
How Should We Prepare for the Looming Quantum Encryption Apocalypse?

The dreaded Q-day could arrive sooner than expected, and when it does, experts say we need to be ready.

In 1994, American mathematician Peter Shor developed a quantum algorithm with the potential to dismantle the public-key cryptography schemes in everyday use. Run on a sufficiently large, error-corrected quantum computer, Shor’s algorithm would factor large integers (and solve the related discrete logarithm problems) in polynomial time, where the best known classical methods take superpolynomial time. Some cryptography circles call the day such hardware arrives “Q-day,” the quantum encryption apocalypse.

For context, public-key algorithms such as RSA protect sensitive information by relying on mathematical problems that are easy to set up but infeasible to reverse: not even the world’s fastest supercomputers can factor an RSA-2048 modulus in any useful amount of time. Quantum computers, however, are expected to outperform their classical counterparts on precisely the problems that underpin today’s public-key cryptography: integer factorization, the discrete logarithm problem, and the elliptic-curve discrete logarithm problem. Symmetric ciphers such as AES and hash functions are affected far less; quantum search (Grover’s algorithm) roughly halves their effective key length, which larger keys absorb.
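To make the factoring threat concrete, here is the reduction Shor’s algorithm is built on, written as a classical program. This is an added example, not code from the article or from any of the experts quoted in it. The quantum computer’s only job in Shor’s algorithm is the order-finding step (`find_order` below), which this script does by brute force; everything else is ordinary number theory, including the retry when a base fails. The inputs are toy composites chosen for the example, and the script assumes `n` is odd, composite, and not a prime power.

```python
from math import gcd


def find_order(a: int, n: int) -> int:
    """Return the smallest r > 0 with a**r == 1 (mod n).

    This is the one step Shor's algorithm hands to the quantum computer
    (period finding). Done classically, as here, it costs roughly r modular
    multiplications, and r can be nearly as large as n itself, which is why
    this loop is fine for toy n and hopeless for a 2048-bit RSA modulus.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """Shor's classical post-processing for one base a.

    Returns a sorted pair of non-trivial factors of n, or None when this
    base does not work (odd order, or a**(r/2) == -1 mod n), in which case
    the algorithm simply retries with another base.
    """
    g = gcd(a, n)
    if g != 1:                      # a already shares a factor with n
        return tuple(sorted((g, n // g)))
    r = find_order(a, n)
    if r % 2:                       # need an even order to take a square root of 1
        return None
    y = pow(a, r // 2, n)           # y**2 == 1 (mod n)
    if y == n - 1:                  # trivial square root of 1: this base fails
        return None
    p = gcd(y - 1, n)               # non-trivial root => gcd(y-1, n) splits n
    return tuple(sorted((p, n // p)))


def shor_classical(n: int):
    """Try bases a = 2, 3, ... until the reduction yields a factorization.

    Returns (a, (p, q)) so the caller can see which base succeeded.
    """
    for a in range(2, n):
        factors = factor_from_order(n, a)
        if factors is not None:
            return a, factors
    return None


if __name__ == "__main__":
    # 3233 = 53 * 61 is the textbook toy RSA modulus; base 2 fails on it
    # (a**(r/2) == -1 mod n) and base 3 succeeds, which is why real Shor
    # runs pick a random base and retry.
    for n in (15, 21, 3233):
        print(n, "->", shor_classical(n))
```

The point to take away is the asymmetry: once the order r is known, splitting n costs a handful of gcd and modular-exponentiation calls that any laptop does instantly. Everything that makes RSA safe today lives in the cost of `find_order`, and that is exactly the part a quantum computer replaces.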

The very prospect of the quantum apocalypse has driven various stakeholders to consider what it would look like and how to prepare for Q-day. For instance, in 2015, the U.S. National Institute of Standards and Technology (NIST) initiated programs to develop post-quantum cryptography (PQC) standards.

To be clear, no existing quantum computer has run Shor’s algorithm at anything close to a cryptographically relevant size; the published demonstrations factor numbers small enough to check by hand. But last week saw two “bombshell” independent announcements about the quantum threat to encryption, from Google and a Caltech spinoff startup. The results, both preprints, have yet to weather independent verification and empirical testing. Still, they present a clear message: the quantum encryption apocalypse might come sooner than we think.

But it’s difficult to immediately grasp what all of this means. So we asked the experts. In this Giz Asks, physicists, engineers, and mathematicians in quantum computing discuss the looming quantum encryption apocalypse. Will such a thing even happen? If so, when and how? Most importantly, how should we prepare for Q-day?

The following responses may have been lightly edited and condensed for clarity.

Henry Yuen

Theoretical computer scientist, Columbia University.

It is difficult to make high-confidence predictions about when quantum computers capable of running Shor’s algorithm will come online. For industry, governments, financial institutions, and society, the pertinent question should be, “Can one be highly confident that Shor’s algorithm won’t come online in the next five years?” If not, then we need to move with great urgency to secure our digital infrastructure against quantum attack. This will require enormous coordinated effort between industry, academia, and government.

Although NIST has recommended replacement cryptosystems that are conjectured to be secure against quantum attack, we should not view the matter of having quantum-safe cryptography as being a solved problem. All it takes is one brilliant quantum algorithm—a Shor 2.0, if you will—that might put us back at square one. We will need to spend more time stress-testing the recommended post-quantum encryption schemes, as well as coming up with alternative cryptosystems, in order to maximize the chances that we can defend ourselves against quantum attacks.

Paul Davies

Theoretical physicist, Arizona State University; author of Quantum 2.0, a book that describes “the copious good news concerning quantum information technology.”

Quantum mechanics undermines many popular cryptographic methods. But it also contains the solution. Exploiting entanglement, information can be teleported from A to B with complete security because any attempt to eavesdrop irreversibly and detectably corrupts the transmitted data and thus gives the game away. Importantly, the inescapable data mutilation isn’t merely a technical disruption but a law of nature, so there is no evading it.

However, it is not necessary to use fancy quantum cryptography technology such as entanglement to avoid the looming quantum apocalypse. There are many quantum-proof encryption protocols, an obvious example being the one-time pad. They may not be as convenient as current methods but they can be secure for all practical purposes.

What none of these considerations address is the vulnerability of existing and past data that, if vacuumed up by a bad actor, sits like a time bomb awaiting the advent of a quantum computer to break into that vast database and uncover many secrets. The scope for intimidation, blackmail, and cyberwarfare is obvious. For the individual, my advice is to permanently erase as much past data as you can, e.g., that’s stored in the cloud, and copy all essential data onto storage devices that never again connect to the internet.
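The one-time pad Davies mentions is unconditionally secure, but only under conditions that are easy to violate in practice. The script below is an added example (not code from the article or from Davies) showing the pad in use and the classic failure mode: reusing a pad for two messages cancels the key out and lets an eavesdropper recover one message from a guess about the other. The two messages and the crib are constructed for the example.

```python
import secrets

# Constructed sample messages of equal length (32 bytes); not from the article.
MSG_1 = b"wire 5000 EUR to acct 4471 today"
MSG_2 = b"hold 9000 EUR in acct 8812 until"


def new_pad(length: int) -> bytes:
    """A fresh pad: uniformly random bytes from the OS CSPRNG, never derived
    from a password or a seed. The pad must cover the whole message."""
    return secrets.token_bytes(length)


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """Ciphertext = message XOR pad. Information-theoretically secure only if
    the pad is truly random, as long as the message, secret, and used once."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: refusing to wrap around")
    return bytes(m ^ k for m, k in zip(message, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(ct_1: bytes, ct_2: bytes) -> bytes:
    """What an eavesdropper learns when one pad covers two messages:
    ct_1 XOR ct_2 == msg_1 XOR msg_2; the pad cancels out entirely."""
    return bytes(a ^ b for a, b in zip(ct_1, ct_2))


def recover_with_crib(leak: bytes, crib: bytes, offset: int) -> bytes:
    """Crib dragging: if the attacker knows (or guesses) bytes of one message
    at `offset`, XORing them into the leak reveals the other message there."""
    window = leak[offset:offset + len(crib)]
    return bytes(x ^ c for x, c in zip(window, crib))


def demo_key_reuse() -> bytes:
    """Encrypt two messages under ONE pad and return what the leak exposes."""
    pad = new_pad(len(MSG_1))
    ct_1 = otp_encrypt(pad, MSG_1)
    ct_2 = otp_encrypt(pad, MSG_2)          # the mistake: same pad twice
    leak = two_time_pad_leak(ct_1, ct_2)
    # Guessing that message 1 starts with "wire 5000" exposes message 2's start.
    return recover_with_crib(leak, b"wire 5000", 0)


if __name__ == "__main__":
    pad = new_pad(len(MSG_1))
    assert otp_decrypt(pad, otp_encrypt(pad, MSG_1)) == MSG_1
    print("recovered from reused pad:", demo_key_reuse())
```

Note that the leak does not depend on the pad at all, which is why it is deterministic here even though every run draws fresh random bytes. The operational cost that makes the pad "not as convenient" is exactly this: every message needs its own pre-shared, truly random key material of equal length, delivered out of band and destroyed after use.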

Tim Palmer

Theoretical physicist at Oxford University who devised the alternative model Rational Quantum Mechanics (RaQM).

The ability to break RSA encryption assumes that the quantum advantage of Shor’s algorithm will continue on computers with thousands of (error-corrected) qubits. This in turn assumes quantum mechanics itself holds at these scales. I believe it doesn’t.

Although the public thinks of quantum mechanics as a wildly discontinuous theory (think “quantum jump” and “quantum leap”), it turns out that quantum mechanics depends on the continuum of numbers more vitally than does classical physics. RaQM is a much simpler theory than quantum mechanics, without the deep mysteries of superposition and nonlocality. It achieves this by banishing the continuum from quantum physics. As a result, RaQM reveals the information content of the wavefunction explicitly: in particular, when more than a few hundred qubits are entangled, there is not enough information in the quantum wavefunction to allocate even one bit of information to each Hilbert space dimension. When this happens, the quantum advantage of Shor’s algorithm will saturate and cannot be improved by entangling more qubits.

So the reason I am excited by the Google announcement is because it will hasten the day that quantum mechanics may be shown, experimentally, to fail. If this happens, I will have a much simpler theory to take its place—one where the mysteries of quantum mechanics are explained by simple number theory.

Sophie Schmieg

Senior staff cryptography engineer at Google.

The encryption currently used to keep information confidential and secure could be broken by a large-scale quantum computer in coming years. We can mitigate this quantum threat to encryption by taking the necessary migration steps now. With NIST and IETF having published their PQC standards, we have a way to protect our computing infrastructure before a quantum computer is ready. Many widely used cryptographic libraries have implemented these algorithms in the last few years, even if some gaps that need to be addressed by cryptography engineers remain.

We now need to empower general software engineers to undertake the transition. Hardcoded TLS ciphers need to be swapped to their PQC counterpart (X25519MLKEM768), SSH versions need to be updated, configurations for access token signatures need to be changed from ECDSA to MLDSA, and more. Policymakers and regulators can support this transition by clearly communicating the urgency of the PQC migration for their systems, for critical infrastructure, and for the private sector. They can also play a key role by providing resources and guidance to ease the PQC migration. And, of course, researchers need to continue to study these schemes to ensure that they are secure and to find more efficient replacement algorithms where possible.

Dustin Moody

Mathematician at NIST who manages NIST efforts for PQC development.

I view the “quantum apocalypse” as a serious, looming threat that requires action. However, it is not an apocalypse, as we have the tools to deal with it if the world adopts them quickly enough. One of my jobs at NIST is to manage the development of PQC standards designed to protect sensitive data for the long term against the attack of a quantum computer. We developed these standards in an open process with the help of cryptographers worldwide, and they are ready for use right now. But publishing the standards is only the beginning—the real work lies in widespread adoption.

The key challenge is timing: it could take years or even decades to fully transition the world’s digital infrastructure, so preparation needs to begin well before the threat fully materializes. No one knows how long it will take to develop a quantum computer that can break current encryption methods, and the timeline may be shorter than we’d prefer.

Transitioning to these new solutions will be complex, but it is essential for maintaining global digital trust. For most people, these changes should happen largely behind the scenes as service providers and software developers integrate the new standards into their products. Organizations should prioritize “crypto-agility”—the ability to quickly swap out cryptographic systems—and begin by conducting a comprehensive inventory of where and how public-key cryptography is used. By identifying vulnerable points and prioritizing high-value data today, they can carry out a deliberate, phased migration that reduces risk over time.
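Schmieg’s list (TLS groups, SSH key exchange and host keys, token signature algorithms) and Moody’s advice to start with an inventory of where public-key cryptography is used describe the same first step. The script below is an added example (not code from the article, from Google, or from NIST) of what such an inventory pass can look like: it reads a few configuration fragments, normalizes the algorithm identifiers they contain, and sorts the quantum-vulnerable ones to the top. The sample `sshd_config`, nginx and JWT inputs are constructed for the example. Assumptions: the identifier names are the ones OpenSSH, OpenSSL 3.5-era TLS (`X25519MLKEM768`) and JOSE use; the nginx `ssl_ecdh_curve` list is handed to OpenSSL unchanged, so it accepts the hybrid group name when nginx is built against an OpenSSL that knows it; the `ML-DSA-*` JOSE names follow the current IETF draft and are listed here so the scanner recognizes them.

```python
import base64
import json
import re

# Public-key algorithms that Shor's algorithm breaks, keyed by the names they
# carry in SSH, TLS/OpenSSL and JOSE (JWT) configuration.
QUANTUM_VULNERABLE = {
    "rsa-sha2-256": "RSA", "rsa-sha2-512": "RSA", "ssh-rsa": "RSA",
    "rs256": "RSA", "rs384": "RSA", "rs512": "RSA", "ps256": "RSA",
    "ecdsa-sha2-nistp256": "ECDSA", "es256": "ECDSA", "es384": "ECDSA",
    "ssh-ed25519": "EdDSA", "eddsa": "EdDSA",
    "curve25519-sha256": "ECDH", "ecdh-sha2-nistp256": "ECDH",
    "x25519": "ECDH", "prime256v1": "ECDH", "secp384r1": "ECDH",
    "diffie-hellman-group14-sha256": "DH",
}
# Post-quantum or hybrid options. ML-KEM and ML-DSA are the NIST standards
# (FIPS 203/204); the TLS and SSH names are those ecosystems' identifiers for
# them. sntrup761x25519 is OpenSSH's earlier, non-NIST hybrid key exchange.
POST_QUANTUM = {
    "x25519mlkem768": "hybrid X25519 + ML-KEM-768",
    "mlkem768x25519-sha256": "hybrid X25519 + ML-KEM-768",
    "sntrup761x25519-sha512": "hybrid X25519 + sntrup761",
    "ml-dsa-44": "ML-DSA-44", "ml-dsa-65": "ML-DSA-65", "ml-dsa-87": "ML-DSA-87",
}


def classify(name: str) -> tuple:
    """Map one algorithm identifier to (status, family)."""
    key = name.strip().lower()
    if key in POST_QUANTUM:
        return ("post-quantum", POST_QUANTUM[key])
    if key in QUANTUM_VULNERABLE:
        return ("quantum-vulnerable", QUANTUM_VULNERABLE[key])
    return ("unknown", name.strip())


def scan_sshd_config(text: str, where: str) -> list:
    """Pull KexAlgorithms / HostKeyAlgorithms lists out of an sshd_config."""
    findings = []
    for m in re.finditer(r"^\s*(KexAlgorithms|HostKeyAlgorithms)\s+(\S+)", text, re.M):
        for alg in m.group(2).split(","):
            findings.append((where, m.group(1), alg) + classify(alg))
    return findings


def scan_nginx_config(text: str, where: str) -> list:
    """Pull the ssl_ecdh_curve group list (passed to OpenSSL as-is) from nginx."""
    findings = []
    for m in re.finditer(r"^\s*ssl_ecdh_curve\s+([^;]+);", text, re.M):
        for alg in m.group(1).split(":"):
            findings.append((where, "ssl_ecdh_curve", alg) + classify(alg))
    return findings


def jwt_alg(token: str) -> str:
    """Read the `alg` field from a JWT header without verifying the token."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header))["alg"]


def scan_jwt(token: str, where: str) -> list:
    alg = jwt_alg(token)
    return [(where, "jwt.alg", alg) + classify(alg)]


def inventory(sshd: str, nginx: str, jwt: str) -> list:
    """One combined inventory, quantum-vulnerable items listed first."""
    findings = (scan_sshd_config(sshd, "sshd_config")
                + scan_nginx_config(nginx, "nginx.conf")
                + scan_jwt(jwt, "access token"))
    order = {"quantum-vulnerable": 0, "unknown": 1, "post-quantum": 2}
    return sorted(findings, key=lambda f: order[f[3]])


def vulnerable_count(findings: list) -> int:
    return sum(1 for f in findings if f[3] == "quantum-vulnerable")


# Constructed sample inputs (not taken from any real system).
SAMPLE_SSHD = """
KexAlgorithms curve25519-sha256,mlkem768x25519-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
"""
SAMPLE_NGINX = "ssl_ecdh_curve X25519:X25519MLKEM768;\n"
SAMPLE_JWT = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln"   # header: {"alg":"ES256","typ":"JWT"}


if __name__ == "__main__":
    for finding in inventory(SAMPLE_SSHD, SAMPLE_NGINX, SAMPLE_JWT):
        print(finding)
```

Two things the output makes visible that the paragraph does not: a hybrid entry next to a classical one does not retire the classical one (a client that only offers `X25519` still negotiates `X25519`), and signatures (`ssh-ed25519`, `ES256`) are a separate migration from key exchange, since the harvest-now-decrypt-later risk applies to key exchange today while signature forgery only matters once the quantum computer exists. A real inventory would also cover certificate keys, KMS and HSM configurations, code-signing and firmware keys, and VPN settings.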

Bill Fefferman

Theoretical computer scientist at the University of Chicago.

To guard against the threat that quantum computers will pose to cryptography, there is only one solution: we urgently need to replace our existing cryptography with “post-quantum” cryptographic schemes such as those that have recently been standardized by NIST.

There are a couple of reasons why we can’t afford to delay this implementation. First, the timeline to build large-scale quantum computers is uncertain. There is no widespread consensus among experts, but experimental progress has been rapid and there is no reason to expect it to slow down. Second, we need to counter the threat of “harvest now and decrypt later” attacks. The idea is that attackers can download and store encrypted information that is widely available online. This data will not be accessible to them today but will be when large-scale quantum computers arrive that can break the encryption. Consequently, we should be particularly mindful to use post-quantum encryption methods to encrypt digital information that needs to be kept secure over long periods of time, such as financial records, legal documents, or personal identity data.

That said, there is still much work to be done to understand the capabilities of future quantum computers. Unlike the pre-quantum security of current encryption schemes, which has been backed by many decades of experience, we are far less confident about the security of current post-quantum schemes. Therefore, it is crucial that governments, companies, and policymakers prioritize investment in quantum computation research so that we can clearly understand whether these new cryptographic schemes are truly secure against future quantum attacks and, if not, develop new schemes that are quantum secure. In the meantime, being prepared by implementing currently available post-quantum cryptographic schemes is much better than using encryption methods that are not capable of any protection at all.

Dave Taku

Vice President, Global Head of Product Management & UX, RSA Security.

While the current generation of quantum computing presents no practical threat to commercial-grade encryption key lengths, innovation continues to progress at a steady pace. But we aren’t on the verge of a quantum apocalypse—if organizations begin to prepare now. NIST mandates that all federal and critical systems should implement PQC by 2035. Given the current state of the technology, that date should provide ample time before PQC presents any real risk.

Organizations can begin to prepare now by evaluating “PQC-ready” cryptographic modules that already support the new standards. This will make any future transition easier once PQC is well-established, or if any new breakthrough in quantum computing dramatically accelerates NIST’s timeline. Where classical algorithms are employed, increasing the key length, along with proper key management, is a practical solution that exponentially increases the computational power required, even for quantum computers (note: all major web browsers already support 4096-bit RSA keys). Long-lived data can also be “double-wrapped” to provide additional defense in depth against “harvest now, decrypt later” attacks, although I’d advise this degree of security only for data that would still be valuable to adversaries long after the initial attack.

Finally, as with anything else, take a pragmatic risk-based approach to your data security. While we should all prepare now for the post-quantum future, the biggest risk that organizations face today comes from much less sophisticated attacks—weak passwords, phishing, and social engineering. Address those challenges immediately even as you work toward NIST’s 2035 deadline.
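Fefferman’s “harvest now, decrypt later” scenario and Taku’s “double-wrapping” suggestion fit together: if the key protecting long-lived data is wrapped once under a classically established secret and again under a post-quantum one, a recording made today stays opaque even after Shor’s algorithm breaks the classical layer. The script below is an added example (not code from the article, from RSA Security, or from any of the experts) of that layering. Assumptions: the two 32-byte secrets stand in for what a real system would obtain from an ECDH or RSA exchange and from an ML-KEM exchange, and the `wrap`/`unwrap` pair is a toy encrypt-then-MAC construction built from HMAC-SHA256 to keep the example dependency-free; production code would use AES-GCM or AES key wrap in its place. The HKDF function is a straightforward RFC 5869 implementation.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real cipher (assumption)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC wrapping: nonce || ciphertext || tag.

    Stands in for AES-GCM / AES-KW; the layering, not the primitive, is the point.
    """
    enc_key = hkdf_sha256(key, b"", b"wrap/enc", 32)
    mac_key = hkdf_sha256(key, b"", b"wrap/mac", 32)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); raises ValueError if the tag does not verify."""
    enc_key = hkdf_sha256(key, b"", b"wrap/enc", 32)
    mac_key = hkdf_sha256(key, b"", b"wrap/mac", 32)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def double_wrap(dek: bytes, k_classical: bytes, k_pq: bytes) -> bytes:
    """Wrap the data-encryption key under the classically established key,
    then wrap that result under the PQ-established key. Recovering the DEK
    needs BOTH keys, so breaking ECDH/RSA with Shor alone yields nothing."""
    return wrap(k_pq, wrap(k_classical, dek))


def double_unwrap(blob: bytes, k_classical: bytes, k_pq: bytes) -> bytes:
    return unwrap(k_classical, unwrap(k_pq, blob))


def attacker_with_classical_only(blob: bytes, k_classical: bytes):
    """Model a harvest-now-decrypt-later adversary who later breaks the
    classical layer: the PQ-wrapped outer layer still rejects them."""
    try:
        return unwrap(k_classical, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed stand-ins (assumption) for secrets a real system would take
    # from an ECDH/RSA exchange and from an ML-KEM exchange respectively.
    k_classical, k_pq = secrets.token_bytes(32), secrets.token_bytes(32)
    dek = secrets.token_bytes(32)
    blob = double_wrap(dek, k_classical, k_pq)
    assert double_unwrap(blob, k_classical, k_pq) == dek
    print("classical-only attacker recovers:", attacker_with_classical_only(blob, k_classical))
```

The order of the layers does not matter for the security argument (an attacker needs both secrets either way), but it does matter operationally: the outer wrap is the one a key-management system has to be able to rotate first, so putting the post-quantum layer outermost means a future move to a newer PQ algorithm can rewrap stored blobs without ever exposing the classical layer or the DEK.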
