up:: The Threat MOC

Is the Quantum Threat Overhyped?

The honest answer is that the quantum threat is both overhyped and underprepared for at the same time, and holding those two facts together is the whole point. No cryptographically relevant quantum computer exists today, the hardware engineering may be many years off, a respected minority of researchers argue it may never work at all, and some vendors absolutely inflate the danger to raise money or sell products. Every one of those skeptic points is fair, and a serious practitioner should be able to state them without flinching. What the skeptic case cannot dissolve is the timing problem: harvest-now-decrypt-later means data encrypted today can be recorded now and decrypted the day a machine arrives, migration across a large enterprise takes many years, and the NIST standards are already published and cheap to adopt. The calibrated position is to treat the arrival date as genuinely uncertain and still standardize and migrate on the near horizon, because the cost of being early is small and the cost of being late is unrecoverable.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (motivates preparing before a quantum computer exists, driven by long data lifetimes and long migration times), csrc.nist.gov/pubs/ir/8105/final.

The short version:

  1. The skeptic case is real: no CRQC exists, fault-tolerant hardware is a genuinely hard and unsolved engineering problem, and a credible minority (notably Gil Kalai) argues noise may make it fundamentally unworkable.
  2. Vendor overhype is also real. Some firms exaggerate imminence to raise funding or sell “quantum-safe” products, and specific arrival-date claims deserve the scrutiny in How to Tell Real Quantum Progress From Hype.
  3. The rebuttal that survives all of that is timing. HNDL moves the deadline to today for any data that must stay secret for years, so the machine’s arrival date does not have to be known to justify acting.
  4. Migration is slow. Cryptography is buried across an enterprise, and inventory-plus-replacement realistically takes many years, so a late start cannot be recovered by hurrying later.
  5. The standards are published, tested, and inexpensive to adopt, which makes them cheap insurance against a low-probability-per-year, catastrophic-if-it-lands event.
  6. Mosca’s inequality is the tool that turns this from a debate into arithmetic: if data-secrecy-lifetime plus migration-time exceeds time-to-CRQC, you are already exposed.

What is the strongest skeptic case against the quantum threat?

The strongest skeptic case is not a single objection but a stack of them, and a fair steelman states each at full strength before answering any of it. The pillars:

  1. No cryptographically relevant quantum computer exists. Today’s devices have on the order of hundreds to low thousands of noisy physical qubits. Breaking RSA-2048 with Shor’s algorithm is estimated to need thousands of stable logical qubits, each built from many noisy physical ones through error correction, which is orders of magnitude beyond current machines. The threat is a projection, not a demonstration.
  2. Fault tolerance is an unsolved engineering problem. The path from noisy qubits to a large error-corrected machine depends on staying below an error-correction threshold at enormous scale. That is a hard engineering claim, and treating it as a foregone conclusion overstates what has actually been built.
  3. A credible minority argues it may never work. Mathematician Gil Kalai has argued for over a decade that the noise in quantum systems is not merely an obstacle to be engineered away but a fundamental barrier, on the grounds that the correlated noise which accompanies quantum evolution defeats the error correction fault tolerance depends on. This is a real scientific position held by a serious researcher.
  4. Vendors and consultants have incentives to exaggerate. Quantum-hardware startups raise capital on imminence, and some security vendors market “quantum-safe” products by inflating the near-term danger. A financial interest in urgency does not make the threat fake, but it does mean specific timeline claims deserve skeptical reading.

Stated together, the skeptic case is genuinely strong on one question: nobody can honestly promise the year the machine arrives, and some who name a year are selling something. That much is correct, and a practitioner who pretends otherwise loses credibility. The mistake is treating “the date is uncertain” as if it meant “the risk can be deferred,” which is where the rebuttal begins.

Source: G. Kalai, “How Quantum Computers Fail: Quantum Codes, Correlations in Physical Systems, and Noise Accumulation,” arXiv:1106.0485, June 2011, arxiv.org/abs/1106.0485.

Does Gil Kalai’s noise argument hold up?

Kalai’s argument is the most serious version of the skeptic case, and it deserves an honest hearing rather than a dismissal. His claim, developed across a series of papers, is that fault-tolerant quantum computing fails not for lack of engineering effort but because the noise in quantum systems is inherently correlated in ways that scale with the computation, so the error rates rise faster than error correction can suppress them, and quantum supremacy in the noisy regime becomes unreachable. It is a mathematically framed position, not a hand-wave, and it targets exactly the assumption that fault tolerance is achievable in principle.

The mainstream response does not claim Kalai has been refuted so much as that the field has continued to clear milestones his framework would seem to make hard. Error-corrected logical qubits with demonstrably suppressed error rates below the physical baseline have been shown experimentally, and the threshold theorem that fault tolerance rests on remains the consensus theoretical foundation. The honest framing is that this is an open scientific question where the burden has shifted: the skeptic position is a minority view held against a large and growing body of experimental progress, and it is prudent to weight it as a real but low-probability chance that the machine never arrives, rather than as a reason to assume it will not.

For risk purposes, a low-but-nonzero probability of a catastrophic, irreversible outcome is exactly the profile that justifies cheap insurance. Even if Kalai turns out to be right, the cost of having migrated to standardized post-quantum algorithms is modest. If he turns out to be wrong and no preparation was made, the loss is unbounded. The asymmetry, not the probability estimate, is what settles the practical decision.

Source: G. Kalai, “How Quantum Computers Fail: Quantum Codes, Correlations in Physical Systems, and Noise Accumulation,” arXiv:1106.0485, June 2011, arxiv.org/abs/1106.0485.

Why does harvest-now-decrypt-later make the arrival date almost irrelevant?

Harvest-now-decrypt-later is the reason the skeptic’s strongest point, uncertainty about the arrival date, does not translate into a reason to wait. The attack is simple and passive: an adversary records encrypted traffic today, stores it cheaply, and holds it until a CRQC exists to decrypt it. The confidentiality of the data is broken retroactively, at the moment of capture, even though the decryption happens years later.

That structure moves the deadline from “when the machine arrives” to “now,” for any data that has to stay secret across that gap:

  1. Long-lived secrets are already exposed. Health records, financial data, state secrets, intellectual property, and biometric data often need to stay confidential for a decade or more. If such data crosses the wire today under RSA or ECDH key exchange, and a CRQC arrives within that secrecy window, the data captured today is compromised.
  2. The attacker does not need the machine yet. The recording is passive and cheap, and it can be done at scale now by any adversary with the patience to store ciphertext. The expensive part, the quantum computer, is deferred to the attacker’s convenience.
  3. The victim cannot un-send captured traffic. Once ciphertext is recorded, no future action protects it. The only defense is to have used post-quantum key establishment before capture, which is why the migration deadline for confidentiality is not the CRQC date but the start of the secrecy window.

This is why “the machine is decades away” is not reassurance for confidentiality. The relevant question is whether the data being sent today needs to stay secret past the arrival date, and for a large class of data the answer is yes, which means the exposure is present-tense.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

Why is migration so slow that a late start cannot be recovered?

Cryptographic migration is slow because cryptography is embedded everywhere and visible almost nowhere, so the discovery and replacement work dwarfs the algorithm swap itself. The reason a late start is unrecoverable is that the timeline is dominated by scale and dependency, not by effort you can add at the end. The drivers:

  1. Cryptography is buried in the stack. Keys and algorithms live inside protocols, libraries, hardware security modules, firmware, embedded devices, third-party products, and code nobody has looked at in years. You cannot replace what you have not found, so the first phase is a full inventory that most organizations have never done.
  2. Dependencies serialize the work. A certificate cannot move until its issuing CA moves, a device cannot update until its vendor ships a post-quantum firmware, and a protocol cannot switch until both endpoints support the new algorithm. Much of the timeline is spent waiting on parties you do not control.
  3. Long-lived systems resist change. Industrial controllers, medical devices, satellites, and cars in the field have lifespans measured in decades and rarely receive cryptographic updates, so their migration is a hardware-refresh problem rather than a software patch.

Because those factors are structural, the realistic enterprise timeline runs to many years, and the work cannot simply be compressed into the final stretch once a CRQC is announced. That is the second half of why the arrival date being uncertain does not license waiting: even if the machine is a decade out, an organization whose migration takes most of a decade needs to be starting now to finish in time. This is the exact logic Mosca’s inequality formalizes.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final.

What is the calibrated, non-hype position?

The calibrated position is to reject both the “quantum breaks everything tomorrow” panic and the “it is all hype, ignore it” dismissal, and to act on a risk calculation rather than a prediction. It has three moves that hold regardless of the arrival date:

  1. Treat the date as genuinely uncertain, and stop arguing about it. Whether a CRQC arrives in 10 years, 20, or never is unknowable, and the decision does not depend on resolving it. What matters is the combination of your data’s secrecy lifetime, your migration time, and the plausible range of arrival dates.
  2. Apply Mosca’s inequality. If the number of years your data must stay secret plus the number of years your migration takes is greater than the number of years until a CRQC exists, you are already exposed. Because the first two terms alone often add to a decade or more, you can be exposed today even under optimistic arrival estimates.
  3. Adopt the standards as cheap insurance. ML-KEM for key establishment and ML-DSA for signatures are finalized, tested, and shipping in mainstream libraries. Deploying them, ideally with the crypto-agility to change algorithms cleanly later, is inexpensive relative to the catastrophic, irreversible downside of being wrong about the timeline.

The two sides of the ledger, held together:

Skeptic point (fair)Calibrated rebuttal
No CRQC exists todayTrue, but HNDL exposes long-lived data captured now
Fault tolerance may be decades offThe arrival date is uncertain, so migration time plus data lifetime drives the deadline
Kalai’s noise argument may prove it never worksA real minority view against growing experimental progress; a low-probability catastrophe justifies cheap insurance
Some vendors overhype for fundingRead specific timeline claims critically; the HNDL and migration logic stands on NIST reasoning, not vendor marketing
Adopting PQC seems prematureThe standards are published, tested, and cheap to deploy, so early adoption costs little

The tell of a calibrated source is that it can say plainly which claims are hype (a specific near-term Q-Day date, “quantum breaks all cryptography including your hashes,” a product that makes you “quantum-proof” by tomorrow) and still conclude that migrating now is correct. Hype and complacency are two failure modes of the same mistake, which is letting a guess about the arrival date drive a decision that the risk arithmetic already settles. Get the arithmetic right and the arrival date stops being the argument.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov/pubs/ir/8105/final; NIST, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” FIPS 203, August 2024, FIPS 203.

Common misconceptions

  1. “No quantum computer can break RSA, so the threat is fake.” True that none exists today, but confidentiality is already exposed through HNDL, because data recorded now is decrypted whenever the machine arrives within its secrecy window.
  2. “Skeptics like Kalai have proven it will never work.” They have not. Kalai’s noise argument is a serious minority position, and the field has kept clearing milestones his framework would make hard. It is a real but low-probability chance, which risk management treats as a reason for cheap insurance, not for complacency.
  3. “If it is decades away, we can start migrating later.” Migration realistically takes many years because cryptography is buried across the stack and gated by dependencies you do not control, so a late start cannot be recovered by hurrying at the end.
  4. “Vendors hype it, so the whole thing is a scam.” Some vendors do overhype, and their specific timeline claims deserve scrutiny. That is a reason to read arrival-date claims critically, and the underlying HNDL and migration-timing problems stand on published NIST reasoning independent of any vendor.
  5. “Adopting post-quantum cryptography is expensive and premature.” The algorithms are standardized and shipping in mainstream libraries, so adoption is inexpensive relative to the unbounded, irreversible cost of being late.

Questions people ask

Is the quantum threat overhyped? Parts of the messaging are. Specific near-term Q-Day dates and “quantum-proof” product claims are often hype. The underlying risk is not, because harvest-now-decrypt-later and multi-year migration make the timing problem present-tense regardless of the exact arrival date.

Does a quantum computer that breaks RSA exist yet? No. Today’s machines are far below the thousands of stable logical qubits Shor’s algorithm would need against RSA-2048. The threat is a projection, and the case for acting rests on data lifetimes and migration time, not on a machine existing today.

Who are the credible quantum skeptics? The most cited is mathematician Gil Kalai, who argues that correlated noise is a fundamental barrier to fault tolerance rather than an engineering nuisance. It is a serious minority view, weighed against a large body of experimental progress toward error-corrected qubits.

If the machine might never arrive, why migrate now? Because the downside is asymmetric. If it never arrives, the cost of having migrated to standardized algorithms is modest. If it arrives and no preparation was made, the loss is unbounded and irreversible, and the harvested data is already gone.

What is the calibrated position in one sentence? Treat the arrival date as unknowable, run Mosca’s inequality on your own data lifetime and migration time, and adopt the published standards now as cheap insurance against a catastrophic, irreversible event.

How do I tell hype from real quantum progress? Read specific claims against milestones and primary sources rather than press releases, which is exactly the job of How to Tell Real Quantum Progress From Hype. A calibrated source names which claims are inflated and still concludes that migrating now is correct.

Doesn’t a machine with thousands of qubits mean RSA is nearly broken? Not if it’s a quantum annealer. D-Wave’s thousands of qubits are analog optimization elements that can’t run Shor’s algorithm, so they’re the wrong kind of qubit for cryptanalysis, and they don’t compare to the error-corrected logical qubits a CRQC needs. The recurring “annealer factored a number” and “close to RSA” headlines are the subject of Quantum Annealing and the D-Wave Question.


Everything here is the map, given freely. When your team needs its own exposure sized against a realistic arrival range and sequenced onto a post-quantum path, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.