Alcazar · Technical Blog

Published Apr 21, 2026

When will quantum computing break cryptography?

If you mean RSA, Diffie-Hellman, and elliptic-curve cryptography, the honest short answer is: probably not in 2026, probably not all at once, but very plausibly in the 2030s.

That is the part most people care about because those systems protect TLS handshakes, VPNs, SSH, certificates, passkeys, and blockchain signatures.

The other important part is this: you do not need to wait for a quantum computer to exist before the problem becomes real. If an attacker can copy encrypted traffic today and store it, they may be able to decrypt it later once a cryptographically relevant quantum computer exists. CISA, NSA, and NIST explicitly warn about this “harvest now, decrypt later” model.

So the practical answer is simple:

  • if your data only needs to stay secret briefly, the risk is later
  • if it needs to stay secret for 5 to 15 years, the risk is already here
  • if you still depend heavily on RSA or ECC, your migration clock has started

TL;DR

  • Shor's algorithm breaks the public-key systems the internet relies on most: RSA, DH, ECDH, ECDSA, and similar schemes.
  • AES and hash functions are in better shape. Grover's algorithm weakens them in theory, but it does not create the same practical emergency, and it does not mean everyone now needs bigger symmetric keys.
  • The scary part is not that a giant quantum computer exists today. It is that the resource estimates for breaking RSA-2048 and ECC-256 have been falling fast.
  • In 2019, a widely cited estimate put RSA-2048 at about 20 million noisy physical qubits. In 2025, Craig Gidney cut that to less than 1 million noisy qubits under similar surface-code assumptions.
  • In 2026, Google researchers estimated that breaking secp256k1-style ECC-256 could take about 1200 to 1450 logical qubits and fewer than 500,000 physical qubits on a fast superconducting architecture.
  • NIST already finalized the first core post-quantum standards in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).
  • NIST’s draft transition plan says common quantum-vulnerable public-key schemes should be deprecated after 2030 and disallowed after 2035.
  • The best plain-English answer is: treat the 2030s as the danger window for public-key cryptography, and plan as if long-lived secrets are already exposed.

Which crypto breaks first

Quantum computing does not threaten every cryptosystem equally.

Crypto            | What quantum does                               | Practical result
RSA, DH, ECDH     | Shor's algorithm solves the math directly       | Broken once a large enough fault-tolerant machine exists
ECDSA, EdDSA, ECC | Shor's algorithm solves discrete logs too       | Also broken, and often with fewer resources than RSA
AES-128           | Grover's algorithm gives limited practical help | Still broadly considered safe
AES-256           | Grover gives even more margin                   | Also safe, but not required as a PQ migration step
SHA-256           | Grover helps with preimage search in theory     | Still broadly considered safe

This distinction matters because a lot of headlines say “quantum breaks encryption” as if every lock on the internet fails on the same day. The main break is in public-key cryptography: the part used to agree on keys, prove identity, sign software, and authenticate transactions. Once that layer falls, a lot of higher-level systems fall with it.

Symmetric crypto is a different story. Quantum attacks help, but they do not give the same kind of clean knockout. That is why guidance like the NSA’s CNSA 2.0 still keeps strong symmetric primitives while replacing RSA and ECC.

Why the timeline feels closer now

For years, the easy answer was “don’t worry, we would need millions of qubits.” That was never the whole story, and it has aged badly. What changed is not just hardware. The attack cost estimates got better much faster. Researchers found better arithmetic, better circuit layouts, and better ways to pay the error-correction overhead.

A short version of the trend:

  • In 2019, Gidney and Ekerå estimated RSA-2048 could be factored in about 8 hours with roughly 20 million noisy physical qubits.
  • In 2025, Gidney updated that estimate to less than a week with less than 1 million noisy physical qubits under similar assumptions.
  • In 2026, Google researchers estimated ECC-256 over secp256k1 at 1200 to 1450 logical qubits, under 500,000 physical qubits, and roughly 9 to 12 minutes on a fast-clock superconducting machine.

Those are not minor edits. They are order-of-magnitude moves.

They also reinforce an awkward point: ECC may fall before RSA in many real systems. The reason is simple. Shor cares a lot about key size, and elliptic-curve systems use much smaller keys than RSA for the same classical security.

That means modern systems that moved from RSA to ECDH or ECDSA for efficiency did the right thing for the classical internet, but may have moved into an easier quantum target.

Why this does not mean “the internet breaks next year”

Because these papers are not attacks you can run on today’s hardware.

They assume a machine with:

  • many error-corrected logical qubits
  • low enough physical error rates
  • stable control systems
  • enough scale to run large fault-tolerant circuits end to end

Current systems are making real progress in quantum error correction, which is the hard part. For example, Quantinuum reported experiments with 48 to 94 logical qubits in 2026. That is a real milestone, but it is still far from the thousands of logical qubits, deep circuits, and industrial-scale reliability needed for practical cryptanalysis.

So there are two facts to hold at once:

  1. A quantum computer that can break mainstream cryptography does not exist today.
  2. The distance to one looks shorter than it did a few years ago.

That is why the serious debate is no longer “if,” but “how wide the remaining window is.”

The most honest timeline

No one can give you a real date, and anybody who says “2033” or “2041” with confidence is pretending. But we can still say useful things.

NIST’s migration FAQ says estimates for a cryptographically relevant quantum computer range from around 2030 on the aggressive end, through 15 to 20 years, to 30+ years on the slow end.

The Global Risk Institute’s 2024 expert survey found a significant chance within 10 years and a majority view that it becomes likely within 15 years.

Germany’s BSI, taking a conservative mainstream view, says a cryptographically relevant quantum computer is likely within 15 years and reasonably expected by about 2040, with faster progress possible if newer qLDPC error-correction methods work well.

I also think Filippo Valsorda’s timeline piece adds a useful way to think about the uncertainty. He puts it like this:

“The bet is not ‘are you 100% sure a CRQC will exist in 2030?’, the bet is ‘are you 100% sure a CRQC will NOT exist in 2030?’”

That is a better framing than arguing over one magic year. Security teams do not need certainty. They need to decide whether the downside of being late is acceptable.

Put that together and the practical forecast looks like this:

  • Before 2030: possible but still an aggressive case
  • 2030 to 2035: a serious planning window, not a sci-fi one
  • Late 2030s: plausible even under more conservative assumptions
  • After 2040: still possible, but not a safe excuse to delay

That is why NIST IR 8547 proposes deprecating common quantum-vulnerable public-key schemes after 2030 and disallowing them after 2035.

Those dates are not proof that Q-Day is 2035. They are what a responsible migration schedule looks like when the risk window is uncertain and the replacement takes years.

Symmetric crypto is not the urgent problem

The common shortcut is: Grover gives a square-root speedup, so AES-128 becomes “really” 64 bits, therefore everybody should move to AES-256.

That is too simple. Grover attacks do not parallelize the way normal brute force does, which makes the practical cost much worse than the slogan suggests.
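A back-of-envelope model of that parallelization point, added here as an example (not code from the original post). It assumes an attacker with P machines, each limited to D sequential steps (one classical key trial, or one Grover oracle iteration), and ignores constants such as pi/4 and the much higher cost of each reversible, error-corrected AES iteration; the machine counts and depth budget are constructed values.

```python
# Added example, not from the original post. Assumptions: P machines, each bounded to D
# sequential steps; constants and the per-iteration cost of a quantum AES circuit ignored.
import math

def classical_keys_searched(machines: int, depth: int) -> int:
    """Brute force parallelizes perfectly: P machines times D trials each."""
    return machines * depth

def grover_keys_searched(machines: int, depth: int) -> int:
    """Grover needs about sqrt(S) sequential iterations to search a slice of S keys,
    so one machine with depth D covers about D**2 keys and P machines cover P * D**2.
    Doubling P therefore cuts the wall-clock time only by sqrt(2), not by 2."""
    return machines * depth ** 2

def machines_needed(key_bits: int, depth: int, quantum: bool) -> int:
    """Machines required to exhaust a 2**key_bits keyspace within depth D."""
    keyspace = 2 ** key_bits
    per_machine = depth ** 2 if quantum else depth
    return -(-keyspace // per_machine)   # integer ceiling division

def sequential_steps_log2(key_bits: int, machines_log2: float, quantum: bool) -> float:
    """log2 of the sequential steps each machine runs when 2**machines_log2 machines share
    the search. quantum=True with machines_log2=0 is the '64-bit' slogan: it silently
    assumes one machine running 2**64 coherent Grover iterations end to end."""
    if quantum:
        return key_bits / 2 - machines_log2 / 2
    return key_bits - machines_log2

if __name__ == "__main__":
    # Constructed budget: each machine may run at most 2**40 sequential steps.
    for bits in (128, 256):
        print(f"AES-{bits}: classical machines = 2**{math.log2(machines_needed(bits, 2**40, False)):.0f}, "
              f"Grover machines = 2**{math.log2(machines_needed(bits, 2**40, True)):.0f}")
    print("AES-128 with 2**20 machines: classical 2**%.0f steps each, Grover 2**%.0f steps each"
          % (sequential_steps_log2(128, 20, False), sequential_steps_log2(128, 20, True)))
```

With a 2**40 depth budget, exhausting AES-128 classically needs 2**88 machines, while Grover still needs 2**48 separate fault-tolerant quantum computers, each running 2**40 coherent AES iterations.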

Filippo Valsorda’s note on 128-bit keys says it plainly:

“AES-128 is safe against quantum computers. SHA-256 is safe against quantum computers. No symmetric key sizes have to change as part of the post-quantum transition.”

That matches NIST’s PQC FAQ, which says it is quite likely Grover will provide little or no practical advantage against AES, and that current applications can continue using AES-128, AES-192, or AES-256.

Do not let arguments about symmetric key sizes slow down the migration away from RSA, ECDH, and ECDSA. The urgent work is on the public-key side.

What “break” really means in practice

For most companies, there are three separate questions hiding inside the headline.

1. When can attackers decrypt traffic they recorded earlier?

This is the earliest real risk for sensitive long-lived data. If your TLS sessions today use quantum-vulnerable key exchange, an attacker who records the traffic now may be able to read it later. That matters for diplomatic traffic, health records, corporate secrets, long-lived credentials, and anything with a long confidentiality shelf life. That is why key exchange is the first migration priority.

2. When can attackers forge signatures?

This comes later, but it is worse in some ways.

Once a machine can break ECDSA, RSA, or similar signature schemes quickly enough, it can forge software updates, fake identities, impersonate certificate holders, or steal from systems that expose public keys on-chain or in protocols.

That is a direct integrity problem, not just a privacy problem.

3. When does the average website need to care?

Honestly, not every site needs to panic today.

If you run a small site with short-lived sessions and no high-value archived data, quantum risk is not your top fire.

But if you operate infrastructure, VPNs, SSH fleets, PKI, code signing, hardware lifecycles, regulated data, or long-lived secrets, you should already be planning.

What to do now

The hard part is not choosing a year. The hard part is reducing dependence on RSA and ECC before the date matters.

A sane short checklist:

  1. Inventory where you use public-key cryptography: TLS, VPN, SSH, certificates, code signing, hardware roots of trust, document signing, blockchain keys.
  2. Separate key exchange from signatures in your plan. They migrate on different timelines.
  3. Move long-lived confidentiality use cases to the front of the queue.
  4. Prefer AES-256 and strong hashes for symmetric components.
  5. Start testing the NIST standards: ML-KEM, ML-DSA, and SLH-DSA.
  6. Expect hybrid deployments first. In many systems, the first practical step is hybrid TLS key exchange, not a full overnight switch of every certificate and signature stack.
  7. Build for crypto agility. The teams that suffer most will be the ones that hard-coded one algorithm family into everything.
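One way to turn the checklist above, together with the "risk is already here" lifetime rule from the opening, into a repeatable triage (added example, not the post's own tooling). It assumes X25519 and Ed25519 count as ECC, that a hybrid name containing an ML-KEM marker counts as already migrated for confidentiality, and that algorithm names are matched by prefix only; the inventory rows are constructed.

```python
# Added example, not from the original post. Assumptions: X25519/Ed25519 treated as ECC;
# a name containing an ML-KEM/ML-DSA/SLH-DSA marker (including hybrids) counts as migrated.
from dataclasses import dataclass

VULNERABLE_PREFIXES = ("RSA", "ECDH", "ECDSA", "EDDSA", "ED25519", "X25519", "DH")
SAFE_MARKERS = ("MLKEM", "MLDSA", "SLHDSA", "AES", "SHA")   # PQ standards and symmetric
LONG_LIVED_YEARS = 5          # post: 5 to 15 years of secrecy means the risk is already here
AGGRESSIVE_CRQC_YEAR = 2030   # post: the aggressive end of NIST's CRQC estimates
@dataclass
class Use:
    system: str
    algorithm: str
    purpose: str         # "key_exchange", "signature", or anything else (e.g. "bulk_encryption")
    secrecy_years: int   # confidentiality shelf life of the data this protects

def is_quantum_vulnerable(algorithm: str) -> bool:
    name = algorithm.upper().replace("-", "").replace("_", "")
    if any(marker in name for marker in SAFE_MARKERS):
        return False
    return name.startswith(VULNERABLE_PREFIXES)

def priority(use: Use, year: int) -> tuple:
    """Lower rank migrates first: long-lived key exchange, then other key exchange, then signatures."""
    if not is_quantum_vulnerable(use.algorithm):
        return (9, "not quantum-vulnerable, or already hybrid/PQ")
    if use.purpose == "key_exchange":
        long_lived = use.secrecy_years >= LONG_LIVED_YEARS
        outlives_crqc = year + use.secrecy_years > AGGRESSIVE_CRQC_YEAR
        if long_lived or outlives_crqc:
            return (1, "harvest-now-decrypt-later: data outlives a plausible CRQC date")
        return (2, "key exchange for short-lived data")
    return (3, "signature: forgery risk arrives later than decryption risk")

def migration_plan(uses, year=2026):
    """Inventory rows sorted into migration order, each with its rank and reason."""
    ranked = sorted(uses, key=lambda u: (priority(u, year)[0], u.system))
    return [(u.system, u.algorithm) + priority(u, year) for u in ranked]
# Constructed sample inventory (not real systems).
SAMPLE = [
    Use("vpn-gateway", "ECDH-P256", "key_exchange", 10),
    Use("public-website", "X25519", "key_exchange", 0),
    Use("code-signing", "RSA-3072", "signature", 0),
    Use("internal-tls", "X25519MLKEM768", "key_exchange", 10),
    Use("backup-encryption", "AES-256", "bulk_encryption", 15),
]
if __name__ == "__main__":
    for system, algorithm, rank, reason in migration_plan(SAMPLE):
        print(f"P{rank} {system:18} {algorithm:16} {reason}")
```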

My bottom line

If you want the shortest honest answer to the title question, here it is:

Quantum computing probably breaks the big public-key cryptosystems in the 2030s, with enough uncertainty that anyone protecting long-lived secrets should act now, not when the first machine shows up.

RSA and ECC are living on borrowed time. AES-256 is not the main problem. The migration has already started. The only thing still uncertain is whether the industry finishes in an orderly way or gets forced into it late.
