
The Quantum Threat: How Quantum Computing Could Break Modern Encryption
What Is the Quantum Threat to Encryption?
The quantum threat refers to the looming possibility that sufficiently powerful quantum computers will one day crack the encryption protecting passwords, banking data, medical records, and state secrets. RSA and ECC—the algorithms guarding most of today's internet traffic—rely on mathematical problems that classical computers struggle to solve. Quantum machines don't play by those rules. This post breaks down how quantum computing undermines modern security, what's at stake, and what you can do now to stay ahead of the curve.
How Does Quantum Computing Break Encryption?
Quantum computers exploit quantum mechanics—superposition and entanglement—to process information in ways classical computers simply can't match. While your laptop manipulates bits as 0s or 1s, quantum bits (qubits) exist in multiple states simultaneously. That doesn't make them "faster" computers in the traditional sense. Instead, they solve specific problem types exponentially quicker.
Shor's algorithm, developed by mathematician Peter Shor in 1994, demonstrates how a quantum computer factors large integers efficiently. RSA encryption—the backbone of SSL/TLS certificates securing HTTPS websites—depends on the difficulty of factoring massive numbers. A sufficiently powerful quantum machine running Shor's algorithm could break RSA-2048 (the current standard) in hours rather than billions of years.
Elliptic Curve Cryptography (ECC), used by Bitcoin, Ethereum, and Apple's Secure Enclave, faces similar vulnerabilities. The Elliptic Curve Discrete Logarithm Problem—the mathematical foundation ECC relies upon—also falls to Shor's algorithm. The implications cascade across every system depending on these primitives.
Here's the thing: quantum computers capable of breaking current encryption don't exist yet. IBM's Condor processor boasts 1,121 qubits. Google's Willow chip made headlines for error correction breakthroughs. But breaking RSA-2048 requires roughly 20 million qubits running error-corrected operations. Current hardware sits thousands of times below that threshold.
That said, the threat isn't theoretical—it's a matter of timing. Data harvested today (often called "harvest now, decrypt later" attacks) gets stored by adversaries anticipating future quantum capabilities. Secrets with long shelf lives—government intelligence, infrastructure designs, sensitive personal archives—face immediate exposure risks even before quantum machines mature.
Which Encryption Methods Will Quantum Computers Crack?
Not all cryptography falls to quantum attacks. The vulnerability depends entirely on which mathematical problem secures the key exchange or signature. Symmetric encryption and certain hash-based methods survive quantum scrutiny better than their asymmetric counterparts.
Symmetric encryption—AES, ChaCha20—faces reduced security margins but remains viable. Grover's algorithm (quantum search) effectively halves the bit strength of symmetric keys. AES-256 drops to roughly AES-128-equivalent security. That's concerning, not catastrophic. Doubling key lengths restores protection.
Hash functions—SHA-256, SHA-3—similarly degrade but don't collapse. SHA-256 withstands quantum attacks better than RSA because finding collisions remains computationally demanding even with quantum assistance.
Asymmetric encryption—RSA, Diffie-Hellman, ECC—represents the real crisis point. These protocols secure key exchanges, digital signatures, and certificate validation. Their mathematical foundations crumble under Shor's algorithm.
| Algorithm Type | Example | Quantum Vulnerability | Mitigation |
|---|---|---|---|
| RSA | RSA-2048, RSA-4096 | Broken by Shor's algorithm | Replace with post-quantum alternatives |
| ECC | P-256, Curve25519 | Broken by Shor's algorithm | Lattice-based or hash-based replacements |
| Diffie-Hellman | DH, ECDH | Broken by Shor's algorithm | CRYSTALS-Kyber key encapsulation |
| AES (symmetric) | AES-128, AES-256 | Strength halved (Grover's) | Use AES-256 minimum |
| SHA-2/SHA-3 (hash) | SHA-256, SHA-3 | Strength roughly halved | Increase output length |
The catch? Most real-world systems combine multiple algorithm types. Your VPN handshake probably uses ECDH for key exchange and AES for data encryption. Quantum computers threaten the key exchange portion immediately—rendering the AES encryption irrelevant if the key gets exposed.
What Are Post-Quantum Cryptography Standards?
The National Institute of Standards and Technology (NIST) spent seven years evaluating quantum-resistant algorithms. In August 2024, NIST finalized its first three post-quantum cryptography (PQC) standards: FIPS 203, 204, and 205. These specifications give organizations concrete replacements for vulnerable classical algorithms.
CRYSTALS-Kyber (now ML-KEM in FIPS 203) is a key encapsulation mechanism that takes over the role RSA and Diffie-Hellman play in key exchange. It's fast, compact, and efficient enough for TLS handshakes, VPN tunnels, and encrypted messaging. Unlike RSA or Diffie-Hellman, ML-KEM relies on lattice-based mathematics—specifically, the hardness of the Module Learning With Errors (MLWE) problem. No known quantum algorithm solves MLWE efficiently.
CRYSTALS-Dilithium (now ML-DSA in FIPS 204) handles digital signatures. Code signing, certificate authorities, and blockchain transactions can transition to this lattice-based alternative. The signatures run larger than ECDSA—roughly 2-4KB versus 64 bytes—but the security trade-off proves worthwhile.
SPHINCS+ (now SLH-DSA in FIPS 205) offers a hash-based signature alternative. Hash functions enjoy better-understood security properties than lattice assumptions. SPHINCS+ signatures balloon to 8KB or larger—impractical for bandwidth-constrained environments but valuable for high-assurance scenarios requiring conservative security choices.
Worth noting: NIST continues evaluating additional algorithms. NIST's August 2024 announcement emphasized this is merely round one. Falcon—another lattice-based signature scheme—and several code-based candidates remain under consideration for future standardization.
When Will Quantum Computers Actually Threaten Encryption?
Predictions vary wildly. MIT Technology Review surveyed experts in early 2024—estimates ranged from five years to never. The consensus clusters around "cryptographically relevant quantum computers" (CRQC) arriving sometime between 2030 and 2040.
IBM's roadmap targets 100,000 qubits by 2033. That won't break RSA alone—error correction overhead demands millions of physical qubits for each logical qubit performing useful computation. But hardware improvements compound. Each generation brings better coherence times, lower error rates, and novel architectures.
Governments aren't waiting. The NSA's Commercial National Security Algorithm Suite 2.0 mandates post-quantum migration for national security systems by 2030. The timeline pressures contractors and vendors supporting classified infrastructure.
The private sector moves slower. Enterprise IT teams juggle thousands of legacy systems—mainframes running COBOL, embedded industrial controllers, aging VPN concentrators. Each requires cryptographic inventory, compatibility testing, and coordinated replacement. OpenSSL 3.2 added preliminary ML-KEM support in late 2023. Cloud providers—AWS, Azure, Google Cloud—offer opt-in post-quantum TLS configurations, but adoption remains voluntary.
Small organizations face particular challenges. Unlike Alphabet or JPMorgan Chase, most businesses lack dedicated cryptography teams. They depend on vendor updates—Chrome, Firefox, OpenSSL, Windows—to deliver quantum-resistant defaults. That dependency creates lag. Browser vendors balance compatibility concerns against security urgency. Breaking older clients by mandating PQC prematurely causes business disruption.
That said, procrastination carries risks. Migration timelines stretch years. Organizations handling data with 10-plus year confidentiality requirements—healthcare records, patent applications, classified intelligence—must start inventorying cryptographic dependencies now. The cost of rushed emergency replacement dwarfs orderly, planned transitions.
How Can You Prepare for the Quantum Threat?
Immediate action isn't panic—it's prudent risk management. Several concrete steps reduce exposure without requiring quantum physics expertise.
Audit cryptographic inventory. Map where your organization uses RSA, ECC, and Diffie-Hellman. Certificate transparency logs, network scanners, and software bill of materials (SBOM) tools help. Document key lengths, algorithm versions, and data sensitivity classifications. Focus attention on systems protecting information requiring decades-long confidentiality.
Prioritize "harvest now, decrypt later" risks. Intelligence agencies and sophisticated criminals vacuum encrypted traffic from undersea cables, Wi-Fi networks, and compromised routers. If your data remains sensitive in 2035, consider it already exposed. Separate truly long-term secrets from ephemeral communications requiring only short-term protection.
Enable hybrid post-quantum modes where available. Chrome, Edge, and Firefox support experimental post-quantum key exchange in TLS 1.3. Cloudflare's deployment combines X25519 (classical) with Kyber-768 (post-quantum). An attacker must break both simultaneously—protecting against current threats while future-proofing against quantum advances.
Pressure vendors for PQC roadmaps. Your security software, VPN appliances, and cloud providers should articulate migration plans. Request timelines for ML-KEM and ML-DSA support. Vote with procurement dollars—favor vendors demonstrating concrete post-quantum commitments.
Update key management practices. Quantum-resistant algorithms often require larger key sizes and different handling procedures. Hardware security modules (HSMs), such as Thales devices and the YubiHSM, need firmware updates. Key rotation intervals may require adjustment. Test these operational changes before quantum emergencies force hasty implementations.
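As an added example (not code from the original post), the triage below turns the audit and "harvest now, decrypt later" steps into a repeatable check: it applies the vulnerability table (Shor breaks RSA/ECC/DH outright, Grover roughly halves symmetric and hash strength, the NIST PQC algorithms keep their level) together with Mosca's rule of thumb that migration is urgent once data shelf life plus migration time exceeds the time remaining until a CRQC. The CRQC_YEAR of 2035, the three-year MIGRATION_YEARS, and the inventory rows are constructed assumptions, not figures from the post.

```python
"""Quantum-exposure triage for a cryptographic inventory: an added example, not
code from the original post. Shor breaks RSA/ECC/DH, Grover roughly halves
symmetric and hash strength, NIST PQC keeps its level (the post's table)."""
import csv, io

CRQC_YEAR = 2035        # assumed CRQC arrival, inside the post's 2030-2040 window
MIGRATION_YEARS = 3     # assumed time to swap an algorithm once work starts
MIN_BITS = 128          # smallest post-quantum security margin we accept

SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "ECC"}
GROVER_HALVED = {"AES", "CHACHA20", "SHA-256", "SHA-3"}
PQC_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}

def effective_bits(algorithm: str, bits: int) -> int:
    """Security level that survives a quantum adversary."""
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return 0              # Shor's algorithm: no useful margin remains
    if alg in GROVER_HALVED:
        return bits // 2      # Grover's search: strength roughly halved
    if alg in PQC_SAFE:
        return bits           # no known quantum speedup
    raise ValueError(f"unknown algorithm: {algorithm}")

def triage(algorithm: str, bits: int, sensitive_until: int) -> str:
    """Verdict for one entry; sensitive_until is the last year the data must stay secret."""
    margin = effective_bits(algorithm, bits)
    if margin == 0:
        # Harvest now, decrypt later: ciphertext captured today becomes readable
        # once a CRQC exists, so long-lived secrets migrate first (Mosca's rule).
        if sensitive_until + MIGRATION_YEARS > CRQC_YEAR:
            return "MIGRATE NOW"
        return "SCHEDULE"     # still Shor-broken; replace before CRQC_YEAR
    if margin < MIN_BITS:
        return "INCREASE SIZE"  # AES-128 keeps only ~64 bits after Grover
    return "OK"

# Constructed inventory in the shape a scanner or SBOM export might emit.
INVENTORY_CSV = """system,algorithm,bits,sensitive_until
vpn-concentrator key exchange,ECDH,256,2028
patient-archive key wrapping,RSA,2048,2045
backup-tape encryption,AES,128,2040
internal-tls key exchange (hybrid),ML-KEM,192,2040
"""

def triage_inventory(text: str = INVENTORY_CSV) -> dict:
    """Map each system name to its verdict."""
    return {r["system"]: triage(r["algorithm"], int(r["bits"]), int(r["sensitive_until"]))
            for r in csv.DictReader(io.StringIO(text))}
```

Run `triage_inventory()` against a real export to get the prioritised list; the RSA key wrapping of a 2045 archive is the kind of entry that must move first.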
The quantum threat won't arrive as a sudden catastrophe. It emerges gradually—through better qubits, refined algorithms, and mounting decryption capabilities. Organizations treating post-quantum migration as standard technical debt—something to address "eventually"—risk discovering their encryption has already been broken by adversaries patient enough to wait.
Detroit's manufacturing heritage offers a relevant parallel. Automakers didn't retool overnight for electric vehicles. The transition required years of supply chain preparation, workforce training, and infrastructure investment. Post-quantum cryptography demands similar foresight. Start now. Test early. The alternative—discovering your "secure" communications were readable all along—isn't a risk worth taking.
