Grover's algorithm

Grover's algorithm is a quantum search algorithm, published by Lov Grover in 1996, that finds a marked item among N unsorted possibilities in roughly the square root of N steps. Applied to cryptography, it speeds up brute force key search quadratically, which weakens symmetric ciphers and hash functions but, unlike Shor's algorithm, does not break them outright.

How it works

Grover's algorithm treats a search problem as a black-box function that marks the correct answer, then uses amplitude amplification to boost the probability of measuring that answer (Grover 1996). Each iteration applies the function once and reflects the quantum state around the average amplitude; after about the square root of N iterations, measurement returns the marked item with high probability. The quadratic speedup is provably optimal: no quantum algorithm can solve unstructured search faster (Bennett et al. 1997), so there is no risk of a future exponential improvement for this class of attack.

Effect on symmetric cryptography and hashes

For a cipher with a k-bit key, classical brute force takes about 2^k trial decryptions. Grover reduces the count to about 2^(k/2), which in query-counting terms halves the effective key length (NIST security levels).

Primitive Classical attack cost Grover query cost Assessment
AES-128 key search 2^128 about 2^64 Theoretically degraded, still hard in practice
AES-256 key search 2^256 about 2^128 Secure with wide margin
SHA-256 preimage 2^256 about 2^128 Secure with wide margin
SHA-256 collision 2^128 no practical quantum gain Secure

For hash functions, Grover applies to preimage search. For collisions, the Brassard-Hoyer-Tapp algorithm achieves 2^(n/3) queries in theory but requires enormous quantum-accessible memory, and analyses conclude that classical parallel collision search remains the cheaper attack in any realistic cost model.

Why Grover is less practical than the exponent suggests

The 2^(k/2) figure counts oracle queries, not real cost, and three constraints make actual quantum key search far more expensive.

First, each Grover iteration must run the entire cipher as a reversible quantum circuit: attacking AES-128 means executing on the order of 2^64 sequential, error-corrected quantum evaluations of AES. At any plausible gate speed that serial chain takes astronomically long. Second, Grover parallelizes badly. Splitting the search across M machines yields only a factor of about the square root of M in speedup, whereas classical search parallelizes linearly, so an attacker cannot buy time with hardware the way classical brute force allows (Fluhrer 2017). Third, error correction inflates every logical operation into many physical ones (quantum computer, logical qubit).

NIST's evaluation framework encodes these limits: its call for proposals defines security categories against AES key search and SHA collision search under an explicit circuit-depth cap (MAXDEPTH), reflecting that unbounded serial Grover runs are physically unrealistic (NIST 2016). NIST's own report on post-quantum cryptography concluded that larger key sizes suffice for symmetric algorithms (NIST IR 8105).

Practical guidance

The consensus is that symmetric cryptography needs parameter review, not replacement. AES-256 and SHA-384 or SHA-512 provide comfortable margins under any quantum cost model, and AES-128 remains hard to attack in practice even though its nominal quantum security is degraded. The NSA's CNSA 2.0 suite mandates AES-256 and SHA-384 or SHA-512 for national security systems as a conservative margin (NSA CNSA 2.0).

This is why post-quantum cryptography concentrates on public-key cryptography: Grover's quadratic dent in symmetric primitives is manageable with key sizes, while Shor's exponential break of RSA and elliptic curves requires entirely new algorithms such as ML-KEM and ML-DSA.

Grover's algorithm also retains significance beyond key search. Amplitude amplification is a building block inside many other quantum algorithms, and the Grover query bound anchors the security categories used throughout the NIST evaluation process. For cryptographic practice, its lesson has been stable for three decades: quantum computers force a parameter review for symmetric primitives, not a redesign.

Sources

  1. A fast quantum mechanical algorithm for database search (arXiv, 1996)
  2. Reassessing Grover's Algorithm (IACR ePrint, 2017)
  3. NIST IR 8105, Report on Post-Quantum Cryptography (NIST, 2016)
  4. Post-Quantum Cryptography Standardization: Call for Proposals (NIST, 2016)
  5. Strengths and Weaknesses of Quantum Computing (arXiv, 1997)
  6. Post-Quantum Cybersecurity Resources (CNSA 2.0) (NSA, 2022)
Cite this entry
"Grover's algorithm." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/grovers-algorithm@misc{pqwiki-grovers-algorithm, title = {Grover's algorithm}, howpublished = {\url{https://postquantum.wiki/grovers-algorithm}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }