – and no such algorithm is currently known.

Another reason Kuperberg’s algorithm isn’t a practical threat is its resource requirements. Even for the problems it does solve (the idealized DHSP), the algorithm is subexponential, not polynomial. Subexponential time might sound manageable for small examples, but in cryptography the problem sizes are enormous. ML-KEM is designed with parameters (like key sizes and lattice dimensions) that target security levels such as 128-bit security. This generally means an attacker would have to perform on the order of $$2^{128}$$ operations classically to break it. A subexponential-time quantum algorithm might reduce the effective exponent, but not remove it. For instance, suppose – optimistically – that the relevant hidden subgroup instance for Kyber could be solved in $$2^{c\sqrt{n}}$$ quantum steps (just as a ballpark figure). If $$n$$ corresponds to a 128-bit security level, $$\sqrt{n}$$ is about 11.3, so that would suggest on the order of $$2^{11.3c}$$ steps. If $$c$$ and the interpretation of $$n$$ were such that this was, say, $$2^{30}$$ or $$2^{40}$$ operations, that might be within reach of a future large quantum computer. But this back-of-envelope reasoning is likely far too optimistic – in practice the “$$n$$” for a lattice-based scheme might be larger (Kyber’s security involves a lattice of dimension 256 or higher and modulus $$q$$ around $$2^{12}$$, which make the group size in any hidden shift formulation astronomically large). More concretely, lattice attacks often involve solving problems in spaces of size $$q^n$$ or combinatorial objects with complexity exponential in $$n$$. Kuperberg’s algorithm would still face an exponential-in-$$\sqrt{n}$$ cost, which for lattice parameters (where $$n$$ can be a few hundred) is utterly infeasible. Thus, even if one tries to apply subexponential hidden shift algorithms to lattice cryptography, the absolute cost in time and required qubit count put it far beyond practical capability.

Moreover, Kuperberg’s algorithm demands a large number of qubits with long coherence. The original algorithm required storing on the order of $$2^{O(\sqrt{n})}$$ quantum states at once. Improved versions reduced the quantum memory requirement, but often at the expense of more computational steps or large classical memory. In any case, running these algorithms would require a quantum computer not only big enough to hold thousands (or millions) of qubits, but also capable of performing a huge number of operations in sequence (quantum circuit depth) without succumbing to decoherence or error. Current and near-future quantum hardware are nowhere close to this scale.

By comparison, breaking RSA-2048 with Shor’s algorithm is estimated to require a few thousand logical qubits and billions of operations – a daunting task, but one that’s conceptually within future reach. Breaking Kyber with a Kuperberg-type algorithm would likely require orders of magnitude more qubits or operations, given the subexponential (but still superpolynomial) scaling and the need to handle noisy data.

Lastly, it’s important to note that ML-KEM (Kyber) is not directly reducible to an instance of the dihedral hidden subgroup problem in the way that, say, factoring is reducible to an abelian HSP. While we can frame LWE in a hidden subgroup language for theoretical analysis, that doesn’t give an efficient way for an attacker to instantiate the needed oracle or perform the necessary quantum steps on real cryptographic ciphertexts. The “oracle” in DHSP algorithms provides a very particular quantum state (a uniform superposition over a coset of the hidden subgroup). In a real-world lattice KEM attack, one would have to create analogous superposition states from the public key or ciphertexts, but there’s no known procedure to do so deterministically due to the presence of randomness and error in those public values. So not only is the algorithm insufficient – we don’t even have the set-up to feed a lattice instance into a Kuperberg algorithm in a clean way.

In summary, Kuperberg’s algorithm is not a practical threat to ML-KEM (Kyber) because:

  1. it offers at best a subexponential speedup, which is still astronomically slow for cryptographic sizes;
  2. it would require an unrealistically large and noise-free quantum computer (with extensive quantum memory and operation depth) to implement; and
  3. lattice-based KEMs are built on problems with inherent noise and structure that lie outside the direct reach of Kuperberg’s current algorithm.

Indeed, as experts have pointed out, LWE corresponds to a non-abelian hidden subgroup problem (a dihedral group) for which no efficient quantum algorithms are known – existing algorithms like Kuperberg’s are not polynomial-time and thus “do not currently offer a pathway to a superior LWE solution”. This is a reassuring fact for the security of ML-KEM.

Comparison to Shor’s and Grover’s Quantum Algorithms

It’s useful to place Kuperberg’s algorithm in context with other famous quantum algorithms, particularly Shor’s and Grover’s, to understand their different impacts on cryptography:

Shor’s Algorithm

Peter Shor’s algorithm (1994) demonstrated that a quantum computer can factor large integers and compute discrete logarithms in polynomial time. These problems underlie the security of RSA and elliptic curve cryptography, respectively. Classically, factoring an $$n$$-digit number is believed to take sub-exponential to exponential time (and discrete log in, say, a 2048-bit prime field is similarly hard), but Shor’s quantum algorithm runs in time roughly $$O(n^3)$$ or better, which for practical key sizes is on the order of a few million operations – well within reach if a large quantum computer is built.

Shor’s algorithm is an instance of an abelian hidden subgroup algorithm – it leverages the structure of cyclic groups (like the integers mod $$N$$ under addition for factoring, or multiplicative groups of prime fields for discrete log) and uses the quantum Fourier transform on those abelian groups to find periods efficiently.

This is a polynomial speedup that completely changes the security landscape: RSA/ECC would be outright broken by a sufficiently powerful quantum computer running Shor’s algorithm.

Grover’s Algorithm

Lov Grover’s search algorithm (1996) is a more general quantum algorithm that provides a quadratic speedup for unstructured search problems. If an attacker needs to brute-force search through $$N$$ possibilities (e.g., trying all $$2^n$$ possible keys of an $$n$$-bit symmetric key), a classical attack takes $$O(N)$$ steps on average, whereas Grover’s algorithm can find a solution in $$O(\sqrt{N})$$ steps.

Importantly, Grover’s algorithm is provably optimal for unstructured search – we don’t expect any quantum algorithm to do significantly better than the square-root speedup in this scenario. For cryptography, this means that Grover’s algorithm can halve the effective security level: a 128-bit symmetric key (which would require $$2^{128}$$ trials to brute force classically) could be searched in about $$2^{64}$$ steps quantumly.

The implication is that we should double key sizes for symmetric algorithms in a post-quantum world (for instance, use 256-bit keys to target ~128-bit post-quantum security against Grover’s algorithm). Unlike Shor’s, Grover’s algorithm does not break cryptosystems outright; it just weakens them by a square-root factor.

It’s also worth noting that Grover’s algorithm is not specific to any particular problem – it’s a general-purpose method – and it requires an oracle that can recognize a correct solution. In practice, using Grover’s against a cipher like AES would entail implementing the entire cipher as a quantum circuit, which is non-trivial but conceivable for future quantum computers. Grover’s algorithm runs in time exponential in $$n$$ (specifically $$2^{n/2}$$ for an $$n$$-bit key search), so it’s not a polynomial-time algorithm in the input size; it’s just a substantial constant-factor speedup in the exponent.

Kuperberg’s Algorithm

As discussed, Kuperberg’s algorithm occupies a middle ground in some sense. It is specialized (like Shor’s algorithm) to a particular class of problems (hidden shift problems, particularly dihedral HSP), but its speedup is subexponential rather than fully polynomial. It dramatically outperforms brute force for those specific problems (much more than Grover’s quadratic speedup) – for example, turning an $$O(2^{n/2})$$ problem into roughly $$O(2^{c\sqrt{n}})$$  – yet it falls short of making those problems easy in the way Shor’s algorithm does for factoring.

In terms of complexity classes, Shor’s algorithm places factoring and discrete log in BQP (meaning solvable in polynomial time on a quantum computer), whereas Kuperberg’s algorithm suggests that DHSP is easier than brute force but not in BQP (since subexponential is still super-polynomial). Grover’s algorithm, likewise, doesn’t put NP-search problems in BQP, it just reduces the complexity slightly.

From a cryptographic perspective, Shor’s algorithm is the game-changer – it necessitates abandoning RSA, Diffie-Hellman, DSA, ECC, and any other trapdoor functions based on factoring or discrete logs once large quantum computers exist. Grover’s algorithm forces a quantitative tweak – using bigger keys for symmetric cryptography and hashing – but does not fundamentally upend the viability of those systems. Kuperberg’s algorithm, on the other hand, is more of a specialized threat: it tells us that if someone tried to base a cryptosystem on a problem closely related to a dihedral hidden shift, it wouldn’t be safe (at least not to the 128-bit level) because a quantum adversary could solve it faster than expected.

However, mainstream post-quantum algorithms, like lattice-based schemes (ML-KEM/Kyber) or code-based and hash-based schemes, are not built on problems known to reduce to the pure hidden shift in a straightforward way. Thus, Kuperberg’s algorithm is more of a concern for theoretical constructions or certain algebraic problems (such as some group-based or isogeny-based schemes) but is not a broad-spectrum breaker. It’s also a reminder that even non-abelian group problems might be somewhat accessible to quantum attacks – but in the case of lattices, the “non-abelian-ness” combined with noise thus far has kept them out of reach.

In summary, Shor’s, Grover’s, and Kuperberg’s algorithms illustrate three levels of quantum impact on cryptography:

  • Shor’s: Polynomial-time attack on specific number-theoretic problems – devastating for RSA/ECC (hence we migrate away from those).
  • Grover’s: Quadratic (square-root) speedup on brute-force search – necessitates larger symmetric key sizes but not a failure of the scheme.
  • Kuperberg’s: Subexponential-time attack on a special class of hidden shift problems – a significant speedup, but still too slow to break properly chosen post-quantum schemes like ML-KEM, and requiring enormous quantum resources to have any chance of working.

Conclusion

Kuperberg’s algorithm is an impressive quantum algorithmic achievement that expands the boundary of what quantum computers might do beyond the original realm of Shor’s algorithm. It demonstrates that even some non-trivial group problems (like the dihedral hidden subgroup problem) are easier for quantum computers than for classical ones, albeit not easy in an absolute sense. In the context of cryptography, Kuperberg’s result serves as a caution: it tells designers to avoid building cryptosystems on algebraic problems that secretly reduce to hidden shift instances.

Fortunately, lattice-based cryptography – and ML-KEM (Kyber) in particular – stands on much firmer ground. ML-KEM’s security is founded on LWE and lattice problems that have so far resisted all quantum algorithmic attacks except possibly modest subexponential ones that remain impractical. The consensus in the research community, supported by analysis from academic and standards bodies (like NIST), is that there is no known quantum algorithm that poses a practical threat to lattice-based schemes at this time. Kuperberg’s algorithm, with its exponential memory and time requirements and intolerance to noise, does not undermine the security of ML-KEM.

Photo of Marin Ivezic Marin Ivezic Follow on X Send an email September 1, 2014
16 minutes read
Photo of Marin Ivezic

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Bluesky
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap