When will quantum computers be able to break encryption?

Most expert estimates place cryptographically relevant quantum computers in the 2030-2040 range. NSA has set a 2035 deadline for migration. Google says it could happen by 2029, with at least a 10% probability by 2032. Academic consensus centers around a median of 2035. Breaking RSA-2048 requires roughly 10,000 logical qubits or about 1 million physical qubits with error correction. Current systems have 100-400 physical qubits.

Is Bitcoin safe from quantum computers?

Bitcoin uses elliptic curve cryptography (ECC) for wallet security, which is highly vulnerable to quantum attack via Shor's algorithm. As of 2026, Bitcoin has no post-quantum migration plan and community governance makes rapid change difficult. Wallets with exposed public keys would be the first targets. Ethereum is in a similar position. Both rank as 'Very High' vulnerability with no active migration.

What is harvest now decrypt later?

Harvest now, decrypt later (HNDL) is a strategy where nation-states record encrypted internet traffic today with the intention of decrypting it later when quantum computers become powerful enough. The NSA, Google, and others have confirmed this is happening. Even if quantum computers are 10-15 years away, data encrypted today could be unlocked in the 2030s or 2040s.

What is post-quantum cryptography and is it ready?

Post-quantum cryptography (PQC) refers to encryption algorithms designed to resist quantum attacks. NIST finalized its first PQC standards in August 2024: ML-KEM (Kyber) for encryption, ML-DSA (Dilithium) for signatures, and SLH-DSA (SPHINCS+) as a backup. Chrome is testing hybrid PQC, AWS and Azure offer PQC options, and the US government has a 2035 mandatory deadline. However, 90% of companies still have no PQC plan.

What should I do to prepare for the quantum threat?

For individuals: keep software updated, use AES-256 for sensitive long-term files, don't fall for quantum-proof product scams, and if you hold Bitcoin watch for PQC fork announcements. For businesses: inventory cryptographic dependencies, ask vendors about PQC roadmaps, and require crypto-agility in new systems. For investors: cybersecurity vendors like Thales, Cisco, and Palo Alto will sell PQC upgrades, quantum computing companies benefit from urgency, and big tech captures migration consulting spend.

Quantum Encryption Threat: When Does Security Break?

How Modern Encryption Works (and Why Quantum Breaks It)

Almost everything you do online is protected by asymmetric encryption — RSA and ECC (elliptic curve cryptography). These rely on mathematical problems that classical computers find essentially impossible to solve: factoring very large numbers (RSA) and computing discrete logarithms on elliptic curves (ECC).

A sufficiently powerful quantum computer running Shor's algorithm solves both of these problems in polynomial time. What takes a classical computer billions of years takes a quantum computer hours or days.

Classical computer vs. RSA-2048:
Estimated time to crack: ~300 trillion years. The universe is only 13.8 billion years old. You're safe.

Quantum computer vs. RSA-2048 (with Shor's algorithm):
Estimated time to crack: ~8 hours with a sufficiently large, error-corrected quantum computer. Not safe.

Here's the critical distinction most coverage misses:

Asymmetric encryption (RSA, ECC) — vulnerable. This is what protects key exchange, digital signatures, certificates, and cryptocurrency wallets. Quantum breaks it completely.

Symmetric encryption (AES-256) — mostly safe. Grover's algorithm on a quantum computer only halves the effective key space. AES-256 drops to the equivalent of AES-128, which still requires 2¹²⁸ operations to brute-force. That's still practically unbreakable.

If you're encrypting files locally with AES-256, quantum computing is not your problem. If you're relying on RSA or ECC for anything — and you almost certainly are, even if you don't know it — that's where the risk lives.

The Timeline — When Does This Actually Happen?

Nobody knows exactly when a quantum computer will be powerful enough to break RSA-2048. But several credible organizations have published estimates. Here's how they line up, ordered by urgency:

Google (optimistic)

2029

Google quantum team

~10% by 2032

NSA mandate

2035 deadline

Academic consensus

Median ~2035

Conservative estimate

After 2040

The technical requirements: Breaking RSA-2048 needs roughly 10,000 logical qubits or approximately 1 million physical qubits with error correction. Current state-of-the-art systems have 100–400 physical qubits. That's a gap of roughly 1,000x — significant, but quantum hardware is advancing rapidly.

The Honest Assessment

We're probably 8–15 years out, but the uncertainty range is wide enough that anyone who gives you a single date is guessing. The NSA isn't setting a 2035 deadline because they think it'll happen in 2036. They're setting it because they think there's a real chance it happens sooner, and migration takes years.

Harvest Now, Decrypt Later

Nation-states are recording encrypted internet traffic right now. This isn't speculation. The NSA, Google, and multiple intelligence agencies have confirmed that state-level actors are capturing and storing encrypted data today, planning to decrypt it when quantum computers become available.

This is the part most people miss when they hear "quantum is 10–15 years away" and tune out. The threat window for long-lived secrets has already opened.

Think about what data needs to stay secret for more than a decade:

State secrets — diplomatic cables, intelligence operations, military communications
Medical records — genomic data, psychiatric records, insurance histories
Financial data — trade secrets, merger plans, long-term investment strategies
Intellectual property — proprietary research, patents in development, source code

If any of this is transmitted over standard RSA/ECC-encrypted channels today, and an adversary captures it, they just need to wait. The data doesn't expire. The math won't forget.

What's Actually At Stake

Government / Military

Classified communications, nuclear codes, diplomatic cables, intelligence networks. VERY HIGH vulnerability. Active migration underway but massive legacy systems remain.

Financial Services

Banking transactions, trading systems, payment networks, SWIFT messaging. HIGH but the sector is actively migrating. Major banks have PQC pilots running.

Healthcare

Patient records, genomic data, insurance databases, clinical trial data. HIGH and most providers are NOT migrating. HIPAA doesn't yet require PQC.

Cryptocurrency

Bitcoin and Ethereum use ECC with no PQC migration plan. Community governance makes rapid change extremely difficult. VERY HIGH vulnerability.

Enterprise / Corporate

VPNs, TLS connections, code signing, internal PKI. MEDIUM risk — vendor-dependent. Most will inherit PQC from cloud providers and OS updates.

Personal / Consumer

Browser HTTPS, messaging apps (Signal, iMessage), email encryption. LOW near-term risk. Apps will update automatically. Signal already uses PQC.

Who's Preparing (Sector Vulnerability Table)

Sector	Current Encryption	Quantum Vulnerable?	Migration Status	Risk Level
US Government	RSA-2048, AES-256, Suite B	RSA/ECC: Yes	Active — CNSA 2.0 mandate, 2035 deadline	Medium (migrating)
Big Tech (Google, Apple, Meta)	TLS 1.3, ECDHE, AES-GCM	Key exchange: Yes	Active — Chrome shipping hybrid PQC, Apple iMessage PQC	Low (leading)
Banking / Finance	RSA-2048, 3DES (legacy), AES	RSA: Yes, legacy: Yes	Pilot stage — JPMorgan, HSBC running PQC trials	Medium-High
Healthcare	TLS, AES, vendor-dependent	TLS handshake: Yes	No plan — no regulatory requirement yet	High
Bitcoin / Crypto	ECDSA (secp256k1)	Completely: Yes	No plan — governance deadlock, no upgrade path	Very High
Enterprise SaaS	TLS 1.2/1.3, AES-256	Key exchange: Yes	Early — AWS/Azure offer PQC options, most ignore	Medium
Consumer Apps	Platform TLS, E2E (some)	TLS handshake: Yes	Active — Signal, iMessage already using PQC	Low

The Solution — Post-Quantum Cryptography (PQC)

The good news: we already have replacement algorithms. NIST finalized its first post-quantum cryptography standards in August 2024, after an 8-year evaluation process. These are designed to resist both classical and quantum attacks.

ML-KEM (Kyber) — Key encapsulation mechanism. Replaces RSA/ECDH for key exchange. Already being tested in Chrome and AWS.
ML-DSA (Dilithium) — Digital signature algorithm. Replaces RSA/ECDSA for signing documents, certificates, and code.
SLH-DSA (SPHINCS+) — Hash-based signature backup. Slower but based on extremely well-understood math. The "insurance policy" standard.

What's already happening:

Chrome is testing X25519Kyber768, a hybrid that combines classical and post-quantum key exchange. AWS and Azure both offer PQC TLS options. Apple shipped PQC in iMessage (PQ3 protocol). Signal deployed the PQXDH protocol. The US government has set a mandatory 2035 migration deadline.

What's not happening:

According to multiple surveys, roughly 90% of companies have no PQC migration plan. Most enterprises don't know which cryptographic algorithms they use, let alone have a roadmap to replace them. The standards exist. The tooling exists. The urgency doesn't — yet.

What Should You Actually Do?

If You're an Individual

Keep your software updated. Your browser, phone OS, and messaging apps will adopt PQC automatically. Chrome, Safari, Signal, and iMessage are already rolling it out. You don't need to do anything special.

Use AES-256 for sensitive files you plan to store long-term. VeraCrypt, 7-Zip, or native OS encryption with AES-256 is quantum-resistant today.

Don't fall for "quantum-proof VPN" scams. Any consumer product claiming quantum protection right now is marketing, not security. Your VPN provider will update when the underlying TLS standard updates.

If you hold Bitcoin, pay attention to PQC fork announcements. When (not if) the community eventually addresses this, early awareness matters.

If You Run a Business

Inventory your cryptographic dependencies. Most companies don't know where RSA and ECC live in their stack. Start mapping it now — every TLS certificate, VPN connection, code signing key, and API authentication flow.

Ask your vendors about PQC roadmaps. If your cloud provider, SaaS tools, and security vendors don't have an answer, that's a red flag.

Require crypto-agility in new systems. Any new architecture should be designed to swap cryptographic algorithms without rebuilding. This is cheap now and expensive later.

Prioritize long-lived data. If you handle medical records, legal documents, financial data, or anything with a 10+ year sensitivity window, the harvest-now-decrypt-later threat applies to you today.

If You're an Investor

Cybersecurity vendors like Thales, Cisco, and Palo Alto Networks are already building PQC upgrade paths into their products. Every enterprise migration is a sales cycle.

Quantum computing companies benefit from the urgency narrative regardless of timeline. IBM, Google, IonQ, and Rigetti are the obvious names.

Big tech captures the consulting spend. Microsoft, AWS, and Google will sell PQC migration services to enterprises that don't know where to start — which is most of them.

The Bottom Line

Threat Level

Real but not imminent. The 8–15 year window gives time to prepare — but not to procrastinate.

Biggest Near-Term Risk

Harvest now, decrypt later. Nation-states are capturing encrypted data today. This is already happening.

Who Should Worry Now

Anyone with data that needs to stay secret for 10+ years: governments, healthcare, finance, crypto holders.

Who Can Relax

Individuals using modern browsers and messaging apps. Your software will update automatically.

The Action

Start PQC planning now. Migrate over 5–10 years. Don't panic, but don't ignore it either.

The Scam to Avoid

Any consumer product claiming to be "quantum-proof" today. The standards just shipped. Nobody has a finished consumer product yet.

Stay Informed

We publish original research on AI, cybersecurity, and the trends reshaping technology. No spam, no hype — just clear analysis you can actually use.

The Quantum Encryption Threat