The Quantum Horizon
The computers that could unravel today's crypto — and the standards racing to replace it.
01 Why a quantum computer scares RSA and ECC
The public-key crypto securing the internet rests on problems that are hard for classical computers: factoring huge numbers (RSA) and elliptic-curve discrete logs (ECC). In 1994 mathematician Peter Shor showed that a sufficiently large quantum computer could solve both problems efficiently. Shor's algorithm does not chip away at RSA — it demolishes it, turning an infeasible computation into a merely large one.
This is not a minor tuning problem. It means RSA, Diffie-Hellman, and ECC — the entire foundation of key exchange and digital signatures — would be broken outright by a capable quantum machine. Every TLS handshake, code signature, and public-key-encrypted secret built on them becomes readable.
The saving grace, for now, is engineering. Shor's algorithm requires a large, fault-tolerant quantum computer — likely millions of stable physical qubits to correct errors — and today's machines have only a few hundred noisy qubits. No one has factored a cryptographically relevant number. But the direction of travel is clear, and the field is treating the threat as a matter of when, not if.
02 Grover's algorithm and the symmetric reprieve
Symmetric crypto and hashing get off far lighter. The relevant quantum attack is Grover's algorithm (1996), which speeds up brute-force search — but only quadratically. It effectively halves the security level of a symmetric key: a quantum attacker running Grover against AES-128 would need roughly the work of a classical attack on a 64-bit key, and against AES-256 roughly a 128-bit effort.
The response is refreshingly simple: use bigger keys. AES-256 retains about 128 bits of security against Grover, which is comfortably out of reach. Hash functions are similar — prefer longer digests like SHA-384 or SHA-512 for long-term margin.
| Primitive | Quantum threat | Response |
|---|---|---|
| RSA / ECC / DH | Shor — completely broken | Replace with post-quantum algorithms |
| AES-128 | Grover — halved to ~64-bit | Move to AES-256 |
| AES-256 | Grover — ~128-bit remaining | Already safe |
| SHA-256 / SHA-3 | Grover — reduced margin | Use longer digests where paranoid |
03 Harvest now, decrypt later
If large quantum computers are still years away, why act now? Because of an attack that is happening in the present tense: harvest now, decrypt later (sometimes "store now, decrypt later").
An adversary does not need a quantum computer today to benefit from one tomorrow. They can record vast volumes of encrypted traffic now — VPN sessions, TLS connections, intercepted messages — and simply archive it. When a capable quantum computer arrives, they retroactively decrypt everything protected by RSA or ECC key exchange. Intelligence agencies with the storage budgets to do this are widely assumed to be doing exactly that.
This reframes the timeline. The relevant question is not "when will quantum computers break RSA?" but "how long must my data stay secret, and will that window overlap with the arrival of quantum computers?" Anything with a long confidentiality lifetime — state secrets, medical records, genetic data, source code, long-term contracts — is at risk today, even though the decryption happens later.
04 The NIST post-quantum standards
Anticipating this, NIST ran a multi-year open competition, starting in 2016, to standardize post-quantum cryptography (PQC) — algorithms based on math believed hard for both classical and quantum computers. In August 2024 it published the first finalized standards:
- FIPS 203 — ML-KEM, based on CRYSTALS-Kyber. A key-encapsulation mechanism for establishing shared keys — the post-quantum replacement for Diffie-Hellman/ECDHE.
- FIPS 204 — ML-DSA, based on CRYSTALS-Dilithium. A digital signature scheme — a replacement for RSA and ECDSA signatures.
- FIPS 205 — SLH-DSA, based on SPHINCS+. A hash-based signature scheme offering a conservative, structurally different backup.
Kyber and Dilithium are both lattice-based, drawing security from the hardness of problems over mathematical lattices. Lattice schemes are efficient but come with a cost: larger keys and ciphertexts than ECC, which complicates fitting them into existing protocols. The field also stays humble — an earlier candidate, SIKE, was classically broken in 2022, a reminder that "post-quantum" does not mean "proven unbreakable."
05 Crypto-agility: designing for the swap
The deepest lesson of the quantum transition is not about any single algorithm — it is about crypto-agility: building systems that can swap cryptographic algorithms without a painful rewrite. Historically, algorithms got hard-coded into protocols and products, so migrating away from MD5, SHA-1, or SSL 3.0 took a decade or more. Post-quantum migration cannot afford that pace.
Practitioners are deploying PQC in hybrid mode first: combining a classical algorithm with a post-quantum one so a connection stays secure as long as either holds. In 2023 and 2024, Google Chrome and Cloudflare rolled out hybrid key exchange combining X25519 with ML-KEM (X25519MLKEM768) across a large share of TLS traffic — the largest real-world PQC deployment to date. Hybrids hedge against the chance that a young post-quantum algorithm harbors an undiscovered flaw.
Assume every algorithm you deploy will someday be broken. Design so that replacing it is a configuration change, not an archaeology project.
⌘ Field Glossary
- Shor's algorithm
- A 1994 quantum algorithm that efficiently factors integers and solves discrete logarithms, breaking RSA, Diffie-Hellman, and ECC once a large fault-tolerant quantum computer exists.
- Grover's algorithm
- A 1996 quantum search algorithm giving only a quadratic speedup, effectively halving symmetric key strength. Countered simply by doubling key length (use AES-256).
- Harvest now, decrypt later
- An attack in which adversaries record encrypted traffic today to decrypt it once quantum computers mature. It puts long-lived secrets at risk in the present.
- Post-quantum cryptography (PQC)
- Cryptographic algorithms designed to resist both classical and quantum attacks. Standardized by NIST in 2024 as FIPS 203, 204, and 205.
- ML-KEM (Kyber)
- The lattice-based key-encapsulation standard (FIPS 203), derived from CRYSTALS-Kyber. The post-quantum replacement for Diffie-Hellman key exchange.
- ML-DSA (Dilithium)
- The lattice-based digital signature standard (FIPS 204), derived from CRYSTALS-Dilithium. A post-quantum replacement for RSA and ECDSA signatures.
- Crypto-agility
- Designing systems so cryptographic algorithms can be replaced with minimal disruption. Often deployed via hybrid classical-plus-PQC modes during the transition.
Knowledge Check
Field Assessment
01 Which cryptographic systems does Shor's algorithm break, and how badly?
02 What is the effect of Grover's algorithm on AES-256?
03 Why is 'harvest now, decrypt later' a threat even before large quantum computers exist?