Quantum Cryptography
Quantum computers — when sufficiently large — will break RSA, ECC, and Diffie-Hellman in polynomial time. The hardware doesn't exist yet at the required scale, but the math is settled: every public-key system the modern Internet runs on is vulnerable. The response is post-quantum cryptography, and the transition is already underway.
Quantum cryptography is the area of cryptography concerned with threats from quantum computers and the algorithms designed to resist them. The category covers two distinct things often confused with each other: quantum key distribution (QKD), which uses quantum mechanics directly for key exchange; and post-quantum cryptography (PQC), which uses classical algorithms believed to resist quantum attacks. PQC is what's being deployed; QKD remains niche.
The threat: Shor's algorithm
Peter Shor's 1994 algorithm shows that a sufficiently large quantum computer can factor large integers in polynomial time. The consequence: RSA, which depends on the difficulty of factoring, is broken. The same algorithm also computes discrete logarithms in elliptic-curve groups, so ECC (ECDSA, ECDH, Ed25519, X25519) is broken too. All of our current public-key cryptography rests on these two hard problems.
How big a quantum computer? Estimates of the resources needed to factor 2048-bit RSA: roughly 4,000 logical qubits and 10^9 quantum gates, sustained for about 8 hours. Current devices have 1,000+ physical qubits but very few logical qubits after error correction; reaching the cryptographically relevant scale is widely estimated to take 10–25 years.
Symmetric crypto is mostly fine
Grover's algorithm provides a quantum speed-up for unstructured search, halving the effective key strength of symmetric ciphers. AES-128 effectively becomes 64-bit secure (uncomfortable), AES-256 becomes 128-bit secure (still strong). Hash functions are similarly affected: SHA-256's collision resistance drops from 128 to about 85 bits, preimage resistance from 256 to 128.
The pragmatic response: use larger symmetric keys (AES-256, SHA-384/512) and the existing algorithms remain secure. Symmetric crypto isn't broken; it just needs to be sized up.
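Where the figures above come from, as an added worked calculation that is not part of the original: Grover searches an unstructured space of size N in about sqrt(N) steps, and the Brassard-Høyer-Tapp (BHT) collision algorithm finds a collision in about N^{1/3} steps (BHT also needs a very large quantum memory, which is why many analysts keep 2^{n/2} as the practical collision bound).

$$
\begin{aligned}
\text{key search, } k\text{-bit key:}\quad & 2^{k} \;\to\; \sqrt{2^{k}} = 2^{k/2} & \text{AES-128: } 2^{64},\ \text{AES-256: } 2^{128}\\
\text{preimage, } n\text{-bit hash:}\quad & 2^{n} \;\to\; 2^{n/2} & \text{SHA-256: } 2^{128}\\
\text{collision, } n\text{-bit hash:}\quad & 2^{n/2} \;\to\; 2^{n/3} & \text{SHA-256: } 2^{256/3} \approx 2^{85.3}
\end{aligned}
$$

Doubling the key length restores the pre-quantum margin because Grover's gain is a square root, unlike Shor's exponential-to-polynomial drop for factoring and discrete logs.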
Harvest now, decrypt later
The most cited near-term concern: adversaries collecting encrypted traffic today on the assumption they can decrypt it in 10–20 years when quantum hardware matures. The threat is real for any data that remains valuable that long — diplomatic cables, intelligence, medical records, legal documents, intellectual property.
This is why the post-quantum transition can't wait for quantum hardware to exist. Data being encrypted in 2026 needs to be quantum-resistant if it must remain confidential in 2040.
NIST's PQC standardization
NIST ran a multi-year open competition (2016–2024) to standardize post-quantum algorithms. The 2024 winners:
- ML-KEM (CRYSTALS-Kyber) for key encapsulation — replaces ECDH/RSA-KEM
- ML-DSA (CRYSTALS-Dilithium) for signatures — replaces ECDSA/RSA
- SLH-DSA (SPHINCS+) hash-based signatures — backup for ML-DSA in case lattice cryptanalysis advances
- FN-DSA (Falcon) compact signatures for constrained environments
The first three were standardized as FIPS 203, 204 and 205 in August 2024. Falcon is pending.
The deployment is happening
Major real-world deployments by 2025–2026:
- TLS hybrid handshakes — Chrome, Firefox, Cloudflare, Google, and others deploy X25519+Kyber hybrids. Both algorithms run; the connection is secure if either remains unbroken.
- Apple iMessage PQ3 — the messaging protocol added post-quantum key exchange via a custom hybrid in 2024.
- Signal PQXDH — Signal's key exchange added a Kyber hybrid in 2023.
- SSH — OpenSSH 9.x supports a Streamlined NTRU Prime hybrid for the key exchange.
- VPNs — WireGuard with a Kyber wrapper exists; commercial VPNs are starting to advertise PQ options.
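The hybrid key exchange described in the TLS item above, as an added example that is not code from the page or from any of the named projects: it uses only Go's standard library (crypto/ecdh, plus crypto/mlkem and crypto/hkdf, which require Go 1.24 or later). The share layout, the HKDF label and the `must` helper are constructed for this demo and are not the exact TLS codepoint encoding.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// must keeps the demo short: these calls only fail on RNG failure or malformed input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine binds both shared secrets into one session key: breaking X25519 alone
// still leaves ssPQ unknown (and vice versa). The HKDF label is constructed.
func combine(ssPQ, ssEC []byte) []byte {
	ikm := append(append([]byte{}, ssPQ...), ssEC...)
	return must(hkdf.Key(sha256.New, ikm, nil, "demo-x25519-mlkem768", 32))
}

// handshake runs one hybrid exchange in-process. Wire layout (constructed):
// client share = ML-KEM ek || X25519 pk; server share = ML-KEM ct || X25519 pk.
func handshake() (clientKey, serverKey []byte) {
	const ekLen, ctLen = mlkem.EncapsulationKeySize768, mlkem.CiphertextSize768

	// Client: both key pairs; the share is 1184 + 32 bytes, versus 32 for plain X25519.
	cEC := must(ecdh.X25519().GenerateKey(rand.Reader))
	cPQ := must(mlkem.GenerateKey768())
	clientShare := append(cPQ.EncapsulationKey().Bytes(), cEC.PublicKey().Bytes()...)

	// Server: parse (both constructors reject wrong-length input), encapsulate to
	// the ML-KEM key, run X25519 with a fresh ephemeral key, derive the session key.
	ek := must(mlkem.NewEncapsulationKey768(clientShare[:ekLen]))
	cPub := must(ecdh.X25519().NewPublicKey(clientShare[ekLen:]))
	sEC := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssPQ, ct := ek.Encapsulate()
	serverKey = combine(ssPQ, must(sEC.ECDH(cPub)))
	serverShare := append(ct, sEC.PublicKey().Bytes()...)

	// Client: decapsulate and finish X25519; both sides now hold the same 32-byte key.
	sPub := must(ecdh.X25519().NewPublicKey(serverShare[ctLen:]))
	clientKey = combine(must(cPQ.Decapsulate(serverShare[:ctLen])), must(cEC.ECDH(sPub)))
	return clientKey, serverKey
}
```

A tampered ML-KEM ciphertext does not error out on decapsulation (ML-KEM returns an implicit-rejection secret instead), so in a real protocol the mismatch surfaces only when the finished/MAC check fails; the combiner guarantees the attacker still needs both secrets.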
The trade-offs
Post-quantum algorithms aren't free:
- Key sizes are larger. Kyber public keys are ~1.5 KB versus 32 bytes for X25519. Dilithium signatures are ~2.5 KB versus 64 bytes for Ed25519. Bandwidth and storage costs matter at scale.
- Some algorithms are slower on certain hardware, especially constrained devices. ML-KEM is comparable to ECDH; ML-DSA is slower than Ed25519.
- Lattice cryptography is newer and less battle-tested. Concerns about cryptanalytic advances are real; hash-based signatures (SPHINCS+) are a more conservative fallback at the cost of much larger signatures.
Quantum key distribution: the other thing
QKD uses quantum properties (no-cloning, measurement disturbance) to establish a shared key between two endpoints with information-theoretic security. The catch: it requires special hardware (single-photon sources/detectors), point-to-point fiber or line-of-sight, and trusted intermediate nodes for distances beyond a few hundred kilometers. Niche deployments exist in banks and government networks, but QKD doesn't scale to Internet-style use cases.
NIST and most cryptographers have explicitly recommended PQC over QKD for general use. The hype around QKD has often outrun the engineering.
What this means for you
For individual users, the post-quantum transition is mostly invisible. Browsers, OSes, and messaging apps roll out hybrid algorithms transparently. The data being encrypted today with hybrid algorithms will be safe even if quantum computers arrive. The exception: if you handle long-term-confidential data (intelligence, medical records, financial records) and your software still uses classical-only ECDH/RSA, that's worth attention now, not in 10 years.
Frequently asked questions
- When will quantum computers break RSA?
- Best estimates: 10–25 years for an attack on 2048-bit RSA. The hardware isn't close yet, but the trajectory is real. The honest answer is uncertainty; planning for 10 years out is prudent because the data being encrypted now might still be valuable then.
- Is my browser already using post-quantum crypto?
- If it's Chrome, Edge, Firefox, or Safari with recent updates, partially yes — connecting to PQ-capable servers uses hybrid key exchange. Server adoption is uneven; Google, Cloudflare, and major CDNs serve PQ-hybrid TLS, while smaller sites mostly don't yet.
- Should I be using Kyber and Dilithium today?
- If you're a developer building new systems, yes — use hybrids where possible. If you're a user of established products, the transition is happening below you. Don't replace working classical crypto with pure-PQ; use both in hybrid configurations.
- What's the difference between QKD and PQC?
- QKD uses quantum physics for key exchange and requires special hardware and dedicated links. PQC uses classical algorithms that resist quantum attacks; it runs on existing infrastructure. PQC is what's being widely deployed; QKD is a niche solution for specific high-security physical links.
- Is post-quantum crypto definitely secure?
- They are believed to be secure based on hard problems (lattice problems, code problems, hash properties), but they are less battle-tested than RSA/ECC because they are newer. Cryptanalytic advances against lattice-based schemes have happened (and led to algorithm withdrawals during the NIST competition). Hybrid modes provide insurance against future breaks.