


How Quantum Computers Could Break Today’s Encryption

Quantum computing threatens the public-key cryptography that secures the modern internet.

The threat is narrower — and more dangerous

Most people hear “quantum computers will break encryption” and picture every secret instantly spilling onto the internet. That is not the technically accurate version. The sharper version is worse in a more specific way: a sufficiently powerful quantum computer could break the public-key systems used to establish secure sessions, verify identities, issue certificates, and sign code. That means the risk is not just privacy. It is trust.

“Most traditional public key cryptography (PKC) algorithms in use today will be vulnerable to attack.” — UK NCSC

That matters because today’s internet is built on those systems. HTTPS, VPNs, software signing, PKI, and secure key exchange all depend on cryptography that quantum algorithms such as Shor’s algorithm are expected to hit hard. The result is not merely faster hacking. It is the potential failure of the mechanisms that prove a website is real, a software update is legitimate, or a message came from who it claims to come from.

What quantum actually breaks

The first major target is public-key cryptography: RSA, Diffie-Hellman, ECDH, ECDSA, EdDSA, and the surrounding certificate and signature infrastructure. RSA rests on the hardness of factoring large integers; Diffie-Hellman and the elliptic-curve schemes rest on the discrete logarithm problem. Shor’s algorithm solves both in polynomial time on a large enough fault-tolerant quantum computer, against sub-exponential or exponential cost for the best classical attacks, which is why standards bodies and cyber agencies are focused on replacing these algorithms rather than simply enlarging their keys.

The second category is symmetric cryptography and hashes — systems like AES and SHA. These are not safe by magic, but they are not hit the same way. The UK NCSC says their security is “not significantly impacted” in the same sense as public-key cryptography, and the National Academies notes that Grover’s algorithm weakens brute-force resistance rather than causing the kind of collapse Shor causes for RSA and ECC. Grover gives at most a quadratic speedup on exhaustive search, so on paper a 128-bit key offers roughly 64 bits of security against a quantum attacker and a 256-bit key roughly 128, which is why long-term guidance tends toward AES-256 and SHA-384 or longer digests rather than toward new symmetric primitives. In plain English: AES gets squeezed; RSA gets broken.

What that means in practice

  • RSA, ECDH, ECDSA, EdDSA, and similar public-key systems are the main danger zone. They underpin secure key exchange, authentication, certificates, and signatures.
  • AES and secure hash functions are in a different bucket. They may need larger parameters for long-term protection (AES-256 rather than AES-128, SHA-384 or longer digests), but they are not expected to fail the way RSA and ECC would.
  • Digital signatures are a huge part of the story. A cryptographically relevant quantum computer would not just decrypt traffic; it could help forge certificates, impersonate trusted services, and sign malicious software as if it were legitimate.

What this does not mean

  • No cryptographically relevant quantum computer exists today. Current systems are not yet capable of breaking RSA-2048 or modern ECC in the real world.
  • Not every encrypted file on Earth becomes readable overnight. The near-term concern is strongest for high-value data with long secrecy lifetimes — intelligence, health, financial, legal, industrial, and government data that still matters years from now.
  • This is not “all encryption dies.” It is a looming failure of today’s public-key cryptography, plus a weakening of some symmetric assumptions. That distinction is the difference between hype and reality.

The real danger starts before Q-Day

The most immediate quantum computing encryption threat is not a cinematic one-day collapse. It is harvest now, decrypt later. Adversaries can capture encrypted traffic today, store it, and wait for future quantum capability to make some of it readable. Canada’s cyber guidance says this is an immediate concern for information with a long lifespan. The UK NCSC makes the same point: the attack is most worth doing when the data is valuable enough to matter years later.

There is also a second problem that gets less attention and deserves more: integrity. Confidentiality is about hiding data. Integrity is about proving something is genuine. If quantum systems can forge certificates or signatures, attackers could impersonate trusted websites, push fake updates, or sign malicious code with what appears to be a valid identity. Unlike the archive-and-decrypt problem, that integrity risk arrives only when a sufficiently powerful machine actually exists, with one caveat: signatures that must still verify years from now, such as those on firmware, archived documents, and long-lived root certificates, will be checked in a world where forging them has become cheap, so those trust anchors need to be re-rooted before that day rather than after it.

Why “hundreds of qubits” is the wrong metric

A lot of quantum headlines are sloppy because they treat raw qubit counts like horsepower. That is not how this works. A machine with hundreds of noisy physical qubits is not automatically anywhere near breaking RSA. The real issue is whether engineers can build a fault-tolerant system with enough logical qubits, low enough error rates, and enough sustained operations to run the relevant algorithms at scale. The UK NCSC explicitly says many engineering and physical challenges still have to be overcome.

That is why the current moment is tricky. Google said in 2025 that RSA-2048 could theoretically be broken by a quantum computer with around 1 million noisy qubits running for one week, while IBM’s public roadmap targets a large-scale fault-tolerant machine by 2029, with “quantum advantage” in narrower applications by the end of 2026. Those are not proof that RSA falls tomorrow. They are proof that the resource estimates are getting more concrete and the engineering race is moving from abstract theory toward system design.

The migration is already global

This is not a fringe debate anymore. The transition to post-quantum cryptography is already being treated as a live cyber policy issue across major economies.

  • United States: NIST finalized its first three post-quantum cryptography standards in August 2024 — FIPS 203 (ML-KEM, for key establishment), 204 (ML-DSA, for signatures), and 205 (SLH-DSA, a hash-based signature scheme) — and in 2025 selected HQC as a backup key-encapsulation algorithm alongside ML-KEM. NIST’s own guidance says organizations should begin migrating now.
  • United Kingdom: The NCSC’s roadmap says organizations should complete discovery and planning by 2028, early high-priority migration by 2031, and complete migration by 2035.
  • European Union: The Commission says all Member States should start transitioning by the end of 2026, and critical infrastructure should be transitioned as soon as possible, no later than the end of 2030.
  • Canada: The Canadian Centre for Cyber Security says organizations should prepare now, especially where long-lived sensitive data and authentication systems are involved.
  • France: ANSSI recommends a progressive transition strategy and explicitly supports hybrid post-quantum mitigation, especially for systems that must protect information beyond 2030 or are likely to remain in service after 2030 without updates.
  • Singapore: CSA has already published a Quantum-Safe Handbook and Quantum Readiness Index to help organizations assess and plan migration.
  • China: Reuters reported on March 19, 2026 that China is expected to develop national post-quantum cryptography standards within three years, with finance and energy identified as priority sectors.

What organizations should do now

The first move is not buying a “quantum-safe” sticker from a vendor. It is finding your cryptography. U.S. guidance from CISA, NSA, and NIST says organizations should establish a quantum-readiness roadmap, inventory where vulnerable cryptography is used, talk to vendors, and prioritize the most sensitive assets first. That is blunt because it has to be: you cannot migrate what you have not mapped.

The second move is to prioritize what will hurt most if it ages badly. Long-lived confidential data, PKI, certificate chains, code-signing systems, device identities, trust anchors, VPNs, and authentication flows should move toward the front of the line. Canada’s guidance is especially clear that confidentiality and integrity have different failure modes and both matter.
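As an added example that is not part of the original article, the following Go program does the discovery step over a PEM bundle: it parses each certificate, names the public-key algorithm and size, records the signature algorithm and expiry, flags every RSA, ECDSA and EdDSA key as quantum-vulnerable, and marks certificates still valid beyond a caller-chosen horizon as long-lived so they can be prioritized. The three certificates it scans are generated at run time under hypothetical names (legacy-vpn.example and so on); the five-year horizon is an assumption, and a real scan would feed it the bundles pulled from load balancers, VPN gateways, signing services and device fleets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: what the certificate is, how its key and
// signature work, when it expires, and whether it needs to move.
type Finding struct {
	Subject   string
	KeyAlgo   string // "RSA-2048", "ECDSA-P-256", "Ed25519", ...
	SigAlgo   string
	NotAfter  time.Time
	Status    string // "vulnerable": Shor applies; "review": unrecognised key type
	LongLived bool   // still valid beyond the caller's horizon; migrate these first
}

// classifyKey names the key and decides whether Shor's algorithm applies: RSA
// rests on factoring, ECDSA and Ed25519 on discrete logarithms, so all are flagged.
func classifyKey(pub any) (algo, status string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), "vulnerable"
	case *ecdsa.PublicKey:
		return "ECDSA-" + k.Curve.Params().Name, "vulnerable"
	case ed25519.PublicKey:
		return "Ed25519", "vulnerable"
	}
	return fmt.Sprintf("%T", pub), "review"
}

// Inventory walks every CERTIFICATE block in a PEM bundle. A block that fails to
// parse is an error, not a silent skip: a scanner that drops what it cannot read
// creates exactly the blind spots a migration plan cannot afford.
func Inventory(bundle []byte, now time.Time, horizon time.Duration) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return out, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		algo, status := classifyKey(cert.PublicKey)
		out = append(out, Finding{
			Subject: cert.Subject.CommonName, KeyAlgo: algo, SigAlgo: cert.SignatureAlgorithm.String(),
			NotAfter: cert.NotAfter, Status: status, LongLived: cert.NotAfter.After(now.Add(horizon)),
		})
	}
	return out, nil
}

// selfSigned mints a throwaway self-signed certificate for the constructed sample.
func selfSigned(cn string, pub, priv any, years int) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed bundle with one certificate per key type under hypothetical
// names; keys are generated on the fly (crypto/rand cannot fail in Go 1.24+) and nothing is real.
func SampleBundle() []byte {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	var bundle []byte
	bundle = append(bundle, selfSigned("legacy-vpn.example", &rsaKey.PublicKey, rsaKey, 10)...)
	bundle = append(bundle, selfSigned("api.example", &ecKey.PublicKey, ecKey, 1)...)
	bundle = append(bundle, selfSigned("code-signing-root.example", edPub, edPriv, 20)...)
	return bundle
}

func main() {
	findings, err := Inventory(SampleBundle(), time.Now(), 5*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s %-12s %-12s expires %s  %-10s long-lived=%v\n", f.Subject, f.KeyAlgo, f.SigAlgo, f.NotAfter.Format("2006-01-02"), f.Status, f.LongLived)
	}
}
```

Because the scanner refuses to skip what it cannot parse, a broken bundle surfaces as an error instead of a hole in the inventory, and the long-lived flag lets the second move, prioritising by lifetime, fall out of the same pass rather than a separate review.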

The third move is to design for cryptographic agility. NIST says products, services, and protocols will need updates, and organizations must identify vulnerable algorithms and plan replacements. France’s ANSSI recommends hybrid approaches in many cases during the transition, meaning a classical algorithm and a post-quantum one are run together and the result holds as long as either survives, which guards against both quantum progress and immaturity in the new schemes. In practical terms, that means building systems that can swap algorithms without ripping apart the whole stack: algorithm identifiers negotiated rather than hard-coded, key and signature sizes not baked into formats, and a tested path to rotate the keys that anchor them.
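As an added example, not code from the article or from any agency it cites, here is a hybrid key exchange in Go with the agility point built in: each peer lists the suites it supports in preference order, the two negotiate the first common one, and under the hybrid suite the session key is derived from both an X25519 secret and an ML-KEM-768 secret through a combiner, so it is only as weak as the stronger of the two. It uses Go’s standard-library crypto/ecdh, crypto/mlkem and crypto/hkdf (Go 1.24 or later); the suite names, the message layout and the HKDF info string are assumptions of this example, not a wire format anyone has standardised.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"slices"
)

// Hypothetical suite names; each peer lists what it supports in preference order.
const (
	SuiteX25519         = "x25519"          // classical only
	SuiteX25519MLKEM768 = "x25519-mlkem768" // hybrid: X25519 plus ML-KEM-768
)

// Hello is the client's first flight, Reply the server's answer; KEM fields stay empty under x25519.
type Hello struct{ Suite string; ECDHPub, KEMPub []byte }
type Reply struct{ ECDHPub, KEMCt []byte }

// Negotiate picks the first of ours the peer also offers: upgraded peers land on the hybrid
// suite, a peer that has not been upgraded still gets a session, nothing else changes.
func Negotiate(ours, theirs []string) (string, error) {
	if i := slices.IndexFunc(ours, func(s string) bool { return slices.Contains(theirs, s) }); i >= 0 {
		return ours[i], nil
	}
	return "", errors.New("no common key-exchange suite")
}

// must is for local key generation only; peer-supplied values are validated and errors returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey finishes either side: X25519 with the peer's share (Go rejects low-order points
// here), then the hybrid combiner. Both secrets go through HKDF together, salted with a hash of
// the suite name and every public value exchanged, so the key is bound to this transcript and
// stays secret while either X25519 or ML-KEM holds up. kemSecret is empty under x25519.
func sessionKey(h Hello, r Reply, priv *ecdh.PrivateKey, peerShare, kemSecret []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	ecdhSecret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	transcript := sha256.Sum256(slices.Concat([]byte(h.Suite), h.ECDHPub, h.KEMPub, r.ECDHPub, r.KEMCt))
	return hkdf.Key(sha256.New, slices.Concat(ecdhSecret, kemSecret), transcript[:], "session key v1", 32)
}

// Client builds the first flight and returns the function that finishes the handshake. A tampered
// ML-KEM ciphertext does not error: implicit rejection yields an unrelated secret, so keys disagree.
func Client(suite string) (Hello, func(Reply) ([]byte, error)) {
	ecdhPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	hello := Hello{Suite: suite, ECDHPub: ecdhPriv.PublicKey().Bytes()}
	var kemPriv *mlkem.DecapsulationKey768
	if suite == SuiteX25519MLKEM768 {
		kemPriv = must(mlkem.GenerateKey768())
		hello.KEMPub = kemPriv.EncapsulationKey().Bytes()
	}
	return hello, func(r Reply) ([]byte, error) {
		if kemPriv == nil {
			return sessionKey(hello, r, ecdhPriv, r.ECDHPub, nil)
		}
		kemSecret, err := kemPriv.Decapsulate(r.KEMCt)
		if err != nil {
			return nil, err
		}
		return sessionKey(hello, r, ecdhPriv, r.ECDHPub, kemSecret)
	}
}

// Server answers with its own X25519 share plus, under the hybrid suite, an ML-KEM ciphertext
// encapsulated to the client's key, and returns its copy of the session key.
func Server(h Hello) (Reply, []byte, error) {
	ecdhPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	reply := Reply{ECDHPub: ecdhPriv.PublicKey().Bytes()}
	var kemSecret []byte
	if h.Suite == SuiteX25519MLKEM768 {
		ek, err := mlkem.NewEncapsulationKey768(h.KEMPub)
		if err != nil {
			return Reply{}, nil, err
		}
		kemSecret, reply.KEMCt = ek.Encapsulate()
	}
	key, err := sessionKey(h, reply, ecdhPriv, h.ECDHPub, kemSecret)
	return reply, key, err
}

func main() {
	suite := must(Negotiate([]string{SuiteX25519MLKEM768, SuiteX25519}, []string{SuiteX25519, SuiteX25519MLKEM768}))
	hello, finish := Client(suite)
	reply, serverKey, err := Server(hello)
	if err != nil {
		panic(err)
	}
	clientKey := must(finish(reply))
	fmt.Printf("negotiated %s, session keys match: %v\n", suite, slices.Equal(clientKey, serverKey))
}
```

The combiner is the part worth copying: concatenating the two secrets and keying HKDF with a transcript hash means a substituted or replayed public value changes the key on the other side instead of going unnoticed, and retiring the classical-only suite later is a one-line change to the preference list rather than a rewrite of the handshake.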

The fourth move is to stop waiting for certainty. The standards are no longer hypothetical. They exist. NIST’s first three finalized PQC standards are published, and governments are already setting timelines. The migration problem now is not theoretical cryptography. It is procurement, software support, legacy systems, embedded devices, PKI sprawl, and time.

A blunt checklist

  • Inventory every place you rely on RSA, ECC, DH, certificates, and digital signatures.
  • Classify which data must stay secret for years, not just weeks.
  • Push vendors for post-quantum cryptography roadmaps and implementation plans.
  • Treat PKI, software signing, and trust anchors as top-tier migration targets.
  • Use hybrid approaches where they make sense during transition, especially for long-lived protection.
  • Fold PQC into normal refresh cycles now instead of waiting for a crisis later.

The bottom line

Quantum computers are not about to vaporize every lock on the internet in a single day. But that does not make the threat small. The real issue is that the public-key cryptography behind secure browsing, identity, certificates, signatures, and trust has an expiry date, and the migration away from it will take years. By the time a cryptographically relevant quantum computer is sitting in front of everyone, the organizations that delayed will already be late.

The serious response is not panic. It is precision: know what quantum breaks, know what it does not, and start replacing the parts of your security stack that cannot survive it. That is what NIST, the UK NCSC, EU institutions, Canada, France, Singapore, and other governments are already telling organizations to do. The post-quantum cryptography transition has started. The only real question is who is still pretending it has not.