Skip to content

The Frontier

The state of the field and post-quantum crypto

Where QC really is, and why to migrate crypto now

Strip away the press releases and one consequence of this whole subject lands squarely in ordinary software engineering: the public-key cryptography protecting today's internet has an expiry date, and the clock is already running even though no code-breaking quantum computer exists yet. This lesson is where the theory becomes a migration ticket.

The false comfort to correct

The natural thought is: "No quantum computer can break RSA today, so my encrypted data is safe today, and I can migrate whenever the hardware actually shows up." That reasoning has a hole. An adversary can record your encrypted traffic now and simply store it, then decrypt it years later once a quantum computer arrives. Anything that must stay secret for a decade is effectively exposed the moment it is captured. The deadline is not when the machine is built - it is now, minus your secrecy horizon.

Play with the deadline

The timeline below has two knobs: the year a code-breaking quantum computer arrives, and how long the data you encrypt today must stay secret. Slide them and watch the red band. That band is your exposure - the years during which recorded traffic can be decrypted before your secrets have gone stale.

Set when a code-breaking quantum computer arrives and how long today's data must stay secret. When the secrecy horizon reaches past that arrival, the red band is your exposure: data captured now, decrypted later.
today2026
quantum arrives2035
secret until2041

Exposed. Anything you encrypt today with RSA or ECC and need secret past 2035 is at risk for 6 years. An adversary can store the ciphertext now and decrypt it the day the machine arrives. Migrate to post-quantum schemes before then.

SchemeFamilyWhen quantum arrives
RSA-2048public-keyBroken by Shor
ECC (P-256)public-keyBroken by Shor
AES-256symmetricWeakened by Grover, still safe (128-bit effective)
ML-KEM (Kyber)lattice PQCQuantum-resistant
ML-DSA (Dilithium)lattice PQCQuantum-resistant

Which algorithms fall, and which stand

The damage is not uniform, and the split follows exactly the two algorithms you have already met. Shor's algorithm attacks the hidden structure that public-key cryptography is built on. RSA rests on the hardness of factoring; elliptic-curve cryptography rests on a discrete-logarithm problem with the same kind of periodic structure. Shor demolishes both.[1] See the mechanism in Shor's algorithm and the death of RSA.

Symmetric cryptography survives, because it has no such structure to exploit - only Grover's unstructured search applies. Grover turns a brute-force key hunt over keys into about steps, which halves the effective key strength. A 128-bit effective attack on is still hopeless in practice, so AES-256 is fine; you just would not rely on a 128-bit key anymore. The remedy for symmetric crypto is embarrassingly simple: use longer keys.

The replacement for the broken public-key schemes is , or PQC: new public-key algorithms whose hardness rests on problems with no known efficient quantum attack, chiefly structured lattices. In 2024 NIST standardized the first of them - ML-KEM (Kyber) for key exchange and ML-DSA (Dilithium) for signatures.[2] They run on the classical computers you already own; migration is a software project, not a hardware wait.

Harvest now, decrypt later

The reason this is urgent despite no quantum computer existing is . Ciphertext is cheap to store. An adversary records your RSA-protected traffic today and waits. The day a capable machine exists, every recording whose secret has not yet expired is opened at once. That is why the honest recommendation is to migrate long-lived secrets to PQC before the hardware arrives, not after.[3]

Where the field actually is

The largest processors today hold on the order of a thousand noisy physical qubits, and error rates are only just crossing the threshold where error correction starts to help. Breaking RSA-2048 with Shor is estimated to need millions of high-quality physical qubits sustained for hours - a gap of several orders of magnitude that nobody knows how to close on a firm timeline.[3] The honest summary: a code-breaking quantum computer is not here, is not obviously near, and yet the harvest-now risk makes migration a present-tense decision for anything that must stay secret into the 2030s and beyond.

def effective_bits(key_bits):
    # Grover searches 2^k keys in about 2^(k/2) steps, so the effective
    # security is halved. Shor does NOT apply to symmetric ciphers.
    return key_bits // 2

for k in (128, 256):
    print(f"AES-{k}: {effective_bits(k)}-bit effective security under Grover")

# AES-128 -> 64-bit effective (too weak), AES-256 -> 128-bit (still safe).
# Public-key (RSA, ECC) is a different story: Shor breaks it outright,
# so those get REPLACED by lattice PQC (ML-KEM, ML-DSA), not lengthened.
Grover halves symmetric strength; the fix is longer keys

Lock it in

  • Shor breaks the public-key schemes that run the internet - RSA and elliptic-curve - by attacking their hidden periodic structure.
  • Symmetric ciphers only face Grover, which halves effective key strength, so AES-256 stays secure; the fix there is simply longer keys.
  • Lattice-based post-quantum schemes (ML-KEM, ML-DSA), standardized by NIST in 2024, run on today's hardware and resist both attacks.
  • Harvest-now-decrypt-later makes migration urgent before any quantum computer exists: data recorded today is exposed the day the machine arrives.

Check yourself

How does a future quantum computer affect AES-256?

Why migrate to post-quantum crypto now, before any code-breaking quantum computer exists?

Recall: what does Shor break, what does Grover only weaken, and what is harvest-now-decrypt-later?

The three facts that turn this subject into an engineering deadline. Try to state it, then check.

Match each scheme or idea to its quantum fate.

drop here

broken outright by Shor

drop here

only weakened by Grover, still secure

drop here

quantum-resistant, standardized by NIST in 2024

drop here

why long-lived secrets must migrate before the hardware arrives

Primary source

NIST, Post-Quantum Cryptography project

The authoritative home for the migration: the standardized algorithms (ML-KEM, ML-DSA), the rationale, and transition guidance. Start here before planning any real move off RSA or elliptic-curve cryptography.

Sources

  1. 1.NIST, Post-Quantum Cryptography project
  2. 2.NIST, FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA), the first PQC standards (2024)
  3. 3.Scott Aaronson, Shtetl-Optimized blog