The quantum computing timeline for breaking current encryption is closer than most people realize, with credible estimates placing cryptographically relevant quantum computers somewhere between 2030 and 2040. That window is tight enough that governments, banks, and security teams are already treating it as an active threat rather than a distant hypothetical. If you're responsible for data that needs to stay secret for more than a decade, this affects you right now.
Why Quantum Computers Threaten Encryption
Classical computers break encryption by brute force, trying every possible key. With a 256-bit key, that's 2^256 combinations, which is computationally impossible for any classical machine. Quantum computers change the math entirely using two algorithms:
- Shor's algorithm: Factors large integers and computes discrete logarithms exponentially faster than classical methods. This directly breaks RSA, Diffie-Hellman, and elliptic curve cryptography (ECC) because their security depends on exactly those hard math problems.
- Grover's algorithm: Speeds up brute-force search with a quadratic speedup. A 256-bit symmetric key becomes roughly as hard to crack as a 128-bit key would be classically. Annoying, but manageable by doubling key lengths.
The critical distinction is this: Shor's algorithm doesn't just speed things up, it fundamentally dissolves the mathematical foundation that RSA and ECC are built on. A sufficiently powerful quantum computer running Shor's algorithm could factor the 2048-bit RSA keys used in HTTPS, email encryption, and digital signatures in hours rather than billions of years. This is what makes the quantum RSA threat so serious.
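To make the "dissolves the mathematical foundation" point concrete, here is the classical skeleton of Shor's algorithm on toy-sized integers. This is an added illustration, not code from the original article: factoring N reduces to finding the multiplicative order (period) r of a random base a modulo N, and the quantum computer contributes only that period-finding step. The brute-force find_period() below is a stand-in for the quantum subroutine, which is precisely why this program can factor 15 or 3233 but no classical machine can factor RSA-2048 this way.

```python
"""The classical skeleton of Shor's algorithm on toy-sized integers.

Added illustration, not code from the original article. Factoring N reduces
to finding the multiplicative order (period) r of a random base a modulo N;
the quantum computer contributes only that period-finding step, and the rest
is cheap classical arithmetic. find_period() is a brute-force stand-in for
the quantum subroutine: it can take up to N steps, i.e. exponential in the
bit length of N, which is what makes RSA safe against classical machines.
"""
from math import gcd
import random


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (requires gcd(a, n) == 1).

    A quantum computer finds r in polynomial time with the quantum Fourier
    transform; classically this loop is exponential in the bit length of n.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 1) -> tuple[int, int]:
    """Return a non-trivial factorization (p, q) of an odd composite n.

    Classical post-processing of Shor's algorithm: pick a base a, obtain its
    period r, and when r is even and a**(r/2) is not -1 mod n, the value
    gcd(a**(r/2) - 1, n) is a proper factor of n (its square is 1 mod n but
    it is neither 1 nor -1, so n cannot divide either a**(r/2) +/- 1 alone).
    """
    if n % 2 == 0:
        return 2, n // 2
    rng = random.Random(seed)         # fixed seed keeps the demo reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g, n // g          # lucky base already shares a factor
        r = find_period(a, n)         # the only step that needs a quantum computer
        if r % 2:
            continue                  # odd period: pick another base
        half = pow(a, r // 2, n)
        if half == n - 1:
            continue                  # trivial square root of 1: pick again
        p = gcd(half - 1, n)
        return p, n // p


if __name__ == "__main__":
    for n in (15, 21, 3233):
        print(n, "=", "*".join(map(str, shor_factor(n))))
```

Everything in shor_factor() except the call to find_period() runs in polynomial time on an ordinary CPU; swap the brute-force loop for quantum order finding and the same post-processing factors a 2048-bit modulus.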
Realistic Quantum Computing Timeline
To break RSA-2048 using Shor's algorithm, researchers estimate you need roughly 4,000 logical qubits with very low error rates. Current state-of-the-art machines have thousands of physical qubits but far fewer logical (error-corrected) qubits because quantum systems are noisy and require many physical qubits to represent one reliable logical qubit.
Here is where the major players stand and where the field is projected to go:
| Milestone | Estimated Timeframe | What It Means |
|---|---|---|
| 1,000+ physical qubits (achieved) | 2023 (IBM Condor: 1,121 qubits) | Proof of scale, but error rates still too high for cryptographic tasks |
| Fault-tolerant logical qubits | 2027-2030 | First machines capable of sustained, reliable computation |
| Cryptographically relevant quantum computer (CRQC) | 2030-2040 | Can break RSA-2048 in hours; current public-key encryption is obsolete |
| Widespread CRQC availability | 2035-2045 | Nation-states and well-funded actors have routine access |
The U.S. National Institute of Standards and Technology (NIST) has been operating on the assumption that a CRQC is plausible within 10-15 years. That's not a guarantee, but it's the working threat model for critical infrastructure. Some independent researchers, including a 2022 paper from Craig Gidney and Martin Ekerå, showed that breaking RSA-2048 might require fewer resources than previously thought, making the timeline potentially shorter.
"Harvest Now, Decrypt Later": The Threat That's Already Here
Here's the part that makes the quantum computing threat urgent today, not in 2035. Adversaries don't need a quantum computer right now to exploit the future encryption vulnerability. They just need to collect encrypted data now and store it until a CRQC exists.
This "harvest now, decrypt later" strategy means:
- Intelligence agencies (and likely some criminal organizations) are already intercepting and archiving encrypted traffic.
- Any data encrypted with RSA or ECC today that needs to remain secret for 10+ years is already at risk.
- Healthcare records, legal documents, government communications, financial data, and long-term intellectual property are prime targets.
This is why the White House issued a National Security Memorandum in 2022 directing U.S. federal agencies to begin inventorying their cryptographic systems and planning migration. The threat isn't theoretical once adversaries start collecting your ciphertext today.
What Breaks and What Survives
Not all encryption is equally vulnerable. Understanding which algorithms are at risk helps you prioritize your data migration plan.
| Algorithm | Type | Quantum Threat | Verdict |
|---|---|---|---|
| RSA-2048 / RSA-4096 | Public-key | Broken by Shor's algorithm | Replace |
| ECC (P-256, P-384) | Public-key | Broken by Shor's algorithm | Replace |
| Diffie-Hellman / ECDH | Key exchange | Broken by Shor's algorithm | Replace |
| AES-128 | Symmetric | Weakened by Grover's (effective 64-bit) | Upgrade to AES-256 |
| AES-256 | Symmetric | Weakened to ~128-bit effective strength | Acceptable for now |
| SHA-256 | Hash | Marginally weakened by Grover's | Acceptable, SHA-384+ preferred |
For a deeper look at how these algorithms actually work under the hood, the Advanced Encryption Guide covering AES, RSA, ECC, and post-quantum cryptography walks through the mechanics in plain language.
Post-Quantum Cryptography: The New Standards
Post-quantum cryptography (PQC) refers to classical algorithms (running on regular computers) that are believed to be resistant to attacks from both classical and quantum computers. These are not quantum algorithms. They're designed to be hard for quantum computers to crack.
In August 2024, NIST finalized its first set of post-quantum cryptography standards after a multi-year evaluation process:
- ML-KEM (formerly CRYSTALS-Kyber): Key encapsulation mechanism for key exchange. Replaces ECDH and RSA-based key exchange.
- ML-DSA (formerly CRYSTALS-Dilithium): Digital signature algorithm. Replaces RSA and ECDSA signatures.
- SLH-DSA (formerly SPHINCS+): Hash-based signature scheme. A conservative backup option with different mathematical assumptions.
A fourth algorithm, FALCON (now FN-DSA), is also being standardized for use cases where signature size matters. These algorithms are based on mathematical problems like lattice problems and hash functions, which have no known efficient quantum algorithm for solving them.
It's also worth understanding how zero-knowledge architecture fits into future-proofing. Systems where the server never has access to your plaintext or decryption keys are inherently more resilient, because even if transport encryption is broken, there's nothing useful to decrypt on the server side. You can read more about how zero-knowledge encryption protects your private data in practice.
Migration Planning: What to Actually Do
Future-proofing your systems against the quantum computing threat is a multi-year project, not a single patch. Here's a practical framework for migration planning:
Step 1: Inventory your cryptographic dependencies
Before you can fix anything, you need to know what you're running. Audit every system for:
- TLS certificate algorithms (RSA vs. ECC)
- Code signing and authentication mechanisms
- Encrypted data at rest (especially long-lived archives)
- Key exchange protocols in internal and external APIs
Step 2: Classify data by sensitivity lifetime
Not all data needs the same urgency. Prioritize based on how long the data needs to stay confidential:
- High priority (migrate now): Government secrets, health records, financial data, intellectual property with 10+ year value
- Medium priority (plan for 2-3 years): Business communications, contracts, authentication systems
- Lower priority: Short-lived session data, public content
Step 3: Adopt hybrid encryption during transition
Hybrid schemes combine a classical algorithm (like ECDH) with a post-quantum algorithm (like ML-KEM). This protects against both classical attackers today and quantum attackers tomorrow. It's the recommended approach during the transition period because PQC algorithms are still relatively new and may have undiscovered weaknesses.
Step 4: Update your key management practices
Longer-lived cryptographic keys carry more risk. Shorten key rotation cycles, implement forward secrecy wherever possible, and ensure your key management infrastructure can support new algorithm types.
Step 5: Follow NIST and vendor timelines
NIST has published a clear deprecation schedule: RSA and ECC should be phased out by 2030 for most applications, with a hard deadline of 2035 for federal systems. Major vendors like Microsoft, Google, and AWS are publishing their own PQC migration roadmaps. Align your internal timelines with these.
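The five steps above can be run as one repeatable computation over a cryptographic inventory. The following is an added example, not code from the original article: each inventory entry gets the verdict from the "What Breaks and What Survives" table (Step 1), is ranked by the confidentiality lifetime of its data (Step 2), and is checked against the NIST timelines cited above (Step 5). The "harvest now, decrypt later" test is Mosca's inequality: an asset is already exposed when secrecy lifetime plus migration time exceeds the years until a CRQC. The year constants come from the article (CRQC plausible from 2030, RSA/ECC phased out by 2030, hard cutoff 2035); the inventory CSV, asset names, effort estimates and the assumed current year 2026 are constructed sample data.

```python
"""From cryptographic inventory to a prioritized PQC migration plan.

Added example, not code from the original article. Year constants are the
article's figures; the inventory rows, effort estimates and the assumed
current year are constructed. The HNDL check is Mosca's inequality
X + Y > Z (secrecy lifetime + migration time > years until a CRQC).
"""
import csv
import io

CRQC_EARLIEST_YEAR = 2030   # lower end of the article's 2030-2040 CRQC window
PHASE_OUT_YEAR = 2030       # NIST: RSA/ECC phased out for most applications
HARD_CUTOFF_YEAR = 2035     # NIST: hard deadline for federal systems

# Verdicts from the article's table; ML-KEM/ML-DSA added as the replacements.
QUANTUM_VERDICT = {
    "RSA-2048": "Replace", "RSA-4096": "Replace",
    "ECDSA-P256": "Replace", "ECDSA-P384": "Replace",
    "ECDH-P256": "Replace", "X25519": "Replace", "DH-2048": "Replace",
    "AES-128": "Upgrade to AES-256",
    "AES-256": "Acceptable", "SHA-256": "Acceptable",
    "ML-KEM-768": "Acceptable", "ML-DSA-65": "Acceptable",
}
PRIORITY_ORDER = ["high", "investigate", "medium", "lower", "none"]

# Constructed inventory export (Step 1). recordable=1 means an interceptor can
# keep the ciphertext for later (TLS traffic, archives); signatures are 0.
INVENTORY_CSV = """\
asset,algorithm,secrecy_years,migration_years,recordable
patient-record-archive,RSA-2048,25,3,1
public-tls-edge,ECDH-P256,2,1,1
release-code-signing,ECDSA-P256,0,2,0
internal-wiki-tls,RSA-2048,1,0.5,1
backup-vault,AES-256,25,0,1
iot-update-channel,AES-128,5,2,1
legacy-hsm-signing,DSA-1024,0,2,0
"""


def read_inventory(text: str) -> list[dict]:
    """Parse the inventory export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["secrecy_years"] = float(r["secrecy_years"])
        r["migration_years"] = float(r["migration_years"])
        r["recordable"] = r["recordable"] == "1"
        rows.append(r)
    return rows


def harvest_exposed(asset: dict, today: int) -> bool:
    """Mosca's inequality for a Shor-vulnerable asset whose ciphertext can be stored."""
    if QUANTUM_VERDICT.get(asset["algorithm"]) != "Replace" or not asset["recordable"]:
        return False
    years_until_crqc = CRQC_EARLIEST_YEAR - today
    return asset["secrecy_years"] + asset["migration_years"] > years_until_crqc


def priority(asset: dict, today: int) -> str:
    """Map an asset onto the article's high / medium / lower tiers (Step 2)."""
    verdict = QUANTUM_VERDICT.get(asset["algorithm"])
    if verdict is None:
        return "investigate"          # not in the verdict table: assess first
    if verdict == "Acceptable":
        return "none"
    if harvest_exposed(asset, today):
        return "high"                 # migrate now: data is already harvestable
    if verdict == "Replace":
        # Must be finished by the phase-out year; if work has to start within
        # the article's 2-3 year planning horizon it is medium, else lower.
        latest_start = PHASE_OUT_YEAR - asset["migration_years"]
        return "medium" if latest_start <= today + 3 else "lower"
    return "medium"                   # AES-128: key-length upgrade, no HNDL urgency


def migration_plan(inventory: list[dict], today: int) -> list[dict]:
    """Return plan rows sorted by priority tier (stable, so input order is kept within a tier)."""
    plan = []
    for a in inventory:
        verdict = QUANTUM_VERDICT.get(a["algorithm"], "Unknown")
        exposed = harvest_exposed(a, today)
        plan.append({
            "asset": a["asset"], "algorithm": a["algorithm"], "verdict": verdict,
            "priority": priority(a, today), "hndl_exposed": exposed,
            "finish_by": today if exposed else (PHASE_OUT_YEAR if verdict == "Replace" else None),
            "absolute_deadline": HARD_CUTOFF_YEAR if verdict == "Replace" else None,
        })
    plan.sort(key=lambda r: PRIORITY_ORDER.index(r["priority"]))
    return plan


if __name__ == "__main__":
    for row in migration_plan(read_inventory(INVENTORY_CSV), today=2026):  # 2026: assumed current year
        print(f"{row['priority']:<11} {row['asset']:<24} {row['algorithm']:<11} "
              f"{row['verdict']:<18} HNDL={row['hndl_exposed']} finish_by={row['finish_by']}")
```

Note what the inequality does to intuition: the public TLS edge protects only short-lived sessions, so despite using ECDH it is not a harvest target, while a 25-year archive wrapped with RSA-2048 is exposed today even though the CRQC is still years away. Code signing never produces recordable ciphertext, so it is driven purely by the 2030 deadline, not by "harvest now, decrypt later".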
For organizations thinking about how secure communication fits into their broader security posture, privacy best practices for digital communication covers the operational side of keeping sensitive data protected across the tools your team actually uses.
Share sensitive files with AES-256 encryption before quantum computing makes RSA obsolete
SecretNote encrypts your files entirely in the browser using AES-256-GCM with a zero-knowledge architecture, so the server never touches your decryption key. As the quantum computing timeline shortens and RSA-based systems become vulnerable, symmetric AES-256 remains the safer choice for protecting files you share today.
Research from Google's Craig Gidney and Martin Ekerå estimates that breaking RSA-2048 using Shor's algorithm would require roughly 4,000 logical (error-corrected) qubits running for about 8 hours. Current machines have thousands of physical qubits but far fewer reliable logical qubits, because quantum error correction requires many physical qubits to produce one stable logical qubit. That gap is the main engineering barrier right now.
AES-256 is weakened but not broken by quantum computing. Grover's algorithm reduces its effective security from 256 bits to roughly 128 bits, which is still considered computationally secure against any known attack. AES-128, however, would drop to an effective 64-bit security level, which is too weak. The general recommendation is to use AES-256 for any data that needs long-term protection, and that guidance holds in a post-quantum world.
Harvest now, decrypt later means an adversary collects your encrypted data today and stores it until a quantum computer powerful enough to break the encryption exists. You should be worried if your data needs to stay confidential for more than 10 years. Healthcare records, legal documents, financial data, and government communications are the highest-risk categories. The threat is real enough that the U.S. government issued a national security directive in 2022 specifically addressing it.
NIST finalized its first post-quantum cryptography standards in August 2024. The primary ones are ML-KEM (for key exchange, replacing ECDH and RSA key exchange) and ML-DSA (for digital signatures, replacing RSA and ECDSA). NIST recommends federal agencies begin transitioning now and complete migration away from RSA and ECC by 2030 for most systems, with a hard cutoff of 2035. Private organizations should align their data migration plans with these timelines.
Yes, but the impact depends on how the app handles key exchange. Most end-to-end encrypted apps use elliptic curve Diffie-Hellman for key exchange, which is vulnerable to Shor's algorithm. The message content itself may be encrypted with AES (less vulnerable), but the key negotiation can be broken. Signal, for example, announced work on post-quantum key exchange using CRYSTALS-Kyber in 2023. Apps that haven't upgraded their key exchange protocols are exposed to harvest now, decrypt later attacks on stored message archives.
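What a post-quantum upgrade of the key exchange actually changes, in the hybrid form recommended in Step 3 above and the form Signal announced, is how the session key is derived. The following added example (not the article's, Signal's or any library's code) shows the combiner: the classical ECDH secret and the ML-KEM secret are concatenated and fed through one HKDF (RFC 5869, implemented here with hashlib and hmac), so the session key is only recoverable if both exchanges are broken. The two shared secrets are constructed stand-ins, because Python's standard library has neither X25519 nor ML-KEM; in a real handshake they come from those two exchanges. The concatenation order and the info label are this example's choices.

```python
"""Hybrid key derivation: classical ECDH secret + post-quantum KEM secret.

Added example, not code from the original article and not any library's
implementation. The two shared secrets are constructed stand-ins for the
outputs of an X25519/ECDH exchange and an ML-KEM decapsulation. HKDF follows
RFC 5869 with HMAC-SHA256; concatenation order and labels are assumptions.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract(salt, IKM) = HMAC-SHA256(salt, IKM); empty salt means zeros."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Combine both shared secrets into one session key.

    The order is fixed (classical || post-quantum) and a hash of the handshake
    transcript is the salt, so the key is bound to this particular handshake.
    An attacker must know BOTH inputs to reproduce the output.
    """
    ikm = classical_ss + pq_ss
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-demo session key", length)


def demo() -> dict:
    """Both parties agree; an attacker who broke only the classical exchange
    (the Shor-vulnerable half) still lacks the KEM secret and gets a different key."""
    classical_ss = os.urandom(32)   # constructed: would be the X25519/ECDH output
    pq_ss = os.urandom(32)          # constructed: would be the ML-KEM decapsulation output
    transcript = b"client_hello||server_hello (constructed)"
    alice = hybrid_session_key(classical_ss, pq_ss, transcript)
    bob = hybrid_session_key(classical_ss, pq_ss, transcript)
    attacker = hybrid_session_key(classical_ss, b"\x00" * 32, transcript)  # knows only the ECDH half
    return {"parties_agree": alice == bob, "attacker_has_key": attacker == alice}


if __name__ == "__main__":
    print(demo())
```

The attacker line is the "harvest now, decrypt later" scenario in miniature: a recorded handshake plus a future Shor-capable machine yields the ECDH half, but without the KEM half the derived key is unrelated to the real one. That is also why the hybrid is preferred over PQC alone during the transition: if ML-KEM turned out to have a weakness, the classical half still has to be broken.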
For most individuals and small businesses, the practical steps are: use AES-256 (not AES-128) for stored data, keep your software and TLS certificates updated so you benefit automatically when vendors roll out post-quantum upgrades, avoid storing highly sensitive data in formats that rely solely on RSA or ECC encryption for long-term protection, and watch for your key vendors (cloud providers, certificate authorities, VPN providers) publishing PQC migration timelines. You don't need to rebuild your stack today, but you should be aware of your exposure.