The Frontier
The state of the field and post-quantum crypto
Where QC really is, and why to migrate crypto now
Strip away the press releases and one consequence of this whole subject lands squarely in ordinary software engineering: the public-key cryptography protecting today's internet has an expiry date, and the clock is already running even though no code-breaking quantum computer exists yet. This lesson is where the theory becomes a migration ticket.
The false comfort to correct
Play with the deadline
The timeline below has two knobs: the year a code-breaking quantum computer arrives, and how long the data you encrypt today must stay secret. Slide them and watch the red band. That band is your exposure - the years during which recorded traffic can be decrypted before your secrets have gone stale.
Exposed. Anything you encrypt today with RSA or ECC and need secret past 2035 is at risk for 6 years. An adversary can store the ciphertext now and decrypt it the day the machine arrives. Migrate to post-quantum schemes before then.
| Scheme | Family | When quantum arrives |
|---|---|---|
| RSA-2048 | public-key | Broken by Shor |
| ECC (P-256) | public-key | Broken by Shor |
| AES-256 | symmetric | Weakened by Grover, still safe (128-bit effective) |
| ML-KEM (Kyber) | lattice PQC | Quantum-resistant |
| ML-DSA (Dilithium) | lattice PQC | Quantum-resistant |
Which algorithms fall, and which stand
The damage is not uniform, and the split follows exactly the two algorithms you have already met. Shor's algorithm attacks the hidden structure that public-key cryptography is built on. RSA rests on the hardness of factoring; elliptic-curve cryptography rests on a discrete-logarithm problem with the same kind of periodic structure. Shor demolishes both.[1] See the mechanism in Shor's algorithm and the death of RSA.
Symmetric cryptography survives, because it has no such structure to exploit - only Grover's unstructured search applies. Grover turns a brute-force key hunt over keys into about steps, which halves the effective key strength. A 128-bit effective attack on is still hopeless in practice, so AES-256 is fine; you just would not rely on a 128-bit key anymore. The remedy for symmetric crypto is embarrassingly simple: use longer keys.
The replacement for the broken public-key schemes is , or PQC: new public-key algorithms whose hardness rests on problems with no known efficient quantum attack, chiefly structured lattices. In 2024 NIST standardized the first of them - ML-KEM (Kyber) for key exchange and ML-DSA (Dilithium) for signatures.[2] They run on the classical computers you already own; migration is a software project, not a hardware wait.
Harvest now, decrypt later
Where the field actually is
The largest processors today hold on the order of a thousand noisy physical qubits, and error rates are only just crossing the threshold where error correction starts to help. Breaking RSA-2048 with Shor is estimated to need millions of high-quality physical qubits sustained for hours - a gap of several orders of magnitude that nobody knows how to close on a firm timeline.[3] The honest summary: a code-breaking quantum computer is not here, is not obviously near, and yet the harvest-now risk makes migration a present-tense decision for anything that must stay secret into the 2030s and beyond.
def effective_bits(key_bits):
# Grover searches 2^k keys in about 2^(k/2) steps, so the effective
# security is halved. Shor does NOT apply to symmetric ciphers.
return key_bits // 2
for k in (128, 256):
print(f"AES-{k}: {effective_bits(k)}-bit effective security under Grover")
# AES-128 -> 64-bit effective (too weak), AES-256 -> 128-bit (still safe).
# Public-key (RSA, ECC) is a different story: Shor breaks it outright,
# so those get REPLACED by lattice PQC (ML-KEM, ML-DSA), not lengthened.Lock it in
- Shor breaks the public-key schemes that run the internet - RSA and elliptic-curve - by attacking their hidden periodic structure.
- Symmetric ciphers only face Grover, which halves effective key strength, so AES-256 stays secure; the fix there is simply longer keys.
- Lattice-based post-quantum schemes (ML-KEM, ML-DSA), standardized by NIST in 2024, run on today's hardware and resist both attacks.
- Harvest-now-decrypt-later makes migration urgent before any quantum computer exists: data recorded today is exposed the day the machine arrives.
Check yourself
How does a future quantum computer affect AES-256?
Why migrate to post-quantum crypto now, before any code-breaking quantum computer exists?
Recall: what does Shor break, what does Grover only weaken, and what is harvest-now-decrypt-later?
The three facts that turn this subject into an engineering deadline. Try to state it, then check.
Match each scheme or idea to its quantum fate.
broken outright by Shor
only weakened by Grover, still secure
quantum-resistant, standardized by NIST in 2024
why long-lived secrets must migrate before the hardware arrives
Primary source
NIST, Post-Quantum Cryptography projectThe authoritative home for the migration: the standardized algorithms (ML-KEM, ML-DSA), the rationale, and transition guidance. Start here before planning any real move off RSA or elliptic-curve cryptography.
Sources