Will Quantum Computers Break Encryption?

Quantum computers will eventually break some types of encryption, but not all of it, and not yet. The encryption most at risk protects internet traffic, banking transactions, and encrypted messaging today. It relies on math problems that classical computers can’t solve in any reasonable timeframe but that a sufficiently powerful quantum computer could crack. The timeline for when this becomes possible is debated, but major organizations are already racing to replace vulnerable systems before it happens.

Which Encryption Is Vulnerable

The encryption at risk falls into a category called asymmetric or public-key cryptography. This includes RSA and elliptic curve cryptography (ECC), two systems that secure virtually every encrypted connection on the internet. When you see the padlock icon in your browser, load a banking app, or send an encrypted message, these systems are doing the work of establishing a secure connection.

Both RSA and ECC get their security from the same basic principle: they rely on math problems that are extraordinarily hard for regular computers to solve. RSA depends on the difficulty of factoring enormous numbers into their prime components. ECC depends on a related problem involving points on a curve. A classical computer trying to break a 2048-bit RSA key would need longer than the age of the universe.

A quantum computer changes this entirely. An algorithm published by mathematician Peter Shor in 1994 can solve both of these problems efficiently using quantum mechanics. It works by exploiting a quantum computer’s ability to evaluate many possibilities simultaneously through superposition, then using interference patterns to extract the answer. For RSA, this means factoring those enormous numbers becomes tractable. For ECC, the same approach solves the underlying curve problem. Both systems would be completely broken, not just weakened.
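The "extract the answer" step above is period finding, and everything around it is ordinary arithmetic. The following Python, added here and not taken from the article, shows that classical wrapper: a brute-force `find_order` stands in for the quantum period-finding subroutine, and `shor_factor` is the classical post-processing that turns a period into a factor. The function names and the small test moduli are my own choices.

```python
import math
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, i.e. the period of f(x) = a**x mod n.

    This brute-force loop is the stand-in for the quantum subroutine: on a
    quantum computer, superposition over x plus interference in the quantum
    Fourier transform yield r in polynomial time, whereas this loop takes
    time exponential in the bit length of n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 0, attempts: int = 50):
    """Classical post-processing of Shor's algorithm: turn a period into a factor.

    Returns a non-trivial factor of the odd composite n, or None if every
    random base failed (each attempt succeeds with probability at least 1/2)."""
    rng = random.Random(seed)
    for _ in range(attempts):
        a = rng.randrange(2, n)
        g = math.gcd(a, n)
        if g > 1:
            return g                      # lucky base: already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                      # odd period: pick another base
        y = pow(a, r // 2, n)             # y*y == 1 (mod n), so n divides (y-1)(y+1)
        if y == n - 1:
            continue                      # trivial square root of 1, gives no factor
        f = math.gcd(y - 1, n)
        if 1 < f < n:
            return f
    return None


if __name__ == "__main__":
    for n in (15, 21, 91):
        p = shor_factor(n)
        print(f"{n} = {p} x {n // p}")
```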

Why AES and Other Symmetric Encryption Survives

Not all encryption works the same way. Symmetric encryption, where both sides share the same secret key, faces a different and much less severe quantum threat. The best known quantum attack against AES (the most widely used symmetric cipher) is Grover’s algorithm, which effectively cuts the security level in half. AES-256, for example, would drop from 256-bit security to roughly 128-bit security, requiring about 2^128 quantum operations instead of 2^256 classical ones.

That sounds dramatic, but 128-bit security is still considered unbreakable in practice. It’s the level AES-128 provides against classical computers today. The fix is simple: use longer keys. AES-256 in a post-quantum world still offers more than enough protection, with no need to replace the algorithm itself.

How Far Away Is the Threat

The gap between today’s quantum hardware and what’s needed to break encryption is enormous. A 2025 estimate from quantum computing researcher Craig Gidney suggests that a 2048-bit RSA key could be factored in under a week using fewer than a million noisy physical qubits. An earlier 2019 estimate from the same researcher put the requirement at 20 million qubits for an eight-hour attack. The difference reflects improvements in how algorithms and error correction are designed, but both numbers remain far beyond current hardware.

IBM’s 2026 quantum roadmap targets processors with up to 360 qubits capable of running 7,500 gate operations. That’s roughly three orders of magnitude short of even the most optimistic attack estimates, and the quality of those qubits matters as much as the quantity. Quantum computers need extensive error correction because individual qubits are unreliable, and building a million coordinated, error-corrected qubits is an engineering challenge no one has solved yet.

The Cloud Security Alliance set a public countdown to April 14, 2030, as its estimate for when a quantum computer could break current cybersecurity infrastructure. That date is aggressive compared to most expert predictions, but it serves its intended purpose: creating urgency for organizations that need years to transition their systems.

The “Harvest Now, Decrypt Later” Problem

Even though no quantum computer can break encryption today, the threat isn’t entirely in the future. Intelligence agencies and other adversaries are widely believed to be capturing and storing encrypted communications right now, with the intention of decrypting them once quantum computers become powerful enough. This strategy is known as “harvest now, decrypt later.”

A Federal Reserve research paper highlighted this risk specifically for blockchain and distributed ledger networks, noting that while these systems can upgrade their cryptography going forward, previously recorded transactions remain permanently vulnerable. Anyone with a copy of the encrypted data can simply wait. The same logic applies to any intercepted communication: diplomatic cables, trade secrets, medical records, personal messages. If the information will still be sensitive in 10 or 15 years, it’s already at risk from harvesting.

This is the reason governments aren’t waiting until quantum computers arrive to act. Data with a long shelf life needs quantum-resistant protection now, even though the decryption threat is still years away.

Post-Quantum Cryptography Is Already Here

The replacement for vulnerable encryption algorithms isn’t theoretical. NIST finalized its first set of post-quantum cryptography (PQC) standards in 2024, based on mathematical problems that are believed to be hard for both classical and quantum computers. These new algorithms run on existing hardware. They don’t require any special quantum technology, just software updates.

Performance benchmarks show the transition is practical. On modern server hardware, post-quantum algorithms add less than 5% latency, making immediate adoption feasible for cloud services. Key generation is actually faster than RSA for leading algorithms like Kyber, which generates keys over 1,000 times quicker. The main trade-off is size: post-quantum algorithms produce larger keys and signatures, which increases the data exchanged during a TLS handshake (the process that establishes a secure connection) by up to seven times. In practice, this translates to handshakes that are 22 to 55% slower than current methods, depending on the algorithm chosen.

For most internet users, this slowdown will be imperceptible. Bandwidth-constrained environments like IoT devices or satellite links face bigger challenges, since some post-quantum algorithms require significantly more data packets to complete a connection.

Government Transition Deadlines

The NSA has published a concrete timeline for migrating U.S. national security systems to quantum-resistant algorithms under its CNSA 2.0 framework. The full transition is expected by 2035, but intermediate deadlines are much sooner:

  • Software and firmware signing: exclusively quantum-resistant by 2030
  • Web browsers, servers, and cloud services: exclusively quantum-resistant by 2033
  • VPNs and routers: exclusively quantum-resistant by 2030
  • Operating systems: exclusively quantum-resistant by 2033
  • Legacy and custom applications: updated or replaced by 2033

These deadlines reflect how long large-scale cryptographic transitions actually take. Replacing encryption across an entire organization, supply chain, or government network is a multi-year project involving hardware upgrades, software patches, protocol changes, and extensive testing. Organizations that haven’t started planning are already behind the NSA’s recommended schedule, which calls for beginning the transition immediately.

What About Quantum Key Distribution

Quantum key distribution (QKD) is a fundamentally different approach that uses quantum physics, rather than math, to secure communications. Instead of relying on problems that are hard to solve, QKD generates encryption keys using photons. Any attempt to intercept the key disturbs the quantum state, alerting both parties to the eavesdropping.
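The eavesdropping detection described above, as an added simulation that is not part of the article: a Python model of the BB84 protocol with an optional intercept-and-resend eavesdropper, where both parties sift on matching bases and then sacrifice half the sifted bits to estimate the error rate. The function name, the 11% abort threshold and the photon count are my assumptions.

```python
import random


def bb84_run(n_photons: int, eavesdrop: bool, seed: int = 0, threshold: float = 0.11) -> dict:
    """Simulate one BB84 session and return the error estimate and sifted key size.

    Bases: 0 = rectilinear (+), 1 = diagonal (x). Measuring a photon in the basis
    it was prepared in returns its bit; measuring in the other basis returns a
    uniformly random bit and leaves the photon re-prepared in the measuring basis.
    The 11% abort threshold is an assumed, commonly cited BB84 figure."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    channel = list(zip(alice_bits, alice_bases))      # photons modelled as (bit, basis)

    if eavesdrop:  # intercept-resend: Eve measures each photon in a random basis
        resent = []
        for bit, basis in channel:
            eve_basis = rng.randrange(2)
            eve_bit = bit if eve_basis == basis else rng.randrange(2)
            resent.append((eve_bit, eve_basis))       # photon now carries Eve's basis
        channel = resent

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [bit if basis == bob_basis else rng.randrange(2)
                for (bit, basis), bob_basis in zip(channel, bob_bases)]

    # Sifting: bases are announced over the public channel; keep matching positions
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]

    # Error estimation: sacrifice a random half of the sifted bits and compare them publicly
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    sample, keep = idx[: len(idx) // 2], idx[len(idx) // 2:]
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / len(sample) if sample else 1.0
    accepted = qber <= threshold                      # abort if the disturbance is too high
    return {"qber": qber, "accepted": accepted, "key_bits": len(keep) if accepted else 0}


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_run(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={r['qber']:.3f} accepted={r['accepted']} key_bits={r['key_bits']}")
```

Without an eavesdropper the error rate is zero; intercept-resend disturbs roughly one sifted bit in four, which is what alerts both parties.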

It sounds ideal, but QKD has significant practical limitations. It requires dedicated fiber-optic connections or line-of-sight laser transmitters between users. It can’t be deployed as a software update or run over existing networks. It lacks flexibility for upgrades or security patches because it’s entirely hardware-based. The NSA has explicitly stated it does not recommend QKD for protecting national security systems, favoring software-based post-quantum algorithms instead. For the vast majority of organizations and individuals, PQC algorithms running on standard computers and phones will be the path forward.