Quantum computing is no longer a theoretical curiosity. Major technology companies and governments are investing billions in building quantum computers, and the progress is accelerating. For most applications, this is exciting news. For encryption, it is a looming crisis. Quantum computers, once sufficiently powerful, will be able to break the public-key encryption that secures virtually everything on the internet. This is not a question of if, but when.
The Quantum Threat Explained
Today's public-key cryptography relies on mathematical problems that are extraordinarily hard for classical computers to solve. RSA depends on the difficulty of factoring very large numbers. ECC (Elliptic Curve Cryptography) depends on the difficulty of the discrete logarithm problem on elliptic curves. Classical computers would need billions of years to solve these problems for key sizes currently in use.
Quantum computers change this equation with two algorithms:
- Shor's Algorithm: Published by mathematician Peter Shor in 1994, this quantum algorithm factors large integers and solves discrete logarithm problems in polynomial time, an exponential improvement over the best known classical algorithms. Published resource estimates put breaking a 2048-bit RSA key at hours to days on a machine with on the order of a million to tens of millions of noisy physical qubits, far beyond any machine built so far. This renders RSA, DSA, Diffie-Hellman, and every elliptic-curve scheme (ECDH, ECDSA, and the Curve25519-based X25519 and Ed25519) fundamentally insecure.
- Grover's Algorithm: This quantum algorithm gives a quadratic speedup for searching an unstructured space, so a brute-force search for a k-bit key costs about 2^(k/2) quantum operations instead of 2^k. On paper that halves every symmetric key length: AES-256 becomes equivalent to AES-128, and AES-128 to a 64-bit key. In practice the attack is far weaker than the paper figure: Grover's search is a long serial chain of quantum operations that cannot be split across many machines the way a classical brute-force search can, which is why NIST still uses AES-128 key search as the baseline security category for its post-quantum standards. AES-256 at an effective 128 bits remains far beyond brute force. Symmetric encryption is weakened but not broken.
The key distinction is this: asymmetric encryption (public-key) is broken by quantum computers. Symmetric encryption (AES) is weakened but survives. This means that doubling symmetric key lengths provides adequate protection, but entirely new algorithms are needed for public-key operations.
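As an added example (not from the original article), here is the classical half of Shor's reduction in Python: factoring n reduces to finding the period r of a random base a modulo n, and only that period-finding step needs a quantum computer. The brute-force find_order() below stands in for the quantum Fourier transform, which is why it only works for toy moduli; the values 15 and 3233 are constructed for the example.

```python
import math
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), for gcd(a, n) == 1.

    This is the period-finding step. Shor's algorithm finds r in polynomial
    time with the quantum Fourier transform; this classical loop costs O(r)
    modular multiplications, and r can be as large as n, so it is only
    feasible for toy moduli like the ones below.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int) -> tuple[int, int]:
    """Split an odd composite n into two non-trivial factors via order finding.

    Everything here except find_order() is the classical part of Shor's
    algorithm, exactly as it would run around a quantum period-finding core.
    """
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = random.randrange(2, n)
        g = math.gcd(a, n)
        if g != 1:
            return g, n // g                   # a already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                           # odd period: pick another a
        y = pow(a, r // 2, n)                  # y*y == 1 (mod n), y != 1 since r is the order
        if y == n - 1:
            continue                           # y == -1 (mod n) yields only trivial factors
        # y is a non-trivial square root of 1, so n divides (y-1)(y+1)
        # without dividing either factor: gcd(y - 1, n) is a proper divisor.
        p = math.gcd(y - 1, n)
        return p, n // p


if __name__ == "__main__":
    # Toy moduli (constructed for this example): 15 = 3*5 and the textbook RSA modulus 3233 = 53*61.
    for n in (15, 3233):
        p, q = shor_factor(n)
        print(f"{n} = {p} * {q}")
```

The loop around find_order() is the whole reason the threat is so acute: the number theory that turns a period into a factor is elementary and fast, and the one expensive step is precisely the one a quantum computer makes cheap.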
What's at Risk
The scope of the quantum threat is vast because public-key cryptography is embedded in nearly every digital security system:
- TLS/HTTPS: Every secure web connection uses public-key cryptography in the handshake, either to exchange or to agree on the session keys. If that key exchange is broken, an attacker who recorded the handshake can recover the session keys and decrypt the entire session. Ephemeral (forward-secret) key exchange does not help here: the ephemeral public keys are in the recording, and Shor's algorithm recovers the secret behind them just as it would a long-term key.
- Digital Signatures: Code signing, document signing, software update verification, and blockchain transactions all rely on digital signature algorithms (RSA, ECDSA) that are vulnerable to quantum attack.
- Email Encryption: PGP and S/MIME use RSA or ECC to wrap the per-message symmetric key and to sign messages. Both would be broken.
- VPNs and SSH: Secure remote access protocols rely on public-key cryptography for authentication and key exchange.
- Cryptocurrency: Bitcoin and Ethereum use ECDSA for transaction signing. A quantum computer could forge transactions by deriving private keys from public keys. The caveat is that the public key has to be visible: a Bitcoin pay-to-public-key-hash address exposes only a hash of the key until its first spend, whereas any key that has already signed a transaction (and every Ethereum account that has sent one, since the key is recoverable from the signature) is exposed on-chain permanently.
What is NOT fundamentally at risk: AES-256 for data at rest, SHA-256 and other hash functions (Grover cuts a preimage search from 2^256 to roughly 2^128 operations, still far out of reach), and properly implemented symmetric encryption in general. A file encrypted with AES-256 today will very likely remain secure against quantum attacks, provided the key itself was not exchanged or wrapped with vulnerable public-key cryptography.
The "Harvest Now, Decrypt Later" Threat
Perhaps the most urgent concern is not about future encryption but about data being transmitted today. Intelligence agencies and sophisticated adversaries may be recording encrypted communications now with the intention of decrypting them once quantum computers become available. This strategy is known as "harvest now, decrypt later" (HNDL). Bulk interception of encrypted traffic requires no new capability, so the working assumption built into government migration timelines is that it is already happening.
This matters most for data with long-term sensitivity:
- Government and Military Secrets: Classified information that must remain secret for decades.
- Medical Records: Patient health information remains sensitive for a lifetime.
- Financial Data: Trade secrets, merger negotiations, and strategic plans could be valuable years after they were transmitted.
- Personal Communications: Private conversations that could be used for blackmail or political leverage decades later.
- Legal Communications: Attorney-client privileged communications that could undermine legal proceedings.
The HNDL threat means that the quantum threat is not a future problem. It is a present problem for anyone transmitting data that needs to remain confidential for more than 10 to 15 years.
Post-Quantum Cryptography
The cryptographic community has been preparing for the quantum era for over a decade. In 2016, NIST (the National Institute of Standards and Technology) launched a multi-year process to evaluate and standardize post-quantum cryptographic (PQC) algorithms: algorithms that run on today's classical computers and protocols but are believed to resist both classical and quantum attacks.
In August 2024, NIST published three final standards (FIPS 203, 204, and 205):
- ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, FIPS 203): Based on CRYSTALS-Kyber. This is the primary replacement for RSA and ECDH key exchange. Its security rests on the hardness of lattice problems (Module-LWE), which are believed to resist quantum algorithms. ML-KEM is fast, and its keys are small compared with other PQC schemes though much larger than today's: an ML-KEM-768 public key is 1,184 bytes and a ciphertext 1,088 bytes, versus 32 bytes each for X25519. It is already deployed in hybrid TLS key exchange by major browsers and CDNs.
- ML-DSA (Module-Lattice-Based Digital Signature Algorithm, FIPS 204): Based on CRYSTALS-Dilithium. The primary replacement for RSA and ECDSA signatures. Also lattice-based, it balances performance and security for general-purpose signing, at the cost of size: an ML-DSA-65 signature is 3,309 bytes against 64 for ECDSA P-256 or Ed25519, which matters wherever several signatures travel together, as in a TLS certificate chain.
- SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, FIPS 205): Based on SPHINCS+. A hash-based signature scheme that serves as a backup built on different mathematical assumptions from the lattice schemes. If lattice problems turn out to be easier than expected, SLH-DSA remains, resting only on the well-understood security of hash functions. The price is size and speed: signatures run from roughly 8 KB to nearly 50 KB depending on the parameter set, and signing is slow, so it suits firmware and code signing better than interactive protocols.
These algorithms have undergone years of public scrutiny and cryptanalysis. While no algorithm can be proven secure (we can only say that no one has broken it yet), the PQC standards represent the best available defense against quantum attacks.
What You Should Do Now
The quantum transition will take years, but preparation should begin today. Here is what is actionable at different levels:
- For Individuals: Use AES-256 for file and disk encryption (already quantum-resistant for practical purposes). Use services that are adopting post-quantum cryptography, such as Signal (which has already deployed the PQXDH protocol) and Chrome (which negotiates hybrid X25519 plus ML-KEM key exchange by default). Keep your software updated, as PQC support is being rolled out through regular updates.
- For Organizations: Conduct a cryptographic inventory: where RSA, ECC and DH keys live (TLS certificates, SSH keys, code-signing keys, VPN configurations, embedded libraries), which protocols and libraries use them, and how long the data they protect must stay confidential. Prioritize data with long-term confidentiality requirements, since that is what HNDL targets. Plan for hybrid deployments that combine classical and post-quantum algorithms during the transition, and for crypto-agility so that the next algorithm swap is cheaper than this one. Test PQC algorithms in non-production environments first; the larger keys and signatures break assumptions about packet sizes, certificate lengths and storage.
- Watch for Hybrid TLS: Major browsers and servers deploy "hybrid" key exchange, combining a classical algorithm (X25519) with a PQC one (ML-KEM); the deployed group is named X25519MLKEM768. The shared secret is derived from both key agreements, so an attacker must break both: if either algorithm holds, the connection is secure. Browser developer tools and TLS clients that support the group (OpenSSL 3.5 and later) will show which key exchange a connection actually negotiated.
- Stay Informed, Do Not Panic: Published estimates put cryptographically relevant quantum computers 10 to 20 years away, though timelines are uncertain. The threat is real but not imminent for most people. NIST's draft transition guidance proposes deprecating RSA and ECC after 2030 and disallowing them after 2035, and the migration to PQC is underway, mostly through software updates to the services and protocols you already use.
The quantum threat to encryption is serious but manageable. The cryptographic community has anticipated this challenge and developed solutions. The transition will be one of the largest cryptographic migrations in history, but it is already in progress. Your role is to support it by keeping your systems updated, choosing services that take post-quantum security seriously, and ensuring that your most sensitive long-term data uses quantum-resistant encryption today.