How Quantum Computing Will Break Encryption
Quantum computers will eventually break RSA and ECC encryption. The timeline is uncertain, but the mathematics is not. This guide explains what is fact, what remains theoretical, and why organisations should begin post-quantum preparation now.

What is actually true, what is still theoretical, and what organisations should be doing right now
Quantum computing will break the encryption that protects most of the internet's secure communications. This is not conjecture. It is a mathematical certainty, given a sufficiently powerful quantum computer. The question that matters for security professionals is not whether this will happen, but when, and what needs to be done before it does.
This article separates what is established fact from what is still theoretical, explains the specific threat mechanisms in accessible terms, and describes what organisations and individuals should be doing right now. The urgency is real but calibrated.
The threat is real. The timeline is uncertain. The preparation requirement is immediate. "Harvest now, decrypt later" attacks mean that data encrypted today with RSA or ECC may be decrypted in the future by an adversary who stored it. For data with long-term sensitivity (state secrets, medical records, financial assets), the quantum threat is already relevant today.
The Cryptographic Threat: What Shor's Algorithm Does
In 1994, mathematician Peter Shor published an algorithm that, running on a sufficiently powerful quantum computer, can factor large integers exponentially faster than any known classical algorithm. This matters because RSA encryption, which protects the majority of internet communications including HTTPS, VPNs, digital signatures, and PKI, relies on the mathematical difficulty of factoring large numbers. A classical computer would take billions of years to factor a 2048-bit RSA key. A sufficiently powerful quantum computer running Shor's algorithm could do it in hours.
ECC (Elliptic Curve Cryptography), which is used in many modern systems including TLS 1.3 and blockchain, is similarly vulnerable. Shor's algorithm can solve the elliptic curve discrete logarithm problem with the same exponential speedup. AES symmetric encryption, by contrast, is less severely affected: Grover's algorithm provides a quadratic speedup against AES, which is addressed by simply doubling the key length (AES-256 instead of AES-128).
The cryptographic systems at risk from a sufficiently powerful quantum computer include RSA, ECC, Diffie-Hellman, and DSA, the algorithms that underpin HTTPS, digital certificates, code signing, VPNs, and PKI. AES-256 is considered quantum-resistant with its current key length. The problem is that RSA and ECC are everywhere.
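The reduction that makes Shor's algorithm a threat to RSA, as an added illustration (not code from the article): factoring N reduces to finding the order r of a base a modulo N. The quantum computer only performs that order-finding step; here it is done by brute force on a constructed toy modulus, which is exactly the part that is exponential classically. The classical post-processing that turns the order into a factor is shown in full. All names and the sample modulus are this example's own.

```python
"""Classical post-processing of Shor's algorithm on a toy modulus.

Added illustration, not code from the original article. Shor's algorithm
reduces factoring N to finding the order r of a base a modulo N (the
smallest r > 0 with a**r % N == 1). The quantum circuit only does that
order-finding step; everything else is ordinary number theory. Here the
order is found by brute force, which is exponential in the bit length of
N and is precisely the step a quantum computer accelerates.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Brute-force order of a modulo n (the step Shor's algorithm makes fast)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int):
    """Derive a non-trivial factor of n from the order r of a, or None.

    If r is even and a**(r/2) is not -1 mod n, then
    (a**(r/2) - 1) * (a**(r/2) + 1) == a**r - 1 == 0 (mod n),
    so one of the two brackets shares a proper factor with n.
    """
    if r % 2:
        return None                      # odd order: pick another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial square root of 1
    for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < candidate < n:
            return candidate
    return None


def shor_classical(n: int, rng=random.Random(1)):
    """Return (p, q) with p * q == n, using order finding as the oracle.

    n is assumed to be a composite with at least two distinct prime factors;
    the loop retries with fresh bases until the order yields a factor.
    """
    if n % 2 == 0:
        return 2, n // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:                       # lucky base already shares a factor
            return g, n // g
        p = factor_from_order(a, find_order(a, n), n)
        if p is not None:
            return p, n // p


if __name__ == "__main__":
    # Constructed toy modulus: 3233 = 61 * 53. A real RSA-2048 modulus has
    # 617 decimal digits, and find_order() would never finish on it.
    print(shor_classical(3233))
```

The point of the example is where the cost lives: `find_order` is the only function a quantum computer replaces, and it is the only one that does not scale.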
The Current State: How Far Are We?
Quantum computing in 2026 has not yet broken RSA. The largest quantum computers currently available have hundreds to low thousands of physical qubits, with significant error rates. Breaking 2048-bit RSA with Shor's algorithm is estimated to require millions of logical (error-corrected) qubits. Error correction in quantum computing requires many physical qubits per logical qubit, potentially thousands.
IBM, Google, and IonQ are leading the development of quantum hardware. IBM has published a roadmap toward error-corrected quantum computing. Google's Willow chip (2024) demonstrated meaningful progress in quantum error correction. No credible estimate places cryptographically relevant quantum computing, capable of breaking 2048-bit RSA, before the early 2030s at the earliest, and many experts place it significantly later.
The caveat: classified quantum computing programmes may be further advanced than public knowledge indicates. State-level adversaries with specific intelligence-gathering motivations have significant incentives to accelerate quantum development and withhold progress disclosures.
"Harvest now, decrypt later" attacks
The most immediate practical threat is not the existence of a cryptographically relevant quantum computer today. It is that adversaries, most plausibly nation-state intelligence agencies, are intercepting and storing encrypted communications today, with the intention of decrypting them when quantum capability becomes available. For data that retains its value over a 10 to 20 year horizon (diplomatic communications, long-term financial strategies, medical research, intellectual property), the threat is present now.
The data you encrypt today with RSA-2048 and store for 15 years may be decryptable in 2040. If that data has value in 2040, the quantum threat is relevant to your decisions in 2026. This is the framing that moves post-quantum migration from a future problem to a present one for certain data categories.
Post-Quantum Cryptography: The Response
NIST (the US National Institute of Standards and Technology) finalised its first post-quantum cryptography standards in August 2024. The standardised algorithms, ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures, are the algorithms that should replace RSA and ECC in new systems and be the migration target for existing ones.
ML-KEM (CRYSTALS-Kyber)
The standard for key encapsulation and key exchange. Replaces RSA and Diffie-Hellman for establishing shared secrets. Based on the learning-with-errors problem, which is believed to be hard for both classical and quantum computers. Already available in recent versions of OpenSSL, Go's standard library, and several major VPN implementations.
ML-DSA (CRYSTALS-Dilithium)
The standard for digital signatures. Replaces ECDSA and RSA signatures for code signing, certificate authorities, and document signatures. Also lattice-based and believed to be quantum-resistant.
The migration challenge
Post-quantum algorithms have larger key sizes and signature sizes than their classical equivalents. This has performance and bandwidth implications for systems that exchange keys or verify signatures at scale. The migration from RSA and ECC to post-quantum algorithms is not a drop-in replacement in most systems; it requires engineering work, protocol updates, and in some cases hardware changes.
TLS libraries: TLS 1.3 can be extended to support post-quantum key exchange through hybrid approaches (combining classical and post-quantum algorithms). Browser vendors have begun deploying hybrid PQ/classical TLS.
Certificate authorities and PKI: the CA/Browser Forum is working on post-quantum certificate standards. The transition will require new root certificates and re-issuance of all existing certificates to new algorithms.
Code signing: software supply chain security requires post-quantum code signing to prevent future decryption of software update authentication.
VPNs and remote access: IPsec and TLS-based VPNs need post-quantum key exchange. Enterprise VPN vendors are beginning to publish post-quantum migration roadmaps.
The post-quantum migration is not a single project. It is a multi-year programme of cryptographic hygiene: auditing every system that uses RSA or ECC, prioritising those that handle long-term sensitive data, and sequencing the migration by risk and feasibility. NIST has published the standards. The engineering work is the security industry's job.
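The hybrid key exchange mentioned above, as an added example that is not code from the article or from any TLS implementation. It shows the principle: both the classical and the post-quantum shared secrets are fed into one key-derivation function, so the session key stays secret as long as either component remains unbroken. The two inputs are constructed stand-ins for the outputs of an X25519 exchange and an ML-KEM decapsulation (a real deployment obtains them from a crypto library); the KDF is HKDF per RFC 5869 built from the standard library, and the labels and transcript string are this example's own assumptions.

```python
"""Hybrid classical/post-quantum shared-secret combiner.

Added example, not from the article or any library. A hybrid key exchange
derives the session key from BOTH shared secrets, so an attacker has to
break both the classical and the post-quantum component. The shared-secret
inputs below are constructed stand-ins, not real X25519 or ML-KEM output.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from the concatenated shared secrets.

    Classical secret first, then the post-quantum secret, bound to the
    handshake transcript. The label string is this example's own, not a
    value taken from any standard.
    """
    if len(classical_ss) != 32 or len(pq_ss) != 32:
        raise ValueError("expected 32-byte shared secrets")
    prk = hkdf_extract(salt=b"\x00" * 32, ikm=classical_ss + pq_ss)
    return hkdf_expand(prk, b"hybrid-session-key" + transcript, length)


def demo():
    """Show that losing either component alone does not reveal the session key."""
    # Constructed stand-ins; a real client gets these from X25519 and ML-KEM.
    classical_ss = hashlib.sha256(b"x25519 stand-in").digest()
    pq_ss = hashlib.sha256(b"ml-kem stand-in").digest()
    transcript = b"ClientHello||ServerHello"

    key = combine_shared_secrets(classical_ss, pq_ss, transcript)
    # An attacker who later breaks the classical part (Shor) still lacks pq_ss;
    # one who breaks the PQ part still lacks classical_ss. Either way the
    # derived key is unrelated to the real one.
    wrong_classical = combine_shared_secrets(os.urandom(32), pq_ss, transcript)
    wrong_pq = combine_shared_secrets(classical_ss, os.urandom(32), transcript)
    return key, wrong_classical, wrong_pq


if __name__ == "__main__":
    real, bad_c, bad_pq = demo()
    print("session key:", real.hex())
    print("classical broken, PQ intact ->", bad_c != real)
    print("PQ broken, classical intact ->", bad_pq != real)
```

The design choice worth noting is that the combiner is only as good as its KDF and the binding to the transcript; hybrid designs get their "secure if either holds" property from concatenating the secrets before extraction, not from any property of the individual algorithms.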
What Organisations Should Do Now
Conduct a cryptographic inventory: Identify every system that uses RSA, ECDSA, or Diffie-Hellman. This includes TLS certificates, VPNs, code signing systems, SSH keys, email encryption (S/MIME, PGP), and any custom cryptographic implementations.
Prioritise by data sensitivity and retention period: Systems handling data that will remain sensitive for 10+ years are the highest priority for post-quantum migration. State secrets, medical records, long-term financial data, and intellectual property fall in this category.
Assess vendor readiness: For every cryptographic system in the inventory, identify when the vendor plans to support post-quantum algorithms. Build vendor roadmap requirements into procurement and contract renewal processes.
Begin hybrid migration where possible: Deploy hybrid classical/post-quantum key exchange in TLS and VPN systems where supported. This protects against both classical and quantum threats simultaneously.
Update cryptographic standards documentation: Ensure that internal security standards specify post-quantum algorithm requirements for new systems. Preventing new classical-only RSA deployments is easier than migrating existing ones.
Monitor NIST and NCSC guidance: Both agencies are publishing ongoing post-quantum migration guidance. Security teams should be tracking and implementing this guidance as it evolves.
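The inventory and prioritisation steps above, together with the "harvest now, decrypt later" framing earlier in the article, as an added worked example that is not part of the original. It triages a constructed inventory: an asset is exposed when a quantum-vulnerable algorithm protects data that is still sensitive in the year a cryptographically relevant quantum computer (CRQC) is assumed to exist, because ciphertext captured today can be decrypted then. The CRQC year, the inventory rows, and the algorithm lists are assumptions chosen for illustration, not estimates from the article.

```python
"""Cryptographic inventory triage for post-quantum migration.

Added example, not from the article. Each inventory row records the
algorithm in use, how long the protected data stays sensitive, and the
estimated migration effort. Rows are ranked so that long-retention data
behind quantum-vulnerable algorithms comes first.
"""
from dataclasses import dataclass

# Algorithms the article lists as broken by Shor's algorithm, and those it
# describes as quantum-resistant at current parameters (assumed lists).
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "DH-2048"}
QUANTUM_RESISTANT = {"AES-256", "ML-KEM-768", "ML-DSA-65"}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    algorithm: str
    retention_years: int   # how long the protected data stays sensitive
    migration_years: int   # estimated effort to move this system to PQC


def classify(asset: CryptoAsset, current_year: int, crqc_year: int):
    """Return (status, years_exposed) for one asset.

    exposed : vulnerable algorithm and the data is still sensitive in the
              assumed CRQC year, so ciphertext captured now can be decrypted
              while it still matters ("harvest now, decrypt later").
    migrate : vulnerable algorithm, but the data loses value before the CRQC
              year; it must still move to PQC before then, at lower priority.
    safe    : quantum-resistant algorithm at its current parameters.
    review  : algorithm in neither list (custom code); needs manual analysis.
    """
    if asset.algorithm in QUANTUM_RESISTANT:
        return "safe", 0
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "review", 0
    sensitive_until = current_year + asset.retention_years
    years_exposed = max(0, sensitive_until - crqc_year)
    return ("exposed", years_exposed) if years_exposed else ("migrate", 0)


def prioritise(inventory, current_year: int, crqc_year: int):
    """Rank assets: exposed (longest exposure first), then review, migrate, safe."""
    order = {"exposed": 0, "review": 1, "migrate": 2, "safe": 3}
    rows = []
    for asset in inventory:
        status, years = classify(asset, current_year, crqc_year)
        # Exposed data is already being harvested, so the honest start date
        # is now; otherwise migration only has to finish before the CRQC year.
        start_by = current_year if status == "exposed" else crqc_year - asset.migration_years
        rows.append({"system": asset.system, "algorithm": asset.algorithm,
                     "status": status, "years_exposed": years,
                     "start_migration_by": start_by})
    rows.sort(key=lambda r: (order[r["status"]], -r["years_exposed"], r["system"]))
    return rows


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    CryptoAsset("medical-records-archive", "RSA-2048", retention_years=30, migration_years=3),
    CryptoAsset("public-website-tls", "ECDH-P256", retention_years=1, migration_years=1),
    CryptoAsset("code-signing", "ECDSA-P256", retention_years=10, migration_years=2),
    CryptoAsset("backup-encryption", "AES-256", retention_years=30, migration_years=0),
    CryptoAsset("legacy-hsm-app", "custom-rsa-variant", retention_years=5, migration_years=4),
]

if __name__ == "__main__":
    # Assumed for illustration: today is 2026 and a CRQC is assumed for 2035.
    for row in prioritise(SAMPLE_INVENTORY, current_year=2026, crqc_year=2035):
        print(row)
```

Running it with the assumed dates puts the 30-year medical archive first even though its migration is the largest, which is the article's point: retention period, not migration convenience, drives the order.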
