Quantum Computing Threats to Current Encryption Standards

Quantum computing introduces a class of computational threat that breaks the mathematical assumptions underlying the most widely deployed public-key cryptographic systems in use across government, financial, healthcare, and critical infrastructure networks. This page covers the technical mechanics of those threats, the classification of vulnerable versus resistant algorithms, the regulatory and standards landscape shaping mandatory migration timelines, and the structural tensions that complicate transition planning. The scope is national (US), with primary reference to NIST, NSA, and CISA guidance frameworks.


Definition and scope

Quantum computing threats to encryption refer to the capacity of sufficiently powerful quantum computers to solve, in polynomial time, mathematical problems for which no polynomial-time classical algorithm is known. The two problems at issue are integer factorization (the basis of RSA encryption) and the discrete logarithm problem (the basis of Diffie-Hellman key exchange and elliptic curve cryptography). Both underpin the majority of public-key infrastructure globally.

The scope of vulnerability is not speculative: the algorithms exist, their quantum complexity is established, and the only variable is the availability of a sufficiently fault-tolerant quantum computer with enough logical qubits to execute attacks at operationally meaningful key sizes. The National Security Agency (NSA) formally acknowledged this threat landscape in its 2015 "Commercial National Security Algorithm Suite" announcement and reinforced it with the 2022 "Commercial National Security Algorithm Suite 2.0" (CNSA 2.0), which mandated migration schedules for National Security Systems (NSS) operators (NSA CNSA 2.0).

The National Institute of Standards and Technology (NIST) defines the scope more precisely through its Post-Quantum Cryptography (PQC) standardization program, launched in 2016 and culminating in the August 2024 publication of three finalized standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) (NIST PQC Standards).

Symmetric encryption algorithms such as AES are affected differently and to a lesser degree, addressed in the Classification section below.


Core mechanics or structure

The principal quantum algorithm enabling cryptographic attacks is Shor's algorithm, published by mathematician Peter Shor in 1994. Running on a fault-tolerant quantum computer, Shor's algorithm factors large integers and computes discrete logarithms in polynomial time, specifically O((log N)³) for factoring an integer N (cubic in its bit length). On a classical computer, the best-known algorithm (the General Number Field Sieve) runs in sub-exponential but super-polynomial time, making 2048-bit RSA keys practically unbreakable classically but theoretically solvable in hours by a sufficiently powerful quantum machine.

The quantum mechanical properties enabling this speedup are superposition (a qubit existing in multiple states simultaneously) and entanglement (correlated qubit states enabling parallel computation pathways). The quantum Fourier transform, central to Shor's algorithm, extracts periodicity from modular exponentiation functions — the exact operation underpinning RSA and discrete-log-based systems.
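The following is an added illustration, not code from the page: the classical half of Shor's algorithm run on a toy modulus. The quantum step (the quantum Fourier transform that extracts the period r of a^x mod N) is replaced by a brute-force loop, which is only feasible for tiny N; everything after that (gcd and modular exponentiation, which are polynomial in the bit length) is exactly the post-processing a real run performs, which is why period finding alone is enough to recover the RSA factors. The function names and the sample moduli 15 and 21 are chosen here for illustration.

```python
from math import gcd


def find_period(a: int, n: int) -> int:
    """Return the order r of a modulo n: the smallest r > 0 with a**r % n == 1.

    Brute-force stand-in for the quantum step (QFT over a superposition of
    a**x mod n). Terminates only when gcd(a, n) == 1, which the caller checks.
    """
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(n: int, a: int):
    """Classical post-processing of Shor's algorithm for one base a.

    Returns a pair of non-trivial factors of n, or None when this base gives an
    unusable period (odd r, or a**(r/2) == -1 mod n) and another a must be tried.
    """
    if n < 9 or n % 2 == 0:
        raise ValueError("use an odd composite n >= 9")
    g = gcd(a, n)
    if g != 1:
        return tuple(sorted((g, n // g)))  # base already shares a factor: done
    r = find_period(a, n)
    if r % 2:
        return None                        # odd period carries no square root of 1
    y = pow(a, r // 2, n)                  # y**2 == 1 mod n, so (y-1)(y+1) == 0 mod n
    if y == n - 1:
        return None                        # trivial root: gcds would be 1 and n
    p, q = gcd(y - 1, n), gcd(y + 1, n)
    if p in (1, n) or q in (1, n):
        return None
    return tuple(sorted((p, q)))


def shor_toy(n: int):
    """Try bases a = 2, 3, ... until one period yields factors; returns (a, (p, q))."""
    for a in range(2, n):
        factors = factor_from_period(n, a)
        if factors:
            return a, factors
    return None


if __name__ == "__main__":
    for n in (15, 21, 35):
        a, (p, q) = shor_toy(n)
        print(f"n={n}: base a={a}, period r={find_period(a, n)}, factors {p} x {q}")
```

The point of the toy is the division of labour: the loop in `find_period` is the only part that is exponential classically, and it is precisely the part the quantum Fourier transform replaces.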

A second relevant algorithm is Grover's algorithm, which provides a quadratic speedup for unstructured search problems. Applied to symmetric key search, Grover's algorithm halves the effective security level: a 128-bit AES key provides only 64-bit equivalent post-quantum security, and a 256-bit AES key provides 128-bit equivalent security. This is the specific reason NIST recommends AES-256 as quantum-resistant for symmetric use cases (NIST SP 800-131A Rev 2).

Cryptographic hash functions used in integrity verification and digital signatures face Grover-class speedups but remain secure at output lengths of 384 bits or more (SHA-384, SHA-512) under current quantum threat models.

The feasibility barrier currently lies in qubit count and error rates. Estimates from IBM, Google, and academic researchers suggest that breaking RSA-2048 with Shor's algorithm requires approximately 4,000 logical (error-corrected) qubits — which, accounting for physical-to-logical qubit overhead from error correction codes, may translate to millions of physical qubits. No public system has approached this threshold as of the NIST 2024 finalization cycle.


Causal relationships or drivers

The primary driver accelerating urgency is the harvest now, decrypt later (HNDL) threat model. Adversaries — particularly nation-state actors — can intercept and store encrypted communications today, then decrypt them once sufficiently powerful quantum hardware becomes available. Data with long-term sensitivity (classified communications, medical records, financial instruments, legal records) is exposed even if quantum computers remain years away.

The Cybersecurity and Infrastructure Security Agency (CISA) identified HNDL explicitly in its 2022 "Post-Quantum Cryptography Initiative" (CISA PQC), noting that the migration to post-quantum cryptography must begin immediately given the lead time required for large-scale cryptographic infrastructure replacement.

Secondary drivers include:


Classification boundaries

Quantum threats do not affect all cryptographic primitives equally. Precise classification follows:

Fully broken by Shor's algorithm (quantum computer required):
- RSA (all key sizes — 1024, 2048, 4096-bit)
- Diffie-Hellman key exchange (classical and elliptic curve variants)
- Digital Signature Algorithm (DSA) and ECDSA
- ElGamal encryption

Weakened but not broken by Grover's algorithm (doubling key length mitigates):
- AES-128 (reduced to ~64-bit security; not recommended post-quantum)
- AES-256 (reduced to ~128-bit security; acceptable per NIST)
- SHA-256 (reduced to ~128-bit collision resistance; acceptable for most uses)
- HMAC constructions with SHA-256 or above

Currently assessed as quantum-resistant (NIST-standardized post-quantum):
- ML-KEM (FIPS 203): lattice-based key encapsulation
- ML-DSA (FIPS 204): lattice-based digital signatures
- SLH-DSA (FIPS 205): hash-based digital signatures

Under continued evaluation (NIST Round 4 candidates):
- BIKE, HQC, Classic McEliece (code-based alternatives for key encapsulation)

The post-quantum cryptography landscape distinguishes between algorithm families — lattice-based, hash-based, code-based, and isogeny-based — each with distinct security proof assumptions and performance profiles.


Tradeoffs and tensions

Performance vs. security: NIST's finalized PQC algorithms carry significantly larger key and ciphertext sizes than their classical counterparts. ML-KEM-768 public keys are 1,184 bytes; RSA-2048 public keys are 256 bytes. SLH-DSA signatures range from 8,080 to 49,856 bytes depending on parameter set, versus ECDSA signatures of 64 bytes. This creates bandwidth, latency, and storage tradeoffs in constrained environments such as IoT devices and mobile platforms.

Migration timeline vs. operational continuity: Replacing cryptographic algorithms in legacy systems requires testing, certification, and often hardware replacement — not merely software patching. CNSA 2.0 mandated full transition for NSS by 2033, a timeline that conflicts with the procurement and lifecycle reality of many embedded and industrial systems.

Algorithm confidence vs. deployment urgency: Lattice-based cryptography, which underlies ML-KEM and ML-DSA, has not faced the decades of public cryptanalysis that RSA and ECC have. The mathematical hardness assumptions (Module Learning With Errors — MLWE) are considered sound but have a shorter adversarial track record. SIKE, an isogeny-based candidate included in NIST Round 3, was broken classically in 2022 using a single-core attack — illustrating that novel hardness assumptions carry real risk.

Hybrid schemes: The current industry-standard response to this uncertainty is hybrid cryptography — combining a classical algorithm (e.g., ECDH) with a post-quantum algorithm (e.g., ML-KEM) so that security holds if either primitive remains unbroken. TLS 1.3 extension points support hybrid key exchange. The tension is that hybrid schemes add protocol complexity, increase handshake sizes, and require both algorithm families to be maintained simultaneously during the transition window.
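An added example of the combiner structure just described (this is not code from the page, and not any particular library's implementation): the classical and post-quantum shared secrets are concatenated and fed through HKDF, in the spirit of the IETF TLS hybrid key exchange design, so the derived key depends on both. The label `hybrid-ecdh-mlkem-v1`, the `demo` helper and its sample secrets are constructed for illustration; a real handshake would take the two secrets from X25519 and ML-KEM-768 and bind the actual transcript hash.

```python
import hashlib
import hmac

HASH = hashlib.sha256
SS_LEN = 32  # X25519 and ML-KEM-768 both produce 32-byte shared secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_shared_secret(classical_ss: bytes, pq_ss: bytes, context: bytes,
                         length: int = 32) -> bytes:
    """Concatenate-then-KDF combiner (hypothetical label, constructed for this example).

    The output depends on every bit of both inputs, so recovering one component
    later (e.g. the ECDH secret once Shor-capable hardware exists) does not give
    the key. Fixed input lengths keep the concatenation unambiguous.
    """
    if len(classical_ss) != SS_LEN or len(pq_ss) != SS_LEN:
        raise ValueError(f"shared secrets must be exactly {SS_LEN} bytes")
    prk = hkdf_extract(b"", classical_ss + pq_ss)
    return hkdf_expand(prk, b"hybrid-ecdh-mlkem-v1" + context, length)


def demo() -> dict:
    """Run the combiner on constructed secrets (a real handshake supplies these)."""
    ecdh_ss = hashlib.sha256(b"constructed: x25519 shared secret").digest()
    mlkem_ss = hashlib.sha256(b"constructed: ml-kem-768 shared secret").digest()
    context = hashlib.sha256(b"constructed: handshake transcript").digest()
    key = hybrid_shared_secret(ecdh_ss, mlkem_ss, context)
    # Zeroing one component models its loss: without the other component the
    # derived key is a different, unrelated value.
    return {
        "key": key,
        "without_mlkem": hybrid_shared_secret(ecdh_ss, bytes(SS_LEN), context),
        "without_ecdh": hybrid_shared_secret(bytes(SS_LEN), mlkem_ss, context),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value.hex()}")
```

The extra handshake bytes the page mentions come from carrying both key shares (an X25519 public key plus an ML-KEM-768 public key and ciphertext) on the wire; the combiner itself adds only one HKDF invocation.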


Common misconceptions

Misconception: Quantum computers already threaten today's encryption.
Correction: No publicly known quantum computer has the logical qubit count or error correction fidelity to run Shor's algorithm against RSA-2048 or larger keys. The threat is prospective, not operational — but the HNDL model makes prospective threats operationally urgent now.

Misconception: Upgrading to 4096-bit RSA provides quantum protection.
Correction: RSA-4096 is still fully vulnerable to Shor's algorithm. The polynomial-time complexity of the algorithm scales with key size in ways that remain tractable; a 4096-bit key does not multiply the quantum computing effort by a practically prohibitive factor. NIST does not recommend RSA-4096 as a post-quantum mitigation.

Misconception: AES is quantum-proof.
Correction: AES is Grover-weakened. AES-128 drops to approximately 64-bit effective security against quantum search — below acceptable thresholds. AES-256 retains approximately 128-bit post-quantum security and is considered adequate. The distinction between AES-128 and AES-256 is operationally significant in a post-quantum context in a way it is not classically.

Misconception: Post-quantum cryptography means quantum cryptography (QKD).
Correction: Quantum Key Distribution (QKD) is a separate field using quantum optical channels for key exchange. NIST's PQC standardization program addresses classical-hardware, software-implementable algorithms that are mathematically resistant to quantum attacks — not QKD systems. The two are not interchangeable, and NIST explicitly does not endorse QKD as a federal cryptographic standard (NIST IR 8413).


Checklist or steps (non-advisory)

The following steps describe the cryptographic transition process as structured by NIST, CISA, and NSA migration guidance — presented as a reference sequence, not professional advice.

Phase 1 — Inventory and classification
- [ ] Enumerate all cryptographic algorithms in use across systems, applications, and network infrastructure
- [ ] Identify all uses of RSA, ECDH, ECDSA, DSA, and classical Diffie-Hellman
- [ ] Catalog key sizes, certificate lifetimes, and hardware-bound cryptographic implementations
- [ ] Flag systems with data sensitivity periods exceeding 5 years (HNDL exposure window)
- [ ] Document dependencies on third-party libraries (OpenSSL, BouncyCastle, NSS) for algorithm support status

Phase 2 — Risk prioritization
- [ ] Assign risk tiers based on data sensitivity, exposure duration, and system replaceability
- [ ] Identify systems where encryption key management infrastructure (e.g., HSMs, KMS) limits algorithm agility
- [ ] Assess TLS/SSL protocol versions in deployment for PQC extension readiness

Phase 3 — Migration planning
- [ ] Select target algorithms from NIST FIPS 203/204/205 for each use case
- [ ] Evaluate hybrid scheme requirements for high-assurance or NSS-adjacent systems
- [ ] Identify hardware refresh cycles that align with CNSA 2.0 mandate timelines

Phase 4 — Implementation and validation
- [ ] Replace or update cryptographic libraries to versions supporting ML-KEM and ML-DSA
- [ ] Validate implementations against NIST Cryptographic Algorithm Validation Program (CAVP) test vectors (NIST CAVP)
- [ ] Update certificate issuance pipelines and CA hierarchies
- [ ] Conduct performance testing in constrained environments (IoT, mobile, embedded)

Phase 5 — Documentation and compliance verification
- [ ] Update System Security Plans (SSPs) and Authority to Operate (ATO) documentation
- [ ] Align with FIPS 140 validation requirements for new cryptographic modules
- [ ] Report cryptographic inventory status per OMB M-23-02 requirements (federal agencies)
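Added example, not code from the page or from NIST/CISA guidance: a small inventory classifier that encodes the classification boundaries above (Shor-broken, Grover-weakened, resistant) and the Phase 1 and Phase 2 checklist rules (HNDL exposure beyond a 5-year sensitivity window, hardware-bound keys that limit algorithm agility) and turns a constructed inventory into a prioritized list. The `CryptoUse` record, the tier numbering and the sample systems are assumptions made for this example.

```python
from dataclasses import dataclass

# Threat classes as laid out in the classification boundaries above.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "DSA", "ECDSA", "ELGAMAL"}
GROVER_WEAKENED = {"AES", "SHA-256", "SHA-384", "SHA-512", "HMAC-SHA-256"}
PQC_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA"}

HNDL_WINDOW_YEARS = 5        # Phase 1: flag sensitivity periods longer than this
MIN_POST_QUANTUM_BITS = 128  # Grover-halved strength still considered acceptable


@dataclass
class CryptoUse:
    """One inventory record (hypothetical schema for this example)."""
    system: str
    algorithm: str          # family name, matched against the sets above
    size: int               # key bits, hash output bits, or PQC parameter set
    sensitivity_years: int  # how long the protected data stays sensitive
    hardware_bound: bool    # key held in an HSM/firmware: limits algorithm agility


def threat_class(algorithm: str, size: int) -> str:
    family = algorithm.upper()
    if family in SHOR_BROKEN:
        return "fully broken (Shor)"
    if family in PQC_RESISTANT:
        return "resistant"
    if family in GROVER_WEAKENED:
        effective_bits = size // 2  # quadratic speedup halves the security level
        if effective_bits >= MIN_POST_QUANTUM_BITS:
            return "Grover-weakened, acceptable"
        return "Grover-weakened, insufficient"
    return "unknown, manual review"


def risk_tier(use: CryptoUse) -> int:
    """Phase 2 tiering, 1 = most urgent: Shor-broken plus HNDL exposure first."""
    cls = threat_class(use.algorithm, use.size)
    hndl_exposed = use.sensitivity_years > HNDL_WINDOW_YEARS
    if cls.startswith("fully broken") and hndl_exposed:
        return 1
    if cls.startswith("fully broken") or cls.endswith("insufficient"):
        return 2
    if cls == "resistant":
        return 4
    return 3


def prioritize(inventory):
    rows = []
    for use in inventory:
        rows.append({
            "system": use.system,
            "algorithm": f"{use.algorithm}-{use.size}",
            "threat": threat_class(use.algorithm, use.size),
            "hndl_exposed": use.sensitivity_years > HNDL_WINDOW_YEARS,
            "agility_limited": use.hardware_bound,
            "tier": risk_tier(use),
        })
    # Most urgent tier first; within a tier, hardware-bound uses first because
    # they need a refresh cycle rather than a library update.
    return sorted(rows, key=lambda r: (r["tier"], not r["agility_limited"], r["system"]))


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    CryptoUse("vpn-gateway", "ECDH", 256, 10, True),
    CryptoUse("web-tls", "RSA", 2048, 1, False),
    CryptoUse("archive-backup", "AES", 128, 20, False),
    CryptoUse("log-integrity", "SHA-256", 256, 3, False),
    CryptoUse("pilot-kem", "ML-KEM", 768, 10, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        flags = ("HNDL " if row["hndl_exposed"] else "") + ("HSM" if row["agility_limited"] else "")
        print(f"tier {row['tier']}  {row['system']:15s} {row['algorithm']:12s} {row['threat']:30s} {flags}")
```

In practice the `CryptoUse` records would be populated from certificate stores, TLS configuration and library manifests rather than typed in, but the tiering rules stay the same.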


Reference table or matrix

| Algorithm | Type | Quantum Threat | Classical Security (bits) | Post-Quantum Security (bits) | NIST Status |
|---|---|---|---|---|---|
| RSA-2048 | Asymmetric (KE/Sig) | Fully broken (Shor) | ~112 | 0 | Deprecated for PQC |
| RSA-4096 | Asymmetric (KE/Sig) | Fully broken (Shor) | ~140 | 0 | Deprecated for PQC |
| ECDH P-256 | Key Exchange | Fully broken (Shor) | 128 | 0 | Deprecated for PQC |
| ECDSA P-384 | Digital Signature | Fully broken (Shor) | 192 | 0 | Deprecated for PQC |
| AES-128 | Symmetric | Grover-weakened | 128 | ~64 | Not recommended PQC |
| AES-256 | Symmetric | Grover-weakened | 256 | ~128 | Acceptable (NIST) |
| SHA-256 | Hash | Grover-weakened | 256 (collision) | ~128 | Acceptable for most uses |
| SHA-384 | Hash | Grover-weakened | 384 (collision) | ~192 | Recommended |
| ML-KEM-768 (FIPS 203) | Key Encapsulation | Resistant (MLWE) | | ~128 | NIST Finalized 2024 |
| ML-DSA-65 (FIPS 204) | Digital Signature | Resistant (MLWE) | | ~128 | NIST Finalized 2024 |
| SLH-DSA-128s (FIPS 205) | Digital Signature | Resistant (hash) | | ~128 | NIST Finalized 2024 |
| Classic McEliece | Key Encapsulation | Resistant (code) | | ~128 | NIST Round 4 |
| BIKE | Key Encapsulation | Resistant (code) | | ~128 | NIST Round 4 |

Security estimates based on NIST SP 800-57 Part 1 Rev 5 guidance and NIST PQC project documentation (NIST SP 800-57).

