How Quantum Computing Threatens Modern Encryption and What Comes Next
Quantum computers could break RSA and ECC encryption within decades. Learn how Shor's algorithm works, which systems are vulnerable, and how post-quantum standards are taking shape.
A Machine That Breaks Math
In October 2019, Google announced that its 53-qubit Sycamore processor had completed a specific computation in 200 seconds that would take the world's fastest classical supercomputer approximately 10,000 years. IBM disputed the claim, arguing the classical estimate was inflated. But the broader point stood: quantum computers solve certain problems using fundamentally different physics, and the performance gap grows exponentially with scale.
The problem for cybersecurity is straightforward. Modern encryption relies on mathematical problems that classical computers cannot solve efficiently. Quantum computers, using different algorithms, can. When sufficiently powerful quantum machines exist, the cryptographic foundations of internet security will break.
How Quantum Computers Differ from Classical Machines
A classical computer stores information in bits, each representing either 0 or 1. A quantum computer uses qubits, which exploit two quantum mechanical properties: superposition and entanglement.
Superposition allows a qubit to exist in a combination of 0 and 1 simultaneously. Entanglement links qubits so that the state of one instantly correlates with the state of another, regardless of distance. These properties allow quantum computers to explore many possible solutions in parallel rather than checking them one at a time.
- A system of n qubits can represent 2^n states simultaneously—10 qubits represent 1,024 states at once
- Quantum algorithms exploit interference to amplify correct answers and cancel wrong ones
- Not all problems benefit from quantum speedup—quantum computers are not universally faster
- The speedup is dramatic only for specific problem structures, including integer factoring and discrete logarithms
That specificity is both good and bad news. Bad because factoring and discrete logarithms are exactly the problems that secure RSA, Diffie-Hellman, and Elliptic Curve Cryptography. Good because symmetric encryption (AES) and hash functions are far less affected.
Shor's Algorithm: The Cryptographic Threat
Peter Shor, then at Bell Labs, published his quantum factoring algorithm in 1994. The algorithm exploits quantum parallelism to find the period of a modular exponential function—a step that, once completed, yields the prime factors through classical post-processing.
| Cryptosystem | Hard Problem | Classical Attack Complexity | Quantum Attack (Shor's) | Status |
|---|---|---|---|---|
| RSA-2048 | Integer factoring | ~2^112 operations | ~2^20 operations (polynomial) | Broken by large quantum computer |
| Diffie-Hellman | Discrete logarithm | ~2^112 operations | Polynomial with Shor's variant | Broken by large quantum computer |
| ECDSA (256-bit) | Elliptic curve discrete log | ~2^128 operations | Polynomial with Shor's variant | Broken by large quantum computer |
| AES-256 | Key search | 2^256 operations | 2^128 operations (Grover's) | Weakened but still secure |
| SHA-256 | Collision finding | 2^128 operations | 2^85 operations (Grover's) | Weakened but still secure |
The asymmetry is stark. Public-key systems based on factoring or discrete logs are catastrophically vulnerable. Symmetric systems and hash functions lose roughly half their security in bit terms but remain usable with larger key sizes.
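A worked illustration of the period-to-factors step described above, added here and not part of the original article: the quantum part of Shor's algorithm (finding the period r of a^x mod N) is replaced by a brute-force search that is only feasible for tiny N such as 15, 21 or 77, while the classical post-processing that turns r into factors is carried out exactly as the algorithm specifies. All function names are this example's own.

```python
import random
from math import gcd


def find_period(a: int, n: int) -> int:
    """Order of a modulo n: the smallest r >= 1 with a**r % n == 1.

    This is the step Shor's algorithm performs on a quantum computer with the
    quantum Fourier transform. Here it is simulated by brute force, which costs
    up to n multiplications and is therefore only feasible for tiny n.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(a: int, n: int, r: int):
    """Classical post-processing: if r is even and a**(r/2) != -1 (mod n),
    then gcd(a**(r/2) - 1, n) or gcd(a**(r/2) + 1, n) is a nontrivial factor.
    Returns None when this base a is unlucky and another must be tried."""
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_classical_sim(n: int, seed: int = 0, max_tries: int = 100) -> int:
    """Outer loop of Shor's algorithm for an odd composite n that is not a
    prime power: pick a random base, use a lucky gcd if there is one, else
    find the period and post-process it. The seed makes runs reproducible."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            return g  # a already shares a factor with n; no period needed
        p = factor_from_period(a, n, find_period(a, n))
        if p is not None:
            return p
    raise ValueError("no factor found; n may be prime or a prime power")
```

The brute-force loop in find_period is the part whose cost grows exponentially with the bit length of n on classical hardware; everything else in the block is cheap, which is why the quantum speedup on that single step breaks the whole scheme.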
When Will Quantum Computers Be Large Enough?
Running Shor's algorithm against RSA-2048 would require approximately 4,000 error-corrected logical qubits. Each logical qubit requires many physical qubits for error correction—estimates range from 1,000 to 10,000 physical qubits per logical qubit, depending on hardware quality. That means a cryptographically relevant quantum computer needs millions of physical qubits.
The current state of quantum hardware as of early 2025:
- IBM's Condor processor: 1,121 superconducting qubits
- Google's Sycamore: 53 qubits (used in the 2019 quantum supremacy demonstration)
- Quantinuum's trapped-ion systems: approximately 56 qubits with industry-leading error rates
- Error rates for individual operations remain around 0.1% to 1%—far too high for running Shor's algorithm without massive error correction overhead
Most expert surveys place the timeline for a cryptographically relevant quantum computer between 2035 and 2050. Some researchers are more pessimistic, suggesting fundamental engineering barriers could delay it further. Nobody credible claims it will never happen.
The Harvest Now, Decrypt Later Problem
State intelligence agencies and sophisticated adversaries may already be collecting encrypted data transmissions—diplomatic cables, military communications, trade secrets, personal data—and storing them. When a sufficiently powerful quantum computer becomes available, they can decrypt the archived data retroactively.
This "harvest now, decrypt later" strategy means the quantum threat is not a future problem. It is a present one. Data that needs to remain confidential for 10, 20, or 30 years is already at risk if transmitted under quantum-vulnerable encryption today.
| Data Type | Required Confidentiality Period | Quantum Risk Window |
|---|---|---|
| Military/intelligence communications | 25–50+ years | Already at risk |
| Health records | Lifetime of patient (50+ years) | Already at risk |
| Trade secrets | 10–30 years | At risk if quantum arrives by 2045 |
| Financial transactions | 3–7 years | Low risk unless quantum arrives by 2032 |
| Web browsing (general) | Minimal | Low risk for most users |
NIST's Post-Quantum Standards
The U.S. National Institute of Standards and Technology began evaluating post-quantum cryptographic algorithms in 2016, receiving 82 submissions from research teams worldwide. After three rounds of analysis, NIST announced its first selections in July 2022 and published final standards in August 2024.
The selected algorithms rely on mathematical problems with no known efficient quantum solutions:
- ML-KEM (formerly CRYSTALS-Kyber): A key encapsulation mechanism based on the Module Learning With Errors problem over lattices. Recommended for general encryption and TLS key exchange.
- ML-DSA (formerly CRYSTALS-Dilithium): A digital signature scheme, also lattice-based. Recommended as the primary signature algorithm.
- SLH-DSA (formerly SPHINCS+): A stateless hash-based signature scheme. Included as a conservative backup—its security relies only on hash function properties, not lattice assumptions.
- FN-DSA (formerly FALCON): An NTRU lattice-based signature scheme selected for applications requiring smaller signatures than ML-DSA.
Lattice-based cryptography dominates the selections. The underlying problems involve finding short vectors in high-dimensional lattices—a task believed hard for both classical and quantum computers. The "believed" is important. These problems lack the centuries of study that factoring has received.
The Migration: Harder Than It Sounds
Replacing cryptographic algorithms across the global internet is not a software update. It touches every protocol, every library, every hardware security module, and every certificate authority. The migration timeline will span a decade or more.
Hybrid approaches are already being deployed. Google's Chrome browser began testing a hybrid key exchange combining X25519 (classical ECC) with ML-KEM (post-quantum) in 2023. Cloudflare followed. Apple announced PQ3, a post-quantum protocol for iMessage, in February 2024. Signal adopted the PQXDH protocol using ML-KEM in September 2023.
- Hybrid schemes ensure that even if the post-quantum algorithm is broken, the classical algorithm provides a fallback
- Post-quantum keys and signatures are significantly larger than their classical counterparts—ML-KEM public keys are 1,568 bytes versus 32 bytes for X25519
- The larger sizes increase bandwidth, latency, and storage requirements, particularly for constrained IoT devices
- Legacy systems—embedded devices, industrial control systems, satellites—may be impossible to update and will require gateway-based protection
The transition is underway. It is also the largest coordinated change in cryptographic infrastructure since the internet adopted public-key cryptography in the 1990s. The organizations that start early will be protected. Those that wait may find their encrypted archives exposed by a technology that, when Shor published his paper in 1994, seemed purely theoretical.