When quantum computers get powerful enough, most of today's encryption breaks — not science fiction, a scheduled engineering milestone with a date range attached. Below: the actual timeline, who's exposed, and what to do about it before Q-Day arrives.
This page, your bank login, the text you sent an hour ago — almost everything you do online runs through asymmetric encryption, meaning RSA and ECC (elliptic curve cryptography). Both lean on math problems that classical computers simply choke on: factoring enormous numbers (RSA) and untangling discrete logarithms on elliptic curves (ECC).
Shor's algorithm is the reason this page exists. Run it on a quantum computer big enough to matter and both of those problems fall in polynomial time instead of exponential time — the difference between a job that never finishes and one that finishes by dinner.
Classical computer vs. RSA-2048:
Estimated time to crack: ~300 trillion years. The universe is only 13.8 billion years old. You're safe.
Quantum computer vs. RSA-2048 (with Shor's algorithm):
Estimated time to crack: ~8 hours with a sufficiently large, error-corrected quantum computer. Not safe.
Every secure connection you use is actually running two different kinds of math side by side — and a quantum computer only breaks one of them:
Asymmetric encryption (RSA, ECC) — vulnerable. This is what protects key exchange, digital signatures, certificates, and cryptocurrency wallets. Quantum breaks it completely.
Symmetric encryption (AES-256) — mostly safe. Grover's algorithm only halves the effective key space, so AES-256 degrades to the strength of AES-128 — still 2128 operations to brute-force, a number no computer, quantum or otherwise, is going to finish counting to.
If you're encrypting files locally with AES-256, quantum computing is not your problem. If you're relying on RSA or ECC for anything — and you almost certainly are — that's where the risk lives.
Nobody knows exactly when a quantum computer will be powerful enough to break RSA-2048. Google, the NSA, and the academic mainstream have each put a number on the calendar, and the numbers don't agree. Ordered below from most alarmed to least:
The technical requirements: Breaking RSA-2048 needs roughly 10,000 logical qubits or approximately 1 million physical qubits with error correction. Current state-of-the-art systems have 100–400 physical qubits — a gap of roughly 1,000x. That's a real gap, but it's not the kind that tends to survive a decade in this field; qubit counts have a habit of making five-year forecasts look conservative.
We're probably 8–15 years out, but the uncertainty range is wide enough that anyone who gives you a single date is guessing. The NSA isn't setting a 2035 deadline because they think it'll happen in 2036. They're setting it because they think there's a real chance it happens sooner, and migration takes years.
Nation-states are recording encrypted internet traffic right now — the NSA, Google, and multiple intelligence agencies have confirmed that state-level actors are capturing and storing encrypted data today, planning to decrypt it once quantum computers are available.
Most people hear "10 to 15 years away" and file it under someday. For anything that has to stay secret longer than that, the clock started the moment the traffic got captured — the threat window for long-lived secrets has already opened.
Some data needs to stay secret for a lot longer than a decade:
If any of this is transmitted over standard RSA/ECC-encrypted channels today, and an adversary captures it, they just need to wait — the data doesn't expire, and the math won't forget it.
| Sector | Current Encryption | Quantum Vulnerable? | Migration Status | Risk Level |
|---|---|---|---|---|
| US Government | RSA-2048, AES-256, Suite B | RSA/ECC: Yes | Active — CNSA 2.0 mandate, 2035 deadline | Medium (migrating) |
| Big Tech (Google, Apple, Meta) | TLS 1.3, ECDHE, AES-GCM | Key exchange: Yes | Active — Chrome shipping hybrid PQC, Apple iMessage PQC | Low (leading) |
| Banking / Finance | RSA-2048, 3DES (legacy), AES | RSA: Yes, legacy: Yes | Pilot stage — JPMorgan, HSBC running PQC trials | Medium-High |
| Healthcare | TLS, AES, vendor-dependent | TLS handshake: Yes | No plan — no regulatory requirement yet | High |
| Bitcoin / Crypto | ECDSA (secp256k1) | Completely: Yes | No plan — governance deadlock, no upgrade path | Very High |
| Enterprise SaaS | TLS 1.2/1.3, AES-256 | Key exchange: Yes | Early — AWS/Azure offer PQC options, most ignore | Medium |
| Consumer Apps | Platform TLS, E2E (some) | TLS handshake: Yes | Active — Signal, iMessage already using PQC | Low |
Replacement algorithms already exist. NIST finalized its first post-quantum cryptography standards in August 2024, after an 8-year evaluation process, and they're built to resist both classical and quantum attacks.
What's already happening:
Chrome is testing X25519Kyber768, a hybrid that combines classical and post-quantum key exchange. AWS and Azure both offer PQC TLS options. Apple shipped PQC in iMessage (PQ3 protocol). Signal deployed the PQXDH protocol. The US government has set a mandatory 2035 migration deadline.
What's not happening:
Multiple surveys put the number at roughly 90% of companies with no PQC migration plan. Most enterprises can't even list which cryptographic algorithms they're running, let alone map a path off them. The standards exist, the tooling exists — the urgency doesn't, not yet.
Keep your software updated. Your browser, phone OS, and messaging apps will adopt PQC automatically. Chrome, Safari, Signal, and iMessage are already rolling it out. You don't need to do anything special.
Use AES-256 for sensitive files you plan to store long-term. VeraCrypt, 7-Zip, or native OS encryption with AES-256 is quantum-resistant today.
Don't fall for "quantum-proof VPN" scams. Any consumer product claiming quantum protection right now is marketing, not security. Your VPN provider will update when the underlying TLS standard updates.
If you hold Bitcoin, pay attention to PQC fork announcements. When — not if — the community finally addresses this, the people watching for the announcement move their coins first.
Inventory your cryptographic dependencies. Most companies don't know where RSA and ECC live in their stack. Start mapping it now — every TLS certificate, VPN connection, code signing key, and API authentication flow.
Ask your vendors about PQC roadmaps. If your cloud provider, SaaS tools, and security vendors don't have an answer, that's a red flag.
Require crypto-agility in new systems. Any new architecture should be designed to swap cryptographic algorithms without rebuilding. This is cheap now and expensive later.
Prioritize long-lived data. If you handle medical records, legal documents, financial data, or anything with a 10+ year sensitivity window, the harvest-now-decrypt-later threat applies to you today.
Cybersecurity vendors like Thales, Cisco, and Palo Alto Networks are already building PQC upgrade paths into their products. Every enterprise migration is a sales cycle.
Quantum computing companies benefit from the urgency narrative regardless of timeline. IBM, Google, IonQ, and Rigetti are the obvious names.
Big tech captures the consulting spend. Microsoft, AWS, and Google will sell PQC migration services to enterprises that don't know where to start — which is most of them.
When a real post-quantum deadline lands — or the next “quantum-proof” product scam shows up — I break down what it actually means for your data. Plain English, no fear-selling.
— Scott Covert, who actually built this. I work with these tools hands-on every day. If something here sparked a question, a project, or a “wait — can you build that for me?”, that's the best message I get. Reach me, pitch a collab, or book a consult.