<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Quantum Sequrity</title>
    <description>The latest articles on Forem by Quantum Sequrity (@quantumsequrity).</description>
    <link>https://forem.com/quantumsequrity</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3873995%2Fd357c939-4c0a-4b21-a1f1-c172252b4753.png</url>
      <title>Forem: Quantum Sequrity</title>
      <link>https://forem.com/quantumsequrity</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/quantumsequrity"/>
    <language>en</language>
    <item>
      <title>Why Quantum Computers Threaten Classical Encryption</title>
      <dc:creator>Quantum Sequrity</dc:creator>
      <pubDate>Tue, 28 Apr 2026 13:00:26 +0000</pubDate>
      <link>https://forem.com/quantumsequrity/why-quantum-computers-threaten-classical-encryption-459d</link>
      <guid>https://forem.com/quantumsequrity/why-quantum-computers-threaten-classical-encryption-459d</guid>
      <description>&lt;h1&gt;
  
  
  Why Quantum Computers Threaten Classical Encryption
&lt;/h1&gt;


&lt;h2&gt;
  
  
  The Foundation of Modern Encryption
&lt;/h2&gt;

&lt;p&gt;Nearly every secure communication on the internet today relies on a small set of mathematical problems that are extraordinarily difficult for classical computers to solve. Online banking, email encryption, VPNs, HTTPS, code signing, and secure messaging all depend on the assumption that these problems will remain hard to crack. That assumption is about to be challenged.&lt;/p&gt;

&lt;p&gt;To understand the quantum threat, you first need to understand what classical encryption actually relies on. There are two major categories of hard problems at the heart of modern public-key cryptography:&lt;/p&gt;

&lt;h3&gt;
  
  
  Integer Factorization (RSA)
&lt;/h3&gt;

&lt;p&gt;RSA, the most widely deployed public-key algorithm, relies on the difficulty of factoring the product of two large prime numbers. Given two primes &lt;em&gt;p&lt;/em&gt; and &lt;em&gt;q&lt;/em&gt;, computing their product &lt;em&gt;n = p * q&lt;/em&gt; is trivial. But given only &lt;em&gt;n&lt;/em&gt;, finding &lt;em&gt;p&lt;/em&gt; and &lt;em&gt;q&lt;/em&gt; is computationally infeasible when &lt;em&gt;n&lt;/em&gt; is sufficiently large (2048 bits or more). The best known classical algorithms for factoring, such as the General Number Field Sieve, require sub-exponential time. For RSA-2048, this translates to an estimated computational effort that would take billions of years on the fastest supercomputers.&lt;/p&gt;

&lt;h3&gt;
  
  
  Discrete Logarithm Problem (DH, ECDH, ECDSA, DSA)
&lt;/h3&gt;

&lt;p&gt;Diffie-Hellman key exchange, elliptic curve Diffie-Hellman (ECDH), ECDSA, and DSA all rely on variants of the discrete logarithm problem. In the finite field setting, given a generator &lt;em&gt;g&lt;/em&gt;, a prime &lt;em&gt;p&lt;/em&gt;, and a value &lt;em&gt;g^x mod p&lt;/em&gt;, finding &lt;em&gt;x&lt;/em&gt; is computationally hard. The elliptic curve variant replaces modular arithmetic with operations on points of an elliptic curve, where finding the scalar multiplier from a known base point and result point is similarly intractable. ECC achieves equivalent security to RSA with much smaller key sizes: a 256-bit ECC key provides roughly the same security as a 3072-bit RSA key.&lt;/p&gt;

&lt;p&gt;These mathematical problems have served as the bedrock of internet security for decades. RSA was published in 1977. Diffie-Hellman was described in 1976. ECC gained widespread adoption in the 2000s. All of them share one critical vulnerability: they can be solved efficiently by a sufficiently powerful quantum computer.&lt;/p&gt;

&lt;h2&gt;
  
  
  Shor's Algorithm: Breaking Public-Key Cryptography
&lt;/h2&gt;

&lt;p&gt;In 1994, mathematician Peter Shor published a quantum algorithm that factors integers and computes discrete logarithms in polynomial time. This was a theoretical bombshell. On a classical computer, factoring a 2048-bit number is practically impossible. On a quantum computer running Shor's algorithm, it becomes feasible.&lt;/p&gt;

&lt;p&gt;Shor's algorithm works by exploiting quantum mechanical properties, specifically superposition and entanglement, to find the period of a modular exponential function. Once the period is known, classical number theory can extract the prime factors. The key insight is that quantum computers can evaluate many possibilities simultaneously through superposition, and quantum interference amplifies the correct answers while canceling out wrong ones.&lt;/p&gt;

&lt;p&gt;What does "polynomial time" mean in practice? For factoring, the best classical algorithms run in sub-exponential time, roughly proportional to &lt;em&gt;e^(n^(1/3))&lt;/em&gt; where &lt;em&gt;n&lt;/em&gt; is the bit length. Shor's algorithm runs in time proportional to &lt;em&gt;n^3&lt;/em&gt;. The difference is staggering. Doubling the key size from 2048 to 4096 bits makes classical factoring dramatically harder, but only modestly increases the work for Shor's algorithm.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What Shor's Algorithm Breaks&lt;/strong&gt;&lt;br&gt;
 RSA (all key sizes), DSA, ECDSA, ECDH, Diffie-Hellman, and any cryptosystem whose security depends on integer factorization or discrete logarithms. Increasing key sizes does not help: Shor's algorithm scales polynomially regardless of key length.&lt;/p&gt;

&lt;p&gt;It is important to be precise: Shor's algorithm requires a fault-tolerant quantum computer with a sufficient number of logical qubits. Current quantum computers are noisy and error-prone, with qubit counts in the low thousands. Running Shor's algorithm against RSA-2048 is estimated to require several thousand logical qubits, which in turn require millions of physical qubits due to error correction overhead. We are not there yet, but progress is steady.&lt;/p&gt;

&lt;h2&gt;
  
  
  Grover's Algorithm: Weakening Symmetric Encryption
&lt;/h2&gt;

&lt;p&gt;Published in 1996 by Lov Grover, Grover's algorithm provides a quadratic speedup for unstructured search problems. In the context of cryptography, this means a brute-force search over a key space of size &lt;em&gt;N&lt;/em&gt; takes only &lt;em&gt;sqrt(N)&lt;/em&gt; operations on a quantum computer instead of &lt;em&gt;N&lt;/em&gt; operations on a classical computer.&lt;/p&gt;

&lt;p&gt;The practical impact on symmetric encryption is straightforward: Grover's algorithm effectively halves the security level. AES-128, which provides 128 bits of security against classical attacks, provides only 64 bits of security against a quantum attacker. Sixty-four bits is well within brute-force range and therefore insecure.&lt;/p&gt;

&lt;p&gt;However, AES-256, with 256 bits of classical security, would still provide 128 bits of security against quantum attacks. 128 bits of security remains far beyond any feasible brute-force attack, classical or quantum. This is why the cryptographic community considers AES-256 to be quantum-safe, provided the key is properly generated and managed.&lt;/p&gt;

&lt;p&gt;The same logic applies to hash functions. SHA-256 retains roughly 128 bits of collision resistance against quantum attackers, matching its 128-bit classical collision resistance (the birthday bound): collision search benefits from a different and, in realistic cost models, much smaller quantum speedup than the quadratic one Grover's algorithm gives key search. SHA-3 and BLAKE3 with 256-bit outputs similarly remain secure. The general guidance is to double the output size of symmetric primitives to maintain the same security margin against quantum attacks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which Algorithms Are Vulnerable?
&lt;/h2&gt;

&lt;p&gt;The quantum threat is not uniform. It specifically targets public-key (asymmetric) algorithms whose security is based on factoring or discrete logarithms. Here is the breakdown:&lt;/p&gt;

&lt;h3&gt;
  
  
  Broken by Quantum Computers
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;RSA&lt;/strong&gt; (all key sizes: 1024, 2048, 3072, 4096) -- integer factorization, broken by Shor's algorithm&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DSA&lt;/strong&gt; -- discrete logarithm in finite fields, broken by Shor's algorithm&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ECDSA&lt;/strong&gt; (P-256, P-384, P-521) -- elliptic curve discrete logarithm, broken by Shor's algorithm&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ECDH / X25519&lt;/strong&gt; -- elliptic curve Diffie-Hellman, broken by Shor's algorithm&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Diffie-Hellman&lt;/strong&gt; (classical, finite field) -- discrete logarithm, broken by Shor's algorithm&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ed25519 / Ed448&lt;/strong&gt; -- elliptic curve signatures, broken by Shor's algorithm&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Resistant to Quantum Computers (with sufficient key/output sizes)
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AES-256&lt;/strong&gt; -- 128-bit quantum security via Grover's, still considered safe&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AES-192&lt;/strong&gt; -- 96-bit quantum security, considered adequate&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SHA-3 (256-bit and above)&lt;/strong&gt; -- reduced but still sufficient security margins&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SHA-512&lt;/strong&gt; -- adequate collision resistance against quantum&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;BLAKE3 (256-bit output)&lt;/strong&gt; -- 128-bit quantum collision resistance&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;HMAC with 256-bit+ keys&lt;/strong&gt; -- unaffected by known quantum algorithms beyond Grover's&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The critical takeaway: symmetric algorithms and hash functions survive the quantum transition with larger key/output sizes. Public-key cryptography based on factoring or discrete logs does not survive at any key size. For a deeper introduction to the algorithms designed to replace them, see our guide on &lt;a href="https://quantumsequrity.com/blog/what-is-post-quantum-cryptography" rel="noopener noreferrer"&gt;what post-quantum cryptography is&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Timeline: When Will This Happen?
&lt;/h2&gt;

&lt;p&gt;Predicting when a cryptographically relevant quantum computer (CRQC) will exist is inherently uncertain. Estimates vary widely among experts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Conservative estimates (15-20+ years):&lt;/strong&gt; Many physicists and engineers point to the enormous engineering challenges of building fault-tolerant quantum computers at scale. Error correction overhead, qubit stability, and manufacturing consistency remain fundamental obstacles.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Aggressive estimates (5-10 years):&lt;/strong&gt; Some researchers and industry leaders believe rapid advances in qubit quality, error correction codes, and hybrid architectures could accelerate timelines significantly. Quantum computing investment has grown substantially, with major programs funded by governments and technology companies worldwide.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The honest answer is that nobody knows for certain. But this uncertainty itself is part of the threat. NIST noted in its report on post-quantum cryptography (NIST IR 8105, published in 2016) that the transition to quantum-resistant algorithms would take years or decades to complete across the global IT infrastructure. Waiting for certainty about quantum computing timelines means starting the migration too late.&lt;/p&gt;

&lt;h2&gt;
  
  
  The "Harvest Now, Decrypt Later" Threat
&lt;/h2&gt;

&lt;p&gt;Even if large-scale quantum computers are a decade or more away, there is an immediate and concrete threat that exists today. It is called "Harvest Now, Decrypt Later" (HNDL), also known as "Store Now, Decrypt Later."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How HNDL Works&lt;/strong&gt;&lt;br&gt;
 An adversary intercepts and stores encrypted communications today, while they are still protected by classical encryption. The adversary archives this data and waits. When a sufficiently powerful quantum computer becomes available, they use Shor's algorithm to recover the encryption keys and decrypt everything they have collected. The data does not need to be valuable today. It only needs to be valuable when it is eventually decrypted.&lt;/p&gt;

&lt;p&gt;Consider what types of data remain sensitive for years or decades: classified government communications, long-term trade secrets, medical records, legal documents, financial data, intellectual property, and personal information subject to privacy regulations. All of this data, if encrypted today with RSA or ECC alone, is potentially harvestable.&lt;/p&gt;

&lt;p&gt;Nation-state intelligence agencies have the storage capacity, network access, and strategic motivation to conduct HNDL operations at scale. This is not speculative; multiple government cybersecurity agencies have publicly warned about this threat. We cover this topic in detail in our post on the &lt;a href="https://quantumsequrity.com/blog/harvest-now-decrypt-later" rel="noopener noreferrer"&gt;Harvest Now, Decrypt Later&lt;/a&gt; attack.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Organizations Must Act Now
&lt;/h2&gt;

&lt;p&gt;The argument for immediate action does not depend on quantum computers arriving tomorrow. It depends on three factors:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Migration Takes Years
&lt;/h3&gt;

&lt;p&gt;Transitioning an organization's cryptographic infrastructure is not a software update. It involves inventorying every system that uses public-key cryptography, updating protocols, replacing certificates, testing interoperability, and retraining staff. For large enterprises and government agencies, this process takes 5 to 15 years. NIST began its post-quantum cryptography standardization process in 2016, and the first standards (FIPS 203, FIPS 204, and FIPS 205) were finalized on August 13, 2024 -- an eight-year effort just for standardization alone.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Data Has a Long Shelf Life
&lt;/h3&gt;

&lt;p&gt;If your encrypted data needs to remain confidential for 10, 20, or 30 years, and a quantum computer could emerge within that window, then that data is already at risk. The protection window of your encryption must exceed the combined time until a quantum computer exists plus the time to actually perform the decryption. For many types of sensitive data, this calculation already fails.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Compliance Is Moving
&lt;/h3&gt;

&lt;p&gt;Regulatory and compliance frameworks are beginning to incorporate post-quantum requirements. Organizations that wait will face both security risk and compliance gaps. The U.S. government has already directed federal agencies to begin transitioning to post-quantum cryptography.&lt;/p&gt;

&lt;h2&gt;
  
  
  The NIST Post-Quantum Solution
&lt;/h2&gt;

&lt;p&gt;Recognizing the quantum threat, NIST launched its Post-Quantum Cryptography Standardization Process in 2016, evaluating submissions from researchers worldwide. After multiple rounds of analysis and public review, NIST finalized three standards on August 13, 2024:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;FIPS 203 (ML-KEM)&lt;/strong&gt; -- Module-Lattice Key Encapsulation Mechanism, replacing RSA/ECDH for key exchange. Based on the hardness of the Module Learning With Errors problem. See our detailed explanation of &lt;a href="https://quantumsequrity.com/blog/ml-kem-explained" rel="noopener noreferrer"&gt;how ML-KEM works&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;FIPS 204 (ML-DSA)&lt;/strong&gt; -- Module-Lattice Digital Signature Algorithm, replacing RSA/ECDSA/DSA for digital signatures. Also based on lattice problems.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;FIPS 205 (SLH-DSA)&lt;/strong&gt; -- Stateless Hash-Based Digital Signature Algorithm, providing a conservative alternative for signatures based purely on hash function security.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These algorithms are designed so that no known quantum algorithm can break them efficiently. Their security is based on mathematical problems (lattice problems for ML-KEM and ML-DSA, hash function properties for SLH-DSA) that are believed to be hard for both classical and quantum computers. For a complete walkthrough of these standards, see our &lt;a href="https://quantumsequrity.com/blog/nist-fips-guide" rel="noopener noreferrer"&gt;NIST FIPS 203/204/205 guide&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Hybrid Approach: Belt and Suspenders
&lt;/h2&gt;

&lt;p&gt;Because post-quantum algorithms are relatively new compared to classical algorithms that have been studied for decades, many security experts recommend a hybrid approach: combining a post-quantum algorithm with a classical algorithm so that the system remains secure even if one of them is broken.&lt;/p&gt;

&lt;p&gt;For example, combining ML-KEM (quantum-resistant) with X25519 (classically proven) for key exchange means an attacker must break both the lattice problem and the elliptic curve discrete logarithm problem. If quantum computers never materialize, X25519 provides tried-and-true security. If they do, ML-KEM provides the quantum resistance. Neither failure mode leaves data exposed.&lt;/p&gt;

&lt;p&gt;This is the approach QNSQY takes for all encryption operations. We discuss the rationale in depth in our post on &lt;a href="https://quantumsequrity.com/blog/hybrid-encryption" rel="noopener noreferrer"&gt;why hybrid encryption matters&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Should Do Today
&lt;/h2&gt;

&lt;p&gt;Regardless of when you believe quantum computers will arrive, the following steps reduce your risk:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Inventory your cryptographic dependencies.&lt;/strong&gt; Know which systems use RSA, ECC, DH, DSA, and similar algorithms. Identify where keys are exchanged, where signatures are verified, and where long-term secrets are stored.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Prioritize data by sensitivity and lifespan.&lt;/strong&gt; Data that must remain confidential for 10+ years is at the highest risk from HNDL attacks and should be migrated first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Begin adopting post-quantum or hybrid encryption for new systems.&lt;/strong&gt; New deployments should use NIST-standardized algorithms (ML-KEM, ML-DSA) in hybrid mode with classical algorithms.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Encrypt stored data with quantum-resistant algorithms.&lt;/strong&gt; Files and archives encrypted today with RSA or ECC alone are vulnerable. Re-encrypting with hybrid PQC provides long-term protection.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Follow NIST guidance.&lt;/strong&gt; NIST IR 8105 and the FIPS 203/204/205 standards provide authoritative guidance on algorithm selection and migration planning.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Summary
&lt;/h2&gt;

&lt;p&gt;Classical public-key encryption, the kind that protects nearly all internet communications today, is built on mathematical problems that quantum computers can solve efficiently. Shor's algorithm breaks RSA, ECC, DH, and DSA. Grover's algorithm weakens symmetric encryption but does not break it at 256-bit key sizes. The timeline for a cryptographically relevant quantum computer is uncertain, but the "Harvest Now, Decrypt Later" threat means data encrypted today is already at risk. NIST has published new post-quantum standards to address this. The migration will take years. The time to start is now.&lt;/p&gt;

&lt;h3&gt;
  
  
  Sources
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/publications/detail/nistir/8105/final" rel="noopener noreferrer"&gt;NIST IR 8105 -- Report on Post-Quantum Cryptography (2016)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/projects/post-quantum-cryptography" rel="noopener noreferrer"&gt;NIST Post-Quantum Cryptography Standardization Process&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/203/final" rel="noopener noreferrer"&gt;NIST FIPS 203 -- Module-Lattice-Based Key-Encapsulation Mechanism Standard (2024)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/204/final" rel="noopener noreferrer"&gt;NIST FIPS 204 -- Module-Lattice-Based Digital Signature Standard (2024)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/205/final" rel="noopener noreferrer"&gt;NIST FIPS 205 -- Stateless Hash-Based Digital Signature Standard (2024)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Shor, P. "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994.&lt;/li&gt;
&lt;li&gt;Grover, L. "A Fast Quantum Mechanical Algorithm for Database Search." Proceedings of the 28th Annual ACM Symposium on Theory of Computing, 1996.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Related Articles
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/what-is-post-quantum-cryptography" rel="noopener noreferrer"&gt;What is Post-Quantum Cryptography?&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/classical-vs-quantum-safe-encryption" rel="noopener noreferrer"&gt;Classical vs Quantum-Safe Encryption Compared&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/harvest-now-decrypt-later" rel="noopener noreferrer"&gt;Harvest Now, Decrypt Later Threat&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/quantum-computing-encryption-timeline" rel="noopener noreferrer"&gt;When Will Quantum Computers Break Encryption?&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Protect Your Data Against Quantum Threats
&lt;/h3&gt;

&lt;p&gt;QNSQY uses ML-KEM + X25519 hybrid encryption by default, providing quantum resistance today.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://quantumsequrity.com/blog/why-quantum-threatens-classical-encryption" rel="noopener noreferrer"&gt;quantumsequrity.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>postquantumcryptography</category>
      <category>harvestnowdecryptlater</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
    <item>
      <title>What is Post-Quantum Cryptography?</title>
      <dc:creator>Quantum Sequrity</dc:creator>
      <pubDate>Mon, 27 Apr 2026 13:00:49 +0000</pubDate>
      <link>https://forem.com/quantumsequrity/what-is-post-quantum-cryptography-m3b</link>
      <guid>https://forem.com/quantumsequrity/what-is-post-quantum-cryptography-m3b</guid>
      <description>&lt;h1&gt;
  
  
  What is Post-Quantum Cryptography?
&lt;/h1&gt;


&lt;h2&gt;
  
  
  What Cryptography Actually Protects
&lt;/h2&gt;

&lt;p&gt;Before we talk about "post-quantum" anything, it helps to understand what cryptography does for you right now, every single day, without you ever thinking about it.&lt;/p&gt;

&lt;p&gt;When you check your bank balance on your phone, cryptography prevents the person sitting next to you at the coffee shop from seeing your account number. When your doctor sends your blood test results to a specialist, cryptography keeps that data private as it crosses the internet. When a company stores its customer database, cryptography makes sure that a hacker who steals the hard drive gets a pile of unreadable noise instead of millions of credit card numbers.&lt;/p&gt;

&lt;p&gt;Cryptography is not just about passwords or spy movies. It protects banking transactions (trillions of dollars per day flow through encrypted channels), medical records (governed by laws like HIPAA in the US and GDPR in Europe), government communications (military orders, diplomatic cables, intelligence reports), legal documents (attorney-client privilege relies on encrypted email and storage), and personal data (your photos, messages, browsing history, and location data).&lt;/p&gt;

&lt;p&gt;All of this protection depends on mathematical problems that are very hard for computers to solve. The entire system works because breaking the math would take a conventional computer longer than the age of the universe. Post-quantum cryptography exists because quantum computers threaten to change that equation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Point:&lt;/strong&gt; Post-quantum cryptography runs on regular computers today. You do not need a quantum computer to use it. You need it to defend against quantum computers.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Quantum Computers Actually Change
&lt;/h2&gt;

&lt;p&gt;A quantum computer is not just a faster version of your laptop. It works on fundamentally different principles. Where a classical computer stores information as bits (each bit is either 0 or 1), a quantum computer uses qubits, which can exist in a superposition of both 0 and 1 simultaneously. This allows quantum computers to explore many possible solutions at the same time, rather than checking them one by one.&lt;/p&gt;

&lt;p&gt;For most everyday tasks (browsing the web, editing documents, playing games), quantum computers offer no advantage. They are not universally faster. But for certain very specific mathematical problems, they are devastatingly effective.&lt;/p&gt;

&lt;p&gt;The two quantum algorithms that matter for cryptography are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Shor's Algorithm (1994)&lt;/strong&gt;: This can factor large numbers and compute discrete logarithms exponentially faster than any known classical algorithm. RSA, ECDH, DSA, and every other widely-used public-key algorithm today relies on one of these two problems. Shor's algorithm breaks all of them. An RSA-2048 key that would take a classical supercomputer 300 trillion years to break could fall in hours on a sufficiently large quantum computer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Grover's Algorithm (1996)&lt;/strong&gt;: This provides a quadratic speedup for unstructured search problems. It effectively halves the security of symmetric algorithms like AES. AES-256, which has 256-bit security against classical computers, would have 128-bit security against a quantum attacker. 128-bit security is still considered strong enough to be safe, so &lt;strong&gt;AES-256 does not need to be replaced&lt;/strong&gt;. The threat is specifically to public-key algorithms.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The critical distinction: Shor's algorithm does not just speed up existing attacks. It fundamentally changes the game. Problems that were computationally impossible become easy. This is why we cannot simply use bigger RSA keys. No matter how large you make the key, Shor's algorithm scales to crack it. We need entirely different math.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Three Families of Post-Quantum Cryptography
&lt;/h2&gt;

&lt;p&gt;Post-quantum cryptography (PQC) uses mathematical problems that remain hard even for quantum computers. There are three major families, each based on different math. This diversity is important: if one family turns out to have an unexpected weakness, the others provide backup.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Lattice-Based Cryptography
&lt;/h3&gt;

&lt;p&gt;This is the most widely adopted family and includes the primary NIST standards (ML-KEM for encryption, ML-DSA for signatures). Lattice problems involve finding short or close vectors in high-dimensional geometric structures called lattices.&lt;/p&gt;

&lt;p&gt;Think of a lattice as a grid of evenly spaced points, like the intersections on graph paper. In two dimensions, you can easily see the pattern and find the closest point to any location. But extend this to hundreds or thousands of dimensions, and the problem becomes extraordinarily difficult. No known quantum algorithm provides a significant speedup for lattice problems.&lt;/p&gt;

&lt;p&gt;The specific problem used by ML-KEM is called "Module Learning With Errors" (Module-LWE). You are given a system of approximate equations (equations with small random errors added) and need to recover the hidden variables. The added noise makes this problem brutally hard in high dimensions. Lattice-based algorithms are fast and produce reasonably compact keys, which is why they won the NIST competition.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Code-Based Cryptography
&lt;/h3&gt;

&lt;p&gt;Code-based cryptography uses error-correcting codes, the same mathematical structures used to fix transmission errors in wireless communications, satellite links, and data storage. The hard problem is "decoding a random linear code." You are given a noisy codeword and must figure out the original message, but without knowing the specific error-correcting structure that was used to encode it. This problem has been studied since the 1970s (the McEliece cryptosystem dates to 1978) and remains hard for quantum computers.&lt;/p&gt;

&lt;p&gt;NIST selected HQC (Hamming Quasi-Cyclic) as a backup standard for key encapsulation. Code-based algorithms tend to have larger key sizes than lattice-based ones, but they offer cryptographic diversity. If lattice problems are somehow broken, code-based alternatives provide a safety net.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Hash-Based Signatures
&lt;/h3&gt;

&lt;p&gt;Hash-based signatures are the most conservative approach. Their security depends only on the properties of hash functions (like SHA-3), which are well-understood and have been studied for decades. NIST standardized SLH-DSA (based on SPHINCS+) as FIPS 205 for exactly this reason: even if lattice math turns out to have unforeseen weaknesses, hash-based signatures remain secure.&lt;/p&gt;

&lt;p&gt;The trade-off is that hash-based signatures are larger (tens of kilobytes per signature) and slower to generate than lattice-based signatures. They serve as a critical backup rather than a primary choice for high-volume operations.&lt;/p&gt;

&lt;h2&gt;
  
  
  The NIST Standardization Process
&lt;/h2&gt;

&lt;p&gt;The standards for post-quantum cryptography did not come from a single company or research lab. They emerged from one of the most thorough and transparent evaluation processes in the history of cryptography.&lt;/p&gt;

&lt;p&gt;In 2016, NIST (the U.S. National Institute of Standards and Technology) published a call for proposals. They asked the global cryptography community to submit algorithms that could resist quantum computers. Eighty-two teams from universities, government labs, and private companies worldwide responded.&lt;/p&gt;

&lt;p&gt;Over the next eight years, NIST ran three rounds of public evaluation. During each round, cryptographers worldwide tried to break the submitted algorithms. They published papers, presented attacks, and debated trade-offs. Algorithms that showed weaknesses were eliminated. After Round 1 (2017-2019), 26 algorithms advanced. After Round 2 (2019-2020), 15 survived. After Round 3 (2020-2022), NIST selected the winners.&lt;/p&gt;

&lt;p&gt;In August 2024, NIST published the first three final standards:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Standard&lt;/th&gt;
&lt;th&gt;Algorithm (Original Name)&lt;/th&gt;
&lt;th&gt;Family&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;FIPS 203&lt;/td&gt;
&lt;td&gt;ML-KEM (CRYSTALS-Kyber)&lt;/td&gt;
&lt;td&gt;Lattice&lt;/td&gt;
&lt;td&gt;Key encapsulation (establishing shared secrets)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FIPS 204&lt;/td&gt;
&lt;td&gt;ML-DSA (CRYSTALS-Dilithium)&lt;/td&gt;
&lt;td&gt;Lattice&lt;/td&gt;
&lt;td&gt;Digital signatures (proving identity and integrity)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FIPS 205&lt;/td&gt;
&lt;td&gt;SLH-DSA (SPHINCS+)&lt;/td&gt;
&lt;td&gt;Hash-based&lt;/td&gt;
&lt;td&gt;Digital signatures (conservative backup)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Additional standards are in progress. FIPS 206, still in draft, will standardize FN-DSA (based on FALCON), a lattice-based signature scheme with smaller signatures than ML-DSA. In March 2025 NIST also selected HQC, from the code-based family, as a backup key encapsulation mechanism to ML-KEM, providing algorithm diversity. Selecting algorithms from multiple mathematical families is a deliberate strategy: if one family of math turns out to be weaker than expected, the others still provide protection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Post-Quantum vs. Quantum Cryptography
&lt;/h2&gt;

&lt;p&gt;These two terms sound similar but refer to completely different things. Confusing them is one of the most common mistakes people make.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Term&lt;/th&gt;
&lt;th&gt;What It Is&lt;/th&gt;
&lt;th&gt;Hardware Required&lt;/th&gt;
&lt;th&gt;Practical Today?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Post-Quantum Cryptography&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Software algorithms that run on regular computers, built on mathematical problems that neither classical nor quantum computers are known to solve efficiently&lt;/td&gt;
&lt;td&gt;Your existing laptop, phone, or server&lt;/td&gt;
&lt;td&gt;Yes. NIST standards published. Widely deployed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Quantum Cryptography (QKD)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Uses quantum physics (individual photons) to distribute keys. An eavesdropper disturbs the quantum state, alerting the parties.&lt;/td&gt;
&lt;td&gt;Specialized quantum hardware, fiber optic links, single-photon detectors&lt;/td&gt;
&lt;td&gt;Limited. Point-to-point only. Very expensive. Cannot protect stored data.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Post-quantum cryptography is what you can use right now, on your existing hardware, to protect your files and communications. It is a software solution. Quantum Key Distribution (QKD) is a hardware technique that works over dedicated point-to-point links between specialized equipment, and it still needs an authenticated classical channel to rule out an active man-in-the-middle. QKD cannot protect a file sitting on your hard drive, cannot run over the general internet, and costs orders of magnitude more than software-based solutions.&lt;/p&gt;

&lt;h2&gt;
  
  
  How We Got Here: A Brief History
&lt;/h2&gt;

&lt;p&gt;The story of post-quantum cryptography begins with a single paper. In 1994, mathematician Peter Shor, then at AT&amp;amp;T Bell Labs, published "Algorithms for Quantum Computation: Discrete Logarithms and Factoring." This paper demonstrated that a quantum computer could factor large integers and compute discrete logarithms in polynomial time. The implications were staggering: RSA, Diffie-Hellman, and all elliptic curve cryptography would be broken.&lt;/p&gt;

&lt;p&gt;At the time, quantum computers were purely theoretical. No one had built one that could run Shor's algorithm on anything larger than trivially small numbers. But cryptographers recognized that if large quantum computers were ever built, the consequences for global security would be catastrophic. Any recorded communication whose keys had been established with RSA, Diffie-Hellman or elliptic curves would become retroactively readable.&lt;/p&gt;

&lt;p&gt;Research into "quantum-resistant" or "post-quantum" algorithms began almost immediately. Lattice-based cryptography, one of the primary post-quantum approaches, draws on mathematical work dating back to the 1990s. The Ajtai-Dwork cryptosystem (1997) and the NTRU encryption scheme (1998) were among the earliest practical proposals. Code-based cryptography is even older; the McEliece cryptosystem dates to 1978, predating the quantum threat by 16 years.&lt;/p&gt;

&lt;p&gt;For the next two decades, post-quantum cryptography remained an active but niche research area. That changed in 2016, when NIST issued its formal call for proposals. The eight-year evaluation that followed brought post-quantum cryptography from the academic realm into the world of international standards. The publication of FIPS 203, 204, and 205 in August 2024 marked the transition from research to deployment.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Hybrid Approach: Belt and Suspenders
&lt;/h2&gt;

&lt;p&gt;Most security organizations recommend using post-quantum algorithms &lt;strong&gt;alongside&lt;/strong&gt; classical algorithms, not as a replacement. This is called the "hybrid" approach, and it is the most conservative strategy available.&lt;/p&gt;

&lt;p&gt;The logic is simple. Classical algorithms like X25519 have been studied for nearly two decades and deployed in billions of devices. We are extremely confident they are secure against regular computers. Post-quantum algorithms like ML-KEM have passed rigorous evaluation and are believed to be secure against quantum computers, but they are newer and have seen less real-world deployment.&lt;/p&gt;

&lt;p&gt;By combining both, you get protection that is at least as strong as the stronger of the two. If ML-KEM has a hidden flaw, X25519 still protects your data against classical attackers. If a quantum computer breaks X25519, ML-KEM still protects your data against quantum attackers. An adversary must break both to succeed.&lt;/p&gt;

&lt;p&gt;NIST addresses combining ML-KEM with a classical key exchange in SP 800-227, its recommendations for key-encapsulation mechanisms. QNSQY implements this approach in every encryption: ML-KEM + X25519 for key encapsulation, ML-DSA + Ed25519 for digital signatures. Both shared secrets are fed into a single key derivation function, so the final encryption key stays unpredictable to an attacker who has recovered only one of them.&lt;/p&gt;
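&lt;p&gt;The following Go program is an added example of such a combiner; it is not QNSQY's code or file format. It uses only the standard library (crypto/ecdh, crypto/mlkem and crypto/hkdf, available from Go 1.24) and derives the final key from both shared secrets with HKDF. The HKDF label is an assumption of this example, and binding the public keys and ciphertext into the HKDF info is a design choice of the example, not something the post specifies.&lt;/p&gt;

```go
// Added example, not QNSQY's code: hybrid X25519 + ML-KEM-768 key establishment
// with an HKDF combiner, Go standard library only (Go 1.24 or newer).
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Recipient holds the two long-term decapsulation keys of the hybrid scheme.
type Recipient struct {
	x25519 *ecdh.PrivateKey
	mlkem  *mlkem.DecapsulationKey768
}

// Ciphertext is what travels on the wire (or sits in a file header).
type Ciphertext struct {
	X25519Ephemeral []byte // 32 bytes: the sender's ephemeral X25519 public key
	MLKEMCiphertext []byte // 1,088 bytes: the ML-KEM-768 ciphertext
}

func NewRecipient() (*Recipient, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	mk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &Recipient{x25519: xk, mlkem: mk}, nil
}

// Public halves the sender needs.
func (r *Recipient) X25519Public() *ecdh.PublicKey            { return r.x25519.PublicKey() }
func (r *Recipient) MLKEMPublic() *mlkem.EncapsulationKey768 { return r.mlkem.EncapsulationKey() }

// combine is the hybrid combiner: both shared secrets become HKDF input keying
// material, and the public transcript (recipient keys and ciphertext) is bound
// into the info string. Predicting the output requires knowing BOTH secrets.
func combine(ssX, ssM []byte, ct *Ciphertext, xPub, mPub []byte) ([]byte, error) {
	ikm := append(append([]byte{}, ssX...), ssM...)
	info := "example-hybrid-x25519-mlkem768-v1" + // label: an assumption of this example
		string(xPub) + string(mPub) + string(ct.X25519Ephemeral) + string(ct.MLKEMCiphertext)
	return hkdf.Key(sha256.New, ikm, nil, info, 32)
}

// Encapsulate is the sender side: it produces the ciphertext and the 32-byte key.
func Encapsulate(xPub *ecdh.PublicKey, mPub *mlkem.EncapsulationKey768) (*Ciphertext, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssX, err := eph.ECDH(xPub) // Go rejects an all-zero result (low-order peer point)
	if err != nil {
		return nil, nil, err
	}
	ssM, ctM := mPub.Encapsulate()
	ct := &Ciphertext{X25519Ephemeral: eph.PublicKey().Bytes(), MLKEMCiphertext: ctM}
	key, err := combine(ssX, ssM, ct, xPub.Bytes(), mPub.Bytes())
	return ct, key, err
}

// Decapsulate is the recipient side and must derive the identical key.
// A tampered ML-KEM ciphertext does not error: ML-KEM rejects implicitly by
// returning an unrelated pseudorandom secret, so the derived key simply differs.
func (r *Recipient) Decapsulate(ct *Ciphertext) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(ct.X25519Ephemeral)
	if err != nil {
		return nil, err
	}
	ssX, err := r.x25519.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	ssM, err := r.mlkem.Decapsulate(ct.MLKEMCiphertext)
	if err != nil {
		return nil, err
	}
	return combine(ssX, ssM, ct, r.X25519Public().Bytes(), r.MLKEMPublic().Bytes())
}

func main() { // errors ignored in this demo only
	r, _ := NewRecipient()
	ct, k1, _ := Encapsulate(r.X25519Public(), r.MLKEMPublic())
	k2, _ := r.Decapsulate(ct)
	fmt.Printf("ML-KEM-768 pk %d B, ct %d B, X25519 eph %d B, keys match: %v\n",
		len(r.MLKEMPublic().Bytes()), len(ct.MLKEMCiphertext), len(ct.X25519Ephemeral),
		subtle.ConstantTimeCompare(k1, k2) == 1)
}
```

&lt;p&gt;The sizes printed by main match the numbers quoted later in this post: a 1,184-byte ML-KEM-768 public key, a 1,088-byte ML-KEM ciphertext and a 32-byte X25519 ephemeral key. Note that flipping a bit of the ML-KEM ciphertext produces no error from Decapsulate, only a different key; integrity therefore has to come from the authenticated cipher (AES-256-GCM in the post's design) keyed by the derived secret, not from the KEM.&lt;/p&gt;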

&lt;h2&gt;
  
  
  Common Myths About the Quantum Threat
&lt;/h2&gt;

&lt;h3&gt;
  
  
  "Quantum computers are decades away, so this is not urgent"
&lt;/h3&gt;

&lt;p&gt;The quantum computer itself may be decades away, but the threat is already here. The "harvest now, decrypt later" strategy means adversaries can record encrypted data today and store it until quantum computers can decrypt it. If your data must remain secret for 15 years, and a quantum computer arrives in 15 years, you needed quantum-safe encryption yesterday. NIST began the standardization process in 2016 specifically because cryptographic transitions take many years. Waiting until quantum computers exist would leave a multi-year gap during which all encrypted data is retroactively vulnerable.&lt;/p&gt;

&lt;h3&gt;
  
  
  "We can just use bigger RSA keys"
&lt;/h3&gt;

&lt;p&gt;Shor's algorithm breaks RSA in polynomial time, roughly cubic in the key length. This means the attack scales efficiently regardless of key size. Doubling the RSA key size raises a quantum attacker's cost by a small constant factor (about eight for a cubic algorithm), while the best classical attack, the number field sieve, becomes astronomically harder. There is no RSA key size large enough to resist a quantum computer running Shor's algorithm. The mathematical structure that makes RSA work is the same structure that makes it vulnerable. The only solution is different math entirely, which is what post-quantum algorithms provide.&lt;/p&gt;

&lt;h3&gt;
  
  
  "AES-256 is enough"
&lt;/h3&gt;

&lt;p&gt;AES-256 is quantum-safe as an encryption algorithm. Grover's algorithm only reduces its effective security from 256 bits to 128 bits, which is still strong. But AES-256 is a symmetric cipher. Both the sender and receiver must already possess the same secret key. The hard part is establishing that shared key over an insecure channel. This is where RSA, ECDH, and other public-key algorithms come in, and these are the algorithms that quantum computers break. ML-KEM replaces the quantum-vulnerable key agreement step. AES-256 handles the actual data encryption. They solve different problems and are both necessary.&lt;/p&gt;

&lt;h3&gt;
  
  
  "Only governments need to worry about this"
&lt;/h3&gt;

&lt;p&gt;Government agencies are the most obvious targets, but healthcare organizations hold patient data that must remain confidential for decades under HIPAA. Law firms hold attorney-client privileged communications with no expiration date. Financial institutions hold transaction data and account information that criminals can monetize. Pharmaceutical companies hold drug research data worth billions. Any organization with long-lived sensitive data faces the same fundamental risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Should You Do About It?
&lt;/h2&gt;

&lt;p&gt;The urgency of switching to post-quantum cryptography depends on how long your data needs to stay secret. Think about three questions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;How long does this data need to remain confidential?&lt;/strong&gt; Medical records might be sensitive for 50+ years. A corporate strategy document might matter for 5 years. A credit card number expires in 3 years.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;How soon could a quantum computer break current encryption?&lt;/strong&gt; Expert estimates range from 10 to 20 years, though some believe it could happen sooner.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Could someone be recording this data now to decrypt later?&lt;/strong&gt; Nation-state intelligence agencies have both the motivation and the storage capacity to do this.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If the sensitivity lifetime of your data exceeds the expected arrival of quantum computers, you should already be using post-quantum cryptography. For most sensitive data (medical records, legal documents, government secrets, long-term business plans), the math says the time to switch is now.&lt;/p&gt;

&lt;p&gt;Practically, transitioning does not have to be painful. Tools like &lt;a href="https://quantumsequrity.com/blog/quantum-encryption-software" rel="noopener noreferrer"&gt;QNSQY&lt;/a&gt; use post-quantum algorithms by default, with no configuration required. You encrypt a file, and it automatically receives ML-KEM + X25519 hybrid protection. The free tier provides full post-quantum encryption with ML-KEM-512.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Performance Question
&lt;/h2&gt;

&lt;p&gt;A common concern about post-quantum cryptography is performance. Post-quantum algorithms generally have larger keys and signatures than their classical counterparts. An ML-KEM-768 public key is 1,184 bytes, compared to 32 bytes for X25519. An ML-DSA-65 signature is 3,309 bytes, compared to 64 bytes for Ed25519.&lt;/p&gt;

&lt;p&gt;However, the computational speed tells a different story. ML-KEM key generation, encapsulation and decapsulation each take tens of microseconds on modern hardware; an ML-KEM-768 encapsulation takes approximately 40 microseconds, and ML-KEM key generation is orders of magnitude faster than RSA key generation at comparable security levels. AES-256-GCM data encryption, which runs at several gigabytes per second on hardware with AES-NI support, dominates the total encryption time for any file larger than a few hundred kilobytes; below that, the whole operation still completes in well under a millisecond. The post-quantum key agreement step is a one-time cost per encryption, and it is negligible compared to the data encryption itself.&lt;/p&gt;

&lt;p&gt;For network protocols like TLS, the larger key sizes add bytes to the handshake, but real-world deployments (Google Chrome, Cloudflare) have confirmed that the impact on page load times is imperceptible to users. The additional 1-2 kilobytes in the TLS handshake are absorbed within the noise of normal network latency.&lt;/p&gt;

&lt;p&gt;For data encryption specifically, the overhead is even less significant. QNSQY stores the ML-KEM ciphertext and X25519 public key in the file header, adding roughly 1,200 bytes to the total file size. For a 1 MB file, that is 0.12% overhead. For a 100 MB file, it rounds to zero.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/203/final" rel="noopener noreferrer"&gt;NIST FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/204/final" rel="noopener noreferrer"&gt;NIST FIPS 204: Module-Lattice-Based Digital Signature Standard&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/205/final" rel="noopener noreferrer"&gt;NIST FIPS 205: Stateless Hash-Based Digital Signature Standard&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/publications/detail/nistir/8105/final" rel="noopener noreferrer"&gt;NIST IR 8105: Report on Post-Quantum Cryptography&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/projects/post-quantum-cryptography" rel="noopener noreferrer"&gt;NIST Post-Quantum Cryptography Standardization Project&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Related Articles
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/ml-kem-explained" rel="noopener noreferrer"&gt;ML-KEM: Future of Key Encapsulation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/why-quantum-threatens-classical-encryption" rel="noopener noreferrer"&gt;Why Quantum Computers Threaten Classical Encryption&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/nist-fips-guide" rel="noopener noreferrer"&gt;NIST FIPS 203/204/205: The Complete Guide&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/harvest-now-decrypt-later" rel="noopener noreferrer"&gt;Harvest Now, Decrypt Later Threat&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://quantumsequrity.com/blog/security" rel="noopener noreferrer"&gt;Learn More About Security&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://quantumsequrity.com/blog/what-is-post-quantum-cryptography" rel="noopener noreferrer"&gt;quantumsequrity.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cryptography</category>
      <category>postquantum</category>
      <category>quantumsafe</category>
    </item>
    <item>
      <title>Shor's Algorithm in Plain English: How Quantum Breaks RSA and Why Post Quantum Cryptography Replaces It</title>
      <dc:creator>Quantum Sequrity</dc:creator>
      <pubDate>Sun, 26 Apr 2026 17:53:03 +0000</pubDate>
      <link>https://forem.com/quantumsequrity/shors-algorithm-in-plain-english-how-quantum-breaks-rsa-and-why-post-quantum-cryptography-420n</link>
      <guid>https://forem.com/quantumsequrity/shors-algorithm-in-plain-english-how-quantum-breaks-rsa-and-why-post-quantum-cryptography-420n</guid>
      <description>&lt;h1&gt;
  
  
  Shor's Algorithm in Plain English: How Quantum Breaks RSA and Why Post Quantum Cryptography Replaces It
&lt;/h1&gt;

&lt;p&gt;&lt;strong&gt;Category&lt;/strong&gt;: Education&lt;/p&gt;

&lt;h1&gt;
  
  
  Shor's Algorithm in Plain English: How Quantum Breaks RSA and Why Post Quantum Cryptography Replaces It
&lt;/h1&gt;

&lt;p&gt;11 min read&lt;/p&gt;

&lt;h2&gt;
  
  
  The One Paragraph Version
&lt;/h2&gt;

&lt;p&gt;Shor's algorithm is a quantum algorithm, published in 1994 by mathematician Peter W. Shor, that can factor large numbers and solve discrete logarithms exponentially faster than any known classical algorithm. RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC, including ECDSA and Ed25519) all rely on the assumption that these math problems are intractable for a normal computer. Shor's algorithm shows that a sufficiently large quantum computer would solve them in hours, not the billions of years current encryption assumes. That is why the world needs Post Quantum Cryptography (PQC), and why NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why RSA Works Today (And Why It Will Not Tomorrow)
&lt;/h2&gt;

&lt;p&gt;RSA encrypts data by picking two large prime numbers, multiplying them to get a big composite number N, and using N as part of a public key. If an attacker can factor N back into those two primes, they can read every message encrypted with the key. The best classical algorithm we know, the General Number Field Sieve, takes sub-exponential time. On a laptop, factoring a 2048-bit RSA key would take longer than the age of the universe.&lt;/p&gt;

&lt;p&gt;Shor's algorithm changes the equation. It reduces factoring to a problem called &lt;strong&gt;period finding&lt;/strong&gt;, which a quantum computer can solve efficiently using the quantum Fourier transform. The polynomial time cost (roughly cubic in the number of bits) means doubling the RSA key size does not double the attack time, it merely adds a modest amount. There is no RSA key size that survives Shor.&lt;/p&gt;

&lt;h2&gt;
  
  
  Discrete Logarithms: The Same Story for Diffie-Hellman and ECC
&lt;/h2&gt;

&lt;p&gt;Diffie-Hellman key exchange and the entire Elliptic Curve Cryptography family (ECDH, ECDSA, Ed25519, X25519) rely on a problem called the &lt;strong&gt;discrete logarithm problem&lt;/strong&gt;. Given the result of modular exponentiation (or, on an elliptic curve, of adding a point to itself many times), find the exponent (the scalar). On classical machines, this is hard. Shor's algorithm cracks it in the same polynomial time as factoring.&lt;/p&gt;

&lt;p&gt;This is why the cryptographic community cannot "just pick a bigger curve" to survive quantum. The math that makes elliptic curves efficient is the same math that makes them vulnerable.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Actual Mechanics, Without the Math
&lt;/h2&gt;

&lt;p&gt;Skipping the linear algebra, Shor's algorithm works in three phases:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Reduce the problem to period finding.&lt;/strong&gt; Factoring N is equivalent to finding the period of a particular function f(x) that involves modular exponentiation of a random base.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run the period finder on a quantum computer.&lt;/strong&gt; Prepare a superposition over many inputs, apply f(x) in parallel across the entire superposition, then apply the quantum Fourier transform to extract the period.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Classical post-processing.&lt;/strong&gt; A small amount of classical math converts the period into the factors of N.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The heavy lifting, the part that would crush any classical computer, happens in step 2. This is where quantum's exponential speedup lives.&lt;/p&gt;
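&lt;p&gt;The classical half of the procedure can be run on a laptop for small numbers. The Go program below is an added example, not code from the post, and substitutes a brute-force search for the quantum period finder in step 2 (which is why it only works for tiny N). It implements the reduction in step 1, the post-processing in step 3, and the two retry cases the algorithm has to handle: an odd period, and a^(r/2) ≡ -1 (mod N), where the difference of squares yields only trivial factors.&lt;/p&gt;

```go
// Added example, not from the post: the classical parts of Shor's algorithm
// (steps 1 and 3) for small N. The quantum step 2 is replaced by a brute-force
// search for the period, which is exponential in the bit length of N and is
// exactly the part a quantum computer makes polynomial.
package main

import (
	"errors"
	"fmt"
)

func gcd(a, b uint64) uint64 {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// powMod computes base^exp mod m by square-and-multiply. m must be below 2^32
// so that intermediate products fit in a uint64.
func powMod(base, exp, m uint64) uint64 {
	result := uint64(1)
	base %= m
	for exp > 0 {
		if exp&1 == 1 {
			result = result * base % m
		}
		base = base * base % m
		exp >>= 1
	}
	return result
}

// Order returns the period r of f(x) = a^x mod n, i.e. the least r > 0 with
// a^r ≡ 1 (mod n), or 0 if gcd(a, n) > 1. This loop stands in for the quantum
// Fourier transform; its cost grows with n, which is the whole problem.
func Order(a, n uint64) uint64 {
	x := a % n
	for r := uint64(1); r <= n; r++ {
		if x == 1 {
			return r
		}
		x = x * a % n
	}
	return 0
}

// Factor attempts to split n using the base a. It reports the two failure
// modes the real algorithm handles by retrying with a fresh a: an odd period,
// and a^(r/2) ≡ -1 (mod n), where the difference of squares gives only trivial gcds.
func Factor(n, a uint64) (p, q uint64, err error) {
	if n < 4 || n%2 == 0 {
		return 0, 0, errors.New("n must be odd and greater than 3")
	}
	if a < 2 || a >= n {
		return 0, 0, errors.New("a must satisfy 1 < a < n")
	}
	if g := gcd(a, n); g > 1 {
		return g, n / g, nil // lucky guess: a shares a factor with n, no period needed
	}
	r := Order(a, n)
	if r%2 == 1 {
		return 0, 0, fmt.Errorf("period r=%d is odd; retry with another a", r)
	}
	y := powMod(a, r/2, n) // y^2 ≡ 1 (mod n), and y ≠ 1 because r is minimal
	if y == n-1 {
		return 0, 0, errors.New("a^(r/2) ≡ -1 (mod n); retry with another a")
	}
	// n divides (y-1)(y+1) but neither factor alone, so both gcds are nontrivial.
	p, q = gcd(y-1, n), gcd(y+1, n)
	if p > q {
		p, q = q, p
	}
	return p, q, nil
}

// FindFactor is the retry loop. Shor picks a uniformly at random; this example
// walks a = 2, 3, ... deterministically so that the result is reproducible.
func FindFactor(n uint64) (p, q, a uint64, err error) {
	for a = 2; a < n; a++ {
		if p, q, err = Factor(n, a); err == nil {
			return p, q, a, nil
		}
	}
	return 0, 0, 0, errors.New("no base succeeded (n is prime or too small)")
}

func main() {
	for _, n := range []uint64{15, 21, 91, 3233} {
		p, q, a, err := FindFactor(n)
		fmt.Printf("n=%d: a=%d -> %d x %d (err=%v)\n", n, a, p, q, err)
	}
	_, _, err := Factor(21, 5) // order 6, 5^3 mod 21 = 20 = n-1: the retry case
	fmt.Println("Factor(21, 5):", err)
}
```

&lt;p&gt;FindFactor(3233) shows the retry in action: the first base, a = 2, has period 780 and lands in the a^(r/2) ≡ -1 case, so the loop moves on to a = 3, whose period 260 splits 3233 into 53 × 61. Replace Order with a period finder whose cost is polynomial in the bit length of N and you have Shor's algorithm; that replacement is the part that needs a quantum computer, and the part this program deliberately leaves exponential.&lt;/p&gt;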

&lt;h2&gt;
  
  
  How Big a Quantum Computer Do You Need?
&lt;/h2&gt;

&lt;p&gt;This is the critical question for post-quantum timing. Estimates for breaking RSA-2048 with Shor range widely and keep falling. A well-cited analysis by Craig Gidney and Martin Ekera (arXiv:1905.09749, published in 2021) estimates around &lt;strong&gt;20 million noisy physical qubits&lt;/strong&gt; for a day-scale attack under specific assumptions about error-corrected code distance; a 2025 follow-up by Gidney lowered that estimate to under one million noisy qubits running for less than a week.&lt;/p&gt;

&lt;p&gt;For comparison, the largest quantum processors publicly announced as of April 2026 are:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;System&lt;/th&gt;
&lt;th&gt;Qubits&lt;/th&gt;
&lt;th&gt;Type&lt;/th&gt;
&lt;th&gt;Cryptographically relevant?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;IBM Condor (Dec 2023)&lt;/td&gt;
&lt;td&gt;1,121&lt;/td&gt;
&lt;td&gt;Superconducting&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Google Willow (Dec 2024)&lt;/td&gt;
&lt;td&gt;105&lt;/td&gt;
&lt;td&gt;Superconducting&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Zuchongzhi 3.0 (Mar 2025)&lt;/td&gt;
&lt;td&gt;105&lt;/td&gt;
&lt;td&gt;Superconducting&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Atom Computing (Oct 2023)&lt;/td&gt;
&lt;td&gt;1,180&lt;/td&gt;
&lt;td&gt;Neutral atom&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;None of these can run Shor on a real RSA key. The Global Risk Institute 2025 expert survey puts the likelihood of a cryptographically relevant quantum computer within 10 years between 28 percent (pessimistic) and 49 percent (optimistic), the highest 10-year estimate in the survey's seven-year history.&lt;/p&gt;

&lt;h2&gt;
  
  
  What PQC Does Instead
&lt;/h2&gt;

&lt;p&gt;Post Quantum Cryptography uses mathematical problems that neither classical nor quantum computers are known to solve efficiently. The standardized families are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Lattice-based&lt;/strong&gt; (ML-KEM, ML-DSA, FN-DSA). Relies on the Learning With Errors and related problems on high-dimensional lattices.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hash-based&lt;/strong&gt; (SLH-DSA, LMS). Relies only on the security of the underlying hash function.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Code-based&lt;/strong&gt; (HQC, Classic McEliece). Relies on the hardness of decoding random linear codes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Each family uses a different hard problem, giving defense in depth against a future mathematical breakthrough in any one family.&lt;/p&gt;

&lt;h2&gt;
  
  
  What You Should Do About It
&lt;/h2&gt;

&lt;p&gt;If you are running a system that needs to protect data for more than a few years, the answer is hybrid PQC. Combine a classical algorithm like X25519 with a post-quantum algorithm like ML-KEM. An attacker must break both, not either, to read your data. Signal deployed this approach in September 2023 with PQXDH. Google Chrome shipped it by default in Chrome 131 in November 2024. Cloudflare reports over 60 percent of human-initiated TLS traffic now uses hybrid ML-KEM.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  When did Peter Shor publish Shor's algorithm?
&lt;/h3&gt;

&lt;p&gt;Peter W. Shor's algorithm was presented at the 35th Annual Symposium on Foundations of Computer Science (FOCS) in November 1994, with an expanded journal version appearing in SIAM Journal on Computing 26(5) in 1997.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does Shor's algorithm break symmetric encryption like AES?
&lt;/h3&gt;

&lt;p&gt;No. Shor's algorithm attacks public-key cryptography that relies on integer factorization or discrete logarithms. Symmetric ciphers like AES are affected by Grover's algorithm, which provides only a quadratic speedup, effectively halving the key strength. AES-256 remains secure even in a post-quantum world.&lt;/p&gt;

&lt;h3&gt;
  
  
  How many qubits are needed to run Shor on RSA-2048?
&lt;/h3&gt;

&lt;p&gt;Estimates vary widely and have been trending downward. Craig Gidney and Martin Ekera's analysis (arXiv:1905.09749, 2021) estimates approximately 20 million noisy physical qubits for a day-scale attack; Gidney's 2025 follow-up brings the figure below one million. The exact number depends on error correction assumptions and implementation choices. As of April 2026 no quantum computer approaches this scale.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is hybrid PQC slower than classical encryption?
&lt;/h3&gt;

&lt;p&gt;The overhead is small. ML-KEM-768 hybrid with X25519 adds roughly 1 to 2 kilobytes per TLS handshake and well under a millisecond of CPU time; the ML-KEM operations themselves take tens of microseconds. For most applications this is unmeasurable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="https://ieeexplore.ieee.org/document/365700/" rel="noopener noreferrer"&gt;Shor, P. W. (1994). Algorithms for quantum computation. FOCS proceedings&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://arxiv.org/abs/quant-ph/9508027" rel="noopener noreferrer"&gt;Shor arXiv preprint (1995)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://arxiv.org/abs/1905.09749" rel="noopener noreferrer"&gt;Gidney &amp;amp; Ekera (2021). How to factor 2048-bit RSA in 8 hours&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/pubs/fips/203/final" rel="noopener noreferrer"&gt;NIST FIPS 203 (ML-KEM) Final&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://globalriskinstitute.org/publication/quantum-threat-timeline-2025-executive-perspectives-on-barriers-to-action/" rel="noopener noreferrer"&gt;Global Risk Institute Quantum Threat Timeline 2025&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Related Articles
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/grover-algorithm-explained-layman" rel="noopener noreferrer"&gt;Grover's Algorithm Explained&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/ml-kem-explained" rel="noopener noreferrer"&gt;ML-KEM Explained (FIPS 203)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/why-rsa-2048-will-break" rel="noopener noreferrer"&gt;Why RSA-2048 Will Break&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/hybrid-encryption" rel="noopener noreferrer"&gt;Why Hybrid Encryption Matters&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quantumsequrity.com/blog/what-is-post-quantum-cryptography" rel="noopener noreferrer"&gt;What is Post-Quantum Cryptography?&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  Protect Your Data Before Q-Day Arrives
&lt;/h3&gt;

&lt;p&gt;QNSQY's NIST-standardized post-quantum encryption protects files against both current and quantum-era threats.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://quantumsequrity.com/blog/shor-algorithm-explained-layman" rel="noopener noreferrer"&gt;quantumsequrity.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>cryptography</category>
      <category>postquantum</category>
      <category>quantumsafe</category>
    </item>
  </channel>
</rss>
