
The Lock on Everything
Every time you visit a website over HTTPS, send an encrypted message, or make a payment online, your security rests on a mathematical assumption: that factoring large numbers into their prime components is computationally hard.
RSA encryption — the backbone of internet security for forty years — works because multiplying two 1024-bit prime numbers together takes milliseconds, but reversing the operation (finding those primes from the product) takes longer than the age of the universe on classical hardware.
That assumption holds against classical computers. It does not hold against a sufficiently powerful quantum computer running Shor's Algorithm.
Shor's Algorithm: The Specific Threat
In 1994, Peter Shor — then at Bell Labs — published a quantum algorithm for integer factorisation that runs in polynomial time. On a classical computer, factoring an n-bit number scales exponentially with n. On a quantum computer running Shor's algorithm, it scales roughly as n³ — a qualitative difference that makes large-number factoring tractable.
A quantum algorithm that finds the prime factors of an integer N in O((log N)³) time. It works by converting factoring into a period-finding problem, which quantum computers solve efficiently using the quantum Fourier transform.
The same mathematical structure that underlies RSA — the difficulty of the discrete logarithm problem — also underlies Elliptic Curve Cryptography (ECC), the algorithm protecting most modern TLS connections, SSH keys, and cryptocurrency wallets. Shor's algorithm breaks both.
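The reduction from factoring to period finding is easier to see in code than in prose. The following is an added example, not code from the original article: it implements Shor's classical post-processing (turning the period r of a^x mod N into a factor via gcd) and stands in for the quantum step with a brute-force order search. That search is exponential in the size of N and only feasible for toy moduli; replacing it with the quantum Fourier transform is precisely what gives Shor's algorithm its polynomial running time. All function names here are the example's own.

```python
from math import gcd


def find_order(a: int, n: int) -> int:
    """Brute-force the multiplicative order r of a modulo n, i.e. the
    smallest r > 0 with a^r == 1 (mod n). This is the step a quantum
    computer performs with the quantum Fourier transform; here it is an
    exhaustive search, which is exponential in the bit-length of n and
    therefore only usable for tiny n (assumes gcd(a, n) == 1)."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_via_period(n: int, a: int):
    """Shor's classical post-processing for one base a.

    Given the period r of f(x) = a^x mod n, a^(r/2) is a square root of 1
    modulo n; if it is a non-trivial one, gcd(a^(r/2) - 1, n) or
    gcd(a^(r/2) + 1, n) is a proper factor. Returns None when this base
    fails (odd r, or a^(r/2) == -1 mod n); a random base fails with
    probability at most 1/2, so a few retries suffice."""
    g = gcd(a, n)
    if g != 1:
        return g                      # a already shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None                   # odd period: no square root of 1
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                   # trivial square root: try another a
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_classical(n: int):
    """Try successive bases until one yields a factor; returns (p, q)
    with p <= q, or None if n has no non-trivial factor."""
    for a in range(2, n):
        f = factor_via_period(n, a)
        if f:
            return tuple(sorted((f, n // f)))
    return None


if __name__ == "__main__":
    # Constructed toy moduli: products of two small primes.
    for n in (15, 21, 91):
        print(n, "=", shor_classical(n))
```

The `range(2, n)` loop makes the demonstration deterministic; a real run picks bases at random. Every piece of this is classical and public; the only quantum ingredient the article describes is the order-finding step, which is what the caveat about logical qubits below refers to.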
The critical caveat: breaking RSA-2048 is estimated to require roughly 4,000 logical qubits running fault-tolerant operations. Current systems have hundreds of physical qubits with error rates far too high for Shor's algorithm to work. We are likely a decade or more away from a machine that can execute the attack.
Likely. Not certainly.
The "Harvest Now, Decrypt Later" Problem
The timeline gap creates a subtler, more immediate risk.
An adversary today — a state actor or well-resourced attacker — can collect encrypted traffic and store it. They cannot decrypt it today. But the moment a sufficiently powerful quantum computer exists, every historical message encrypted with RSA or ECC becomes readable.
Why this matters now
Communications that need to remain secret for 20+ years — classified government documents, long-term business contracts, medical records — are already at risk from harvest-now-decrypt-later attacks. Any data encrypted today with classical algorithms and stored by an adversary may eventually be decrypted. The migration to quantum-resistant cryptography needs to start before the threat is realised.
Security experts call this the "Y2Q" problem: not a cliff, but a slope. The transition needs to begin immediately even though the threat is not yet active.
Post-Quantum Cryptography
The response from the cryptographic community has been systematic. In 2016, NIST (the US National Institute of Standards and Technology) launched a competition to standardise post-quantum cryptographic algorithms. In August 2024, after eight years of analysis, NIST published the first three finalised standards.
The leading approach — and the one NIST standardised first — is lattice-based cryptography. The security of lattice schemes rests on the hardness of finding short vectors in high-dimensional mathematical lattices. No quantum algorithm is known to solve this efficiently.
CRYSTALS-Kyber (now FIPS 203) handles key encapsulation — establishing shared secrets. CRYSTALS-Dilithium (now FIPS 204) handles digital signatures. Both are lattice-based and are already being deployed in major software: Google Chrome added support in 2023, and Cloudflare began offering post-quantum TLS the same year.
Hash-based signatures (SPHINCS+, now FIPS 205) offer a more conservative alternative: their security rests only on the collision-resistance of cryptographic hash functions, which quantum computers can weaken but not break entirely.
Code-based cryptography — descending from Robert McEliece's 1978 scheme — has resisted cryptanalysis for 46 years and survived the NIST competition, though its large key sizes limit practical deployment.
Quantum Key Distribution: A Different Approach
Post-quantum cryptography solves the problem computationally — designing algorithms hard for quantum computers to attack. Quantum Key Distribution (QKD) takes a different route: using quantum mechanics itself as the security primitive.
In the BB84 protocol, Alice sends Bob a stream of photons polarised in randomly chosen bases. Bob measures them in randomly chosen bases. After transmission, they compare bases over a classical channel and keep only the measurements where they chose the same basis — this becomes the shared secret key.
Any eavesdropper who intercepts and measures the photons must choose a basis for measurement. When they choose wrong, they disturb the photon's state in a detectable way. Alice and Bob can detect the eavesdropping by sacrificing a subset of their key and checking the error rate.
A method of distributing cryptographic keys using quantum mechanical principles. Security is guaranteed by physics — specifically, the no-cloning theorem and the disturbance caused by measurement — rather than by computational hardness assumptions.
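The sifting and eavesdropper-detection steps above can be simulated classically. The following is an added example, not part of the original article: it models BB84 with an intercept-and-resend eavesdropper, applies the public basis comparison, sacrifices a fraction of the sifted key to estimate the quantum bit error rate (QBER), and aborts when that rate exceeds a threshold. The 11% abort threshold and the 25% sacrifice fraction are illustrative parameters chosen for this example; the two-outcome "wrong basis gives a random bit" rule is the idealised measurement model with no channel noise or detector loss.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two polarisation bases used in BB84


def send_and_measure(n_photons, eavesdrop, rng):
    """One BB84 transmission. Alice prepares each photon as a random bit in
    a random basis; Bob measures in his own random basis. Measuring in the
    wrong basis yields a random bit and leaves the photon re-prepared in the
    measuring basis. An intercept-and-resend eavesdropper (Eve) is modelled
    the same way, which is the disturbance that later shows up as errors."""
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]
    bob_bases = [rng.choice((RECTILINEAR, DIAGONAL)) for _ in range(n_photons)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            eve_basis = rng.choice((RECTILINEAR, DIAGONAL))
            if eve_basis != basis:
                bit = rng.randrange(2)     # wrong basis: outcome is random
            basis = eve_basis              # photon is re-sent in Eve's basis
        bob_bits.append(bit if bob_basis == basis else rng.randrange(2))
    return alice_bits, alice_bases, bob_bits, bob_bases


def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Public basis comparison over the classical channel: keep only the
    positions where Alice's and Bob's bases matched."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_error_rate(alice_key, bob_key, sample_fraction, rng):
    """Sacrifice a random subset of the sifted key, compare it in the clear,
    and return (error_rate, alice_remaining, bob_remaining)."""
    n = len(alice_key)
    sample = set(rng.sample(range(n), int(n * sample_fraction)))
    errors = sum(1 for i in sample if alice_key[i] != bob_key[i])
    error_rate = errors / len(sample) if sample else 0.0
    alice_rest = [alice_key[i] for i in range(n) if i not in sample]
    bob_rest = [bob_key[i] for i in range(n) if i not in sample]
    return error_rate, alice_rest, bob_rest


def run_bb84(n_photons, eavesdrop, seed=0, sample_fraction=0.25, threshold=0.11):
    """Full run: transmit, sift, estimate QBER, abort above the threshold.
    Returns the sifted length, the measured error rate, the abort decision,
    the length of key that survives, and whether the surviving keys agree."""
    rng = random.Random(seed)
    a_bits, a_bases, b_bits, b_bases = send_and_measure(n_photons, eavesdrop, rng)
    a_key, b_key = sift(a_bits, a_bases, b_bits, b_bases)
    qber, a_rest, b_rest = estimate_error_rate(a_key, b_key, sample_fraction, rng)
    detected = qber > threshold
    return {
        "sifted_length": len(a_key),
        "qber": qber,
        "eavesdropper_detected": detected,
        "key_length": 0 if detected else len(a_rest),
        "keys_agree": a_rest == b_rest,
    }


if __name__ == "__main__":
    for eve in (False, True):
        label = "intercept-and-resend" if eve else "clean channel"
        print(label, run_bb84(4000, eve, seed=1))
```

On a clean channel the sifted keys agree exactly and about half the photons survive sifting. With Eve intercepting every photon, she guesses the wrong basis half the time and Bob then reads a random bit, so roughly a quarter of the sifted bits are wrong: a QBER far above any plausible noise floor, which is what lets Alice and Bob abort before using the key. Real deployments also run error correction and privacy amplification on the surviving bits, which this example omits.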
QKD's limitation is practical: it requires a dedicated optical channel (typically fibre or free-space), currently has distance limits of a few hundred kilometres without quantum repeaters, and is expensive to deploy. It complements rather than replaces post-quantum cryptography.
The Migration Ahead
Moving the internet's cryptographic infrastructure is one of the largest coordinated engineering efforts in history. Billions of devices, millions of servers, and decades of embedded systems all need updated cryptographic libraries.
The good news: the hard work of standardisation is done. CRYSTALS-Kyber and CRYSTALS-Dilithium are finalised. Major cloud providers, browser vendors, and operating system developers have begun or completed integration. The HTTPS ecosystem — which replaced HTTP across most of the web in under a decade — provides a precedent for how fast cryptographic transitions can move when there is clear community alignment.
The bad news: critical infrastructure moves slower. Industrial control systems, embedded devices, and legacy financial systems may take decades to migrate, and many cannot be updated at all.
The quantum computer that breaks RSA does not yet exist. But the decisions made in the next few years — about which algorithms to deploy, which systems to prioritise, which data to protect — will determine how exposed the digital world is when that machine eventually arrives.
The time to upgrade a lock is before the key is found.
By Quantum Wallah