up:: 00 Field Guide Map

The Threat

The quantum threat to cryptography is the risk that a large, fault-tolerant quantum computer will run two specific algorithms, Shor’s and Grover’s, against the public-key and symmetric cryptography that secures nearly all digital infrastructure, breaking the public-key half outright and forcing bigger keys on the symmetric half. The machine that finishes the threat, a cryptographically relevant quantum computer, does not exist in 2026, yet the exposure is already live because sensitive data recorded today can be decrypted the day such a machine turns on. This pillar teaches the whole domain in three moves: what the machine is, exactly how it breaks today’s cryptography, and how to reason about which of your own data is at risk and how soon you have to move.

Map of content

A short overview of the quantum threat, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.

The short version:

  • The threat has three parts that only add up to urgency together: a quantum computer, the two algorithms that aim it at cryptography, and the shelf-life of your sensitive data. Remove any one and the urgency changes completely.
  • Shor’s algorithm is the catastrophe. It efficiently solves factoring and discrete logarithms, the exact math behind RSA, ECC, and Diffie-Hellman, so a big enough machine ends public-key cryptography.
  • Grover’s algorithm is the manageable half. It only speeds up brute-force search, which halves the effective strength of ciphers like AES-256 and hashes like SHA-256, and a longer key restores the margin.
  • No CRQC exists yet, and qubit-count press releases don’t mean one is close, because the metric that matters is error-corrected logical qubits, not raw physical ones.
  • The reason to act now is the arithmetic of Mosca’s theorem plus harvest-now-decrypt-later: migration takes years, harvested data is exposed retroactively, and there’s no patch for what an adversary already collected.

If you have been through Foundations, you already know the locks: the symmetric ciphers, the public-key math, the signatures and certificates the whole digital world runs on. This section is about the thing that picks them, and it walks all three parts of the threat before it lets you reason about a single system of your own.

What is the quantum threat to cryptography?

The quantum threat is a hardware capability, not a new attack technique. It’s the point at which a quantum computer becomes large and stable enough to run Shor’s algorithm against real-world key sizes, RSA-2048 or larger and 256-bit or larger elliptic curves, in a practical amount of time. Everything else follows from that one threshold.

Picture today’s cryptography as two different kinds of lock. The public-key locks are like a padlock whose combination is sealed inside a hard math puzzle, and their whole security is that the puzzle takes a classical computer longer than the age of the universe to solve. The symmetric locks are simpler: a huge keyspace with no shortcut, where the only way in is to try keys. A quantum computer treats these two locks completely differently, and understanding that difference is the single most useful thing in this whole section.

The threat is real, foreseeable, and paced by three independent facts:

  1. A machine. A quantum computer stores information in qubits that hold a blend of 0 and 1 through superposition, and it works through many possibilities at once in a way an ordinary computer never will. The physics is covered only as far as you need it in the machine.
  2. The algorithms that aim it at cryptography. A quantum computer is not automatically a code-breaker. It becomes one through two specific algorithms, and they do wildly different amounts of damage, covered in how it breaks today’s cryptography.
  3. The shelf-life of your data. Sensitive information has a required secrecy lifetime, and that’s what turns a distant machine into a present-day deadline, covered in the risk models.

How does a quantum computer break today’s cryptography?

A quantum computer breaks cryptography through exactly two algorithms, and the entire migration hinges on how different they are. Shor’s algorithm gives an exponential speedup against the specific math behind public-key cryptography, so RSA, ECC, and Diffie-Hellman fall completely and have to be replaced. Grover’s algorithm gives only a quadratic (square-root) speedup against blind search, so symmetric ciphers and hashes survive with bigger parameters. The honest headline runs deeper than “quantum breaks encryption”: quantum shatters the public-key half and merely dents the symmetric half.

That asymmetry decides what breaks and what survives, which is the first thing to get straight:

CryptographyExamplesQuantum attackVerdictResponse
Public-key encryption / key exchangeRSA, DH, ECDH, X25519Shor’sBrokenReplace with ML-KEM
Public-key signaturesRSA signatures, ECDSA, Ed25519Shor’sBrokenReplace with ML-DSA / SLH-DSA
Symmetric encryptionAES-128Grover’sWeakenedMove to AES-256
Symmetric encryptionAES-256Grover’sSafeKeep
Hash functionsSHA-256, SHA-2, SHA-3Grover’sMostly safeKeep, or SHA-384 for high assurance

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016, csrc.nist.gov.

The pattern is the whole point. Everything in the “broken” rows is public-key and gets replaced with a new post-quantum standard; everything in the “weakened” or “safe” rows is symmetric and gets upsized or kept. That’s why The Transition is overwhelmingly a public-key migration, and why “we need a new cipher for everything” is the wrong reading. The full inventory of what falls is in Quantum-Vulnerable Algorithm.

Why does Shor’s algorithm end public-key cryptography?

Shor’s algorithm ends public-key cryptography because it solves the two hard problems all of it rests on, and it solves them in polynomial time. Peter Shor published it in 1994, so RSA has been broken in theory for more than thirty years while the hardware to execute the break still doesn’t exist.

The genius is that Shor’s never attacks factoring head-on. It converts factoring into a period-finding problem, then measures that period directly using the quantum Fourier transform. Factoring is secretly a question about the frequency of a repeating pattern, and quantum mechanics lets you measure that frequency instead of searching for it, which is why the speedup is exponential rather than incremental. The same machinery, pointed at a slightly different function, solves the discrete-logarithm problem too, so one algorithm takes down both the factoring-based systems (RSA) and the discrete-log ones (ECC, DH) in a single stroke.

When Shor’s runs against a real key, it hands back the private key from the public key. That collapses both jobs public-key cryptography does at once:

  1. Key establishment fails, which is a confidentiality problem, because the shared secret behind an encrypted session becomes recoverable. This is the driver of harvest-now-decrypt-later.
  2. Signatures fail, which is a trust problem, because an attacker can forge any signature and impersonate any identity. This is the driver of real-time trust attacks.

One counterintuitive fact matters for planning: elliptic-curve cryptography is an easier quantum target than RSA at comparable classical strength, because it needs fewer logical qubits. The short keys that make ECC efficient today are the same keys that make it fall first.

Source: Peter W. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM Journal on Computing 26(5), 1997, arXiv:quant-ph/9508027.

Why does Grover’s algorithm only dent symmetric cryptography?

Grover’s algorithm only dents symmetric cryptography because a square-root speedup on blind search is far weaker than what Shor’s does to public-key math. Lov Grover published it in 1996. It finds a target inside N possibilities in about √N steps instead of up to N, and against a cipher that means halving the effective security bits: an n-bit key drops to roughly n/2 bits of brute-force resistance.

Halving sounds alarming until you run the numbers. AES-128 drops to about 64 bits of effective strength, which is below the comfort line, so that’s the one symmetric primitive worth moving off of. AES-256 drops to about 128 bits, which stays comfortably out of reach for any conceivable machine. NIST states the remedy plainly: Grover’s speedup “does not render cryptographic technologies obsolete,” and “doubling the key size will be sufficient to preserve security.” Two facts make the real picture even more comfortable than that rule implies:

  1. Grover barely parallelizes. The √N speedup is fundamentally serial, so a thousand quantum machines buy about a 31x speedup rather than a thousandfold one. Classical brute force splits cleanly across machines; Grover’s does not, which erodes much of its edge.
  2. The circuits are enormous and deep. Running Grover’s against AES at scale demands fault-tolerant hardware executing extraordinarily long serial computations, which is why NIST assesses symmetric primitives as far less affected by quantum attacks than the public-key algorithms, needing only larger keys rather than replacement.

So the entire symmetric response is a parameter change: standardize on AES-256, keep SHA-256 for most work, and reach for SHA-384 where you want extra margin. Nothing needs a brand-new algorithm family the way public-key does.

Source: NIST, NISTIR 8105, csrc.nist.gov; Lov K. Grover, “A fast quantum mechanical algorithm for database search,” 1996, arXiv:quant-ph/9605043.

When will a quantum computer be able to break RSA?

No quantum computer can break RSA today, and none is close, because the hardware is off by orders of magnitude on every axis that matters: qubit count, error rate, and how long the qubits stay coherent. The threshold is a CRQC, and the whole question turns on one distinction the headlines routinely blur. Physical qubits are the noisy hardware, and leading machines have reached the low thousands of them. Logical qubits are error-corrected qubits built from hundreds to thousands of physical ones, and a CRQC needs thousands of logical qubits, which today means millions of high-quality physical ones. That ratio is the core reason no CRQC exists.

Peer-reviewed resource estimates put concrete numbers on the gap, and they’re a moving research target rather than a fixed wall:

TargetAttackLogical qubitsPhysical qubitsRuntimeSource
RSA-2048factoring~6,10020 million noisy8 hoursGidney and Ekerå, 2021
RSA-2048factoring (optimized)not statedunder 1 million noisyunder 1 weekGidney, 2025
ECC P-256discrete log~2,330millions after correctionnot statedRoetteler et al., 2017

Sources: Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” Quantum 5, 433, 2021, arXiv:1905.09749. Craig Gidney, “How to factor 2048 bit RSA integers with less than a million noisy qubits,” 2025, arXiv:2505.15917. Martin Roetteler, Michael Naehrig, Krysta M. Svore, Kristin Lauter, “Quantum resource estimates for computing elliptic curve discrete logarithms,” 2017, arXiv:1706.06752.

The physical-qubit estimate has dropped fast as the engineering improves, from twenty million in 2019 to under a million by 2025, so the timeline is best treated as a band rather than a date. Credible assessments put a capable machine plausibly in the 2030 to 2040 range, and U.S. federal policy fixes a planning horizon regardless of the exact arrival: NIST IR 8547 deprecates RSA and elliptic-curve cryptography by 2030 and disallows them by 2035, and CNSA 2.0 sets a parallel timeline for national-security systems. How close the machine actually is, measured in logical qubits and fidelity, is what sets the clock in the risk models.

Source: NIST, “Transition to Post-Quantum Cryptography Standards,” NIST IR 8547 (initial public draft), 2024, nvlpubs.nist.gov.

Which of my data is actually at risk, and how soon?

Knowing that a quantum computer will eventually break RSA isn’t actionable on its own. The risk models turn that fact into a real answer to the only question that matters to you: which data is at risk, and how soon do you have to move. There are two threat clocks, and they run on completely different schedules, which is the distinction teams get wrong most often.

The first clock is already ticking. The second doesn’t start until the machine is real:

Harvest Now, Decrypt LaterTrust forgery (Non-HNDL)
Core questionCan data encrypted now be read later?Can identity or trust be forged once the math breaks?
What it threatensConfidentialityIntegrity and authentication
When it bitesThe exposure is live now, collection is happening todayOnly once a CRQC actually exists
Cryptographic driversRSA key transport, DH, ECDH, X25519RSA signatures, ECDSA, Ed25519, the certificate ecosystem
Worst caseRetroactive breach of long-lived secretsPKI collapse, universal certificate forgery
Primary replacementML-KEMML-DSA / SLH-DSA

Source: NIST IR 8547 (initial public draft), 2024, nvlpubs.nist.gov.

HNDL is the one that surprises people, because it makes waiting expensive today. An adversary records your encrypted traffic now, stores it cheaply, and decrypts it years later once a CRQC can break the key exchange that set up the session. That harvesting is measurable already: a 2026 survey of 8,443 real-world Nginx TLS configurations found 28.9% relied on RSA key exchange with no forward secrecy, so any session recorded against those endpoints can be decrypted retroactively once the server’s long-term key is recovered.

Source: Balaji et al., “Operationalising Post-Quantum TLS,” 2026, arXiv:2605.17955.

Trust forgery runs on the later clock but is a present-day planning problem for one reason: it needs a live machine to execute, yet the migration to prevent it takes 3 to 7 years, so an organization starting late could still be mid-migration when the machine arrives. Its worst case, PKI collapse, breaks a Certificate Authority’s root signing key and makes every certificate under it forgeable at once, with a recovery measured in years.

How do you turn the threat into your own deadline?

You turn the abstract threat into a personal deadline with Mosca’s theorem, which is one line of arithmetic: X + Y > Z. If the years your data must stay secure (X), plus the years it takes you to migrate (Y), exceed the years until a capable quantum computer arrives (Z), then you are already too late. The theorem works because Z is uncertain, not in spite of it. You don’t need to predict the arrival date to know which assets are too important to gamble on.

Three models stack into a prioritized queue:

  1. Mosca’s theorem is the clock. It tells you when, by comparing required secrecy lifetime plus migration time against the break horizon.
  2. HNDL and Non-HNDL are the two kinds of exposure. They tell you what kind of risk you carry and on which clock.
  3. Blast radius sizes the damage. It tells you how bad, separating a contained weakness from one that takes the whole estate down with it.

Put together, the clock tells you when, the exposure types tell you what kind, and blast radius tells you how bad. That’s a prioritized migration queue, which is exactly what Doing the Work picks up. The industry survey estimates that feed the Z variable live in the Quantum Threat Timeline, and the machine the clock counts down to is the CRQC.

Common misconceptions

  • “Quantum computers break all encryption.” They break public-key cryptography. Symmetric encryption (AES-256) and hashing (SHA-256, SHA-3) survive with larger parameters, so the transition is overwhelmingly a public-key migration.
  • “A qubit-count record means RSA is about to fall.” The metric that matters is error-corrected logical qubits with enough circuit depth. Today’s thousands of noisy physical qubits are far below the millions needed, and raw counts on noisy machines aren’t CRQC progress.
  • “There’s nothing to do until a quantum computer exists.” Harvested data is exposed retroactively and migration takes years, so waiting for the machine guarantees you finish too late for anything already collected. That’s the Mosca argument.
  • “RSA is stronger than elliptic-curve crypto, so it survives longer.” Against a quantum attacker the opposite holds. ECC needs fewer logical qubits to break, so ECC P-256 is an easier target than RSA-2048.
  • “Shor’s and Grover’s are basically the same quantum attack.” Conflating them is the most common quantum-crypto error. Shor’s breaks public-key math outright; Grover’s only speeds up brute-force search, which a longer key handles.
  • “Only nation-states can afford to harvest encrypted traffic.” Cloud cold storage costs a fraction of a cent per gigabyte per month, so warehousing large volumes of ciphertext sits well within reach of ordinary commercial actors.

Questions people ask

What is the difference between Shor’s and Grover’s algorithms? Shor’s gives an exponential speedup that solves factoring and discrete logarithms, so it breaks public-key cryptography (RSA, ECC, Diffie-Hellman) completely. Grover’s gives a quadratic speedup on blind search, so it only halves the strength of symmetric ciphers and hashes, which a bigger key restores. Shor means new algorithms; Grover means larger parameters.

Does a quantum computer exist that can break encryption today? No. Breaking RSA-2048 needs thousands of error-corrected logical qubits, realized as roughly a million or more high-quality physical qubits, and today’s leading machines have only reached the low thousands of noisy physical qubits. The gap is large and the bottleneck is error correction, not raw qubit count.

If the machine is years away, why migrate now? Because of harvest-now-decrypt-later and lead time. Data recorded today decrypts when a CRQC arrives, and a full migration across a large estate takes years, so Mosca’s X + Y > Z can already be true for your most sensitive data.

Does quantum computing break AES-256? No. AES-256 faces only Grover’s algorithm, which halves its effective strength to about 128 bits, which stays safe. The one symmetric primitive worth moving off is AES-128, which drops to about 64 bits.

Which of my systems are most at risk? The public-key layer that establishes encrypted sessions and signs certificates, not the bulk symmetric encryption. Long-lived confidential data protected by RSA, DH, or ECDH key exchange carries live HNDL risk, and roots of trust signed with quantum-vulnerable keys carry the highest blast radius.

What replaces the broken cryptography? The NIST post-quantum standards: ML-KEM for key establishment, and ML-DSA with SLH-DSA for signatures. They rest on lattice and hash-based problems with no known efficient quantum attack. The full set is in the new standards.

When do U.S. regulations require the migration? NIST IR 8547 deprecates RSA and elliptic-curve cryptography by 2030 and disallows them by 2035, and CNSA 2.0 sets a parallel timeline for national-security systems. The full picture is in the mandates.

Go deeper

The threat only makes sense in three moves, in order, and each is its own sub-domain hub.

The machine, what a quantum computer is: Quantum Computing MOC covers how a qubit, superposition, entanglement, and error correction build a machine that can eventually threaten cryptography, with only as much physics as you need.

Breaking today’s cryptography, the two algorithms: Breaking Today’s Cryptography MOC covers Shor’s and Grover’s, the very different damage each does, and the full list of what actually falls.

Reasoning about the risk, the models: Quantum Risk Models MOC covers Mosca’s theorem (the clock), HNDL and Non-HNDL (the two kinds of exposure), blast radius (the damage), the CRQC the clock counts down to, and the Quantum Threat Timeline.

The wider lens: Quantum Risk Beyond Cryptography names the non-cryptographic quantum-risk categories (sensing, communications, analytics, and strategic capability) while keeping the cryptographic risk as the one your team acts on now.

The honest counter-case: Is the Quantum Threat Overhyped gives the skeptic’s steelman its full weight and then works through the rebuttal, so the urgency rests on evidence rather than on marketing. Field notes: What a Quantum Computer Can Actually Break (the clean myth-vs-fact on Q-Day, Bitcoin, and what actually breaks) · The 40-Year Warning (the field knew cryptography had to stay replaceable and mostly didn’t build for it).

Going deeper on the symmetric side: Grover on AES is the full treatment of what Grover’s algorithm does to the Advanced Encryption Standard, why AES-128 drops to about 64-bit strength and AES-256 stays safe at about 128-bit, and why NIST views Grover as far less threatening than a naive read suggests.

Who is actually collecting: Store-Now-Decrypt-Later Actor Landscape is the sober, sourced case for who is plausibly harvesting encrypted traffic today, grounded in federal assessments and the economics of bulk collection rather than in unprovable attribution, so the HNDL argument stands on verifiable ground.

Why there’s no warning: The No-Warning Problem explains why a cryptographically relevant quantum computer is unlikely to be announced, the classified-versus-public capability gap, and why the rational trigger is Mosca’s timing rather than a headline that may never come.

Blockchain risk: Bitcoin and Blockchain Quantum Risk is the sober, sourced treatment of what a quantum computer actually threatens in Bitcoin: ECDSA signatures broken by Shor’s, SHA-256 mining only dented by Grover’s, exposed versus hash-protected addresses, the estimated exposed supply, and the post-quantum soft-fork fix.

The way out of here is The Transition. Once you know what breaks and how urgently, the next question is what replaces it.


Everything here is the map, given freely. When your team needs the threat turned into a risk picture built for your own systems, data lifetimes, and deadline, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.