Quantum Computing Threats to Current Encryption Standards
Quantum computing introduces a category of computational threat that renders foundational cryptographic assumptions obsolete — not through brute force at classical scale, but through fundamentally different algorithmic approaches that exploit quantum mechanical properties. This page maps the threat landscape, identifies which encryption standards are vulnerable and to what degree, describes the regulatory and standards response underway, and clarifies the structural boundaries between quantum-vulnerable and quantum-resistant cryptography. It is relevant to security architects, compliance officers, and procurement professionals evaluating cryptographic posture across federal, healthcare, financial, and enterprise environments.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
The quantum computing threat to encryption is the risk that sufficiently powerful quantum computers will break the mathematical hardness assumptions underlying asymmetric cryptography — specifically integer factorization and discrete logarithm problems — and substantially weaken symmetric encryption through accelerated key search. The threat is not theoretical in origin; it is grounded in published quantum algorithms with proven computational complexity advantages over classical counterparts.
The scope of this threat covers the full surface of deployed public-key infrastructure (PKI): RSA key exchange, Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), and Diffie-Hellman (DH) protocols. These mechanisms underpin TLS/HTTPS, digital certificate chains, code signing, secure email, VPN authentication, and the key negotiation layer of end-to-end encrypted communications. Encryption providers across the professional services sector reflect the breadth of systems relying on these now-challenged foundations.
The National Institute of Standards and Technology (NIST) has formally acknowledged this scope through its Post-Quantum Cryptography (PQC) standardization project, initiated in 2016 and producing its first finalized standards in 2024. The threat also carries a forward-looking operational dimension known as "harvest now, decrypt later" (HNDL): adversaries intercept and store encrypted data today with the intent to decrypt it once capable quantum hardware becomes available, meaning the effective threat window for sensitive long-lived data has already opened.
Core mechanics or structure
The primary quantum attack vector against asymmetric encryption is Shor's algorithm, published by mathematician Peter Shor in 1994. Shor's algorithm factors large integers and solves discrete logarithm problems in polynomial time on a quantum computer — a fundamental departure from the exponential time required by the best classical algorithms. RSA-2048, which derives its security from the presumed infeasibility of factoring a 2,048-bit semiprime, would be broken by a sufficiently large fault-tolerant quantum computer running Shor's algorithm in a matter of hours rather than the billions of years required classically.
The secondary attack vector against symmetric encryption is Grover's algorithm, which provides a quadratic speedup for unstructured search problems. Applied to AES-128, Grover's algorithm reduces the effective key search space from 2¹²⁸ to 2⁶⁴ operations — a reduction that brings AES-128 within range of practical attack. AES-256, however, reduces to 2¹²⁸ effective operations under Grover's attack, retaining an acceptable security margin. This is why NIST SP 800-175B Rev 1 guidance already orients federal systems toward 256-bit symmetric keys as the baseline for quantum-era security.
Hash functions face a similar Grover-based degradation. SHA-256 output collision resistance drops from 128-bit to 64-bit under quantum attack; SHA-384 and SHA-512 retain 192-bit and 256-bit post-quantum security margins respectively. The structural implication is that symmetric and hash-based primitives are repairable through key and output size increases, while public-key systems based on factorization and discrete logarithm require complete algorithmic replacement.
Causal relationships or drivers
Three reinforcing drivers accelerate the urgency of the quantum cryptographic threat:
Hardware progress timelines. IBM's public quantum roadmap documents a progression from 127 physical qubits in 2021 to 1,121 qubits in 2023 (IBM Quantum). Cryptographically relevant attacks on RSA-2048 are estimated to require millions of logical (error-corrected) qubits, a threshold not yet reached — but national intelligence assessments from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) project that cryptographically relevant quantum computers could emerge within 10 to 15 years.
Harvest now, decrypt later operations. State-level adversaries with long-horizon intelligence objectives collect encrypted traffic now for retroactive decryption. Data classified at higher sensitivity levels — national security information, long-term financial records, medical records — faces meaningful exposure under this model. The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) issued in 2022 cites HNDL explicitly as a driver for immediate migration.
Infrastructure replacement lead times. Federal and enterprise cryptographic infrastructure replacement cycles span 5 to 10 years for large-scale PKI and key management systems. NIST's PQC standardization project recognized this lag: the 8-year standardization process (2016–2024) was explicitly timed to provide migration runway before quantum hardware matures. Organizations that begin migration planning only after cryptographically relevant quantum computers appear will have already missed the window for orderly transition.
Classification boundaries
Quantum threats to encryption divide across four structural categories:
Imminently broken (requiring algorithmic replacement): RSA (all key sizes), ECDH, ECDSA, DH, and DSA. Shor's algorithm renders these computationally trivial for a fault-tolerant quantum computer regardless of key length scaling. NIST formally deprecated RSA-2048 and elliptic curve key exchange for use beyond 2030 in the context of quantum migration planning.
Weakened but repairable (requiring key size increases): AES-128 (degraded to ~64-bit security under Grover), SHA-256 (collision resistance reduced to ~64-bit). AES-256 and SHA-384/SHA-512 retain adequate margins under quantum attack without algorithmic change.
Quantum-resistant by design (new NIST PQC standards): NIST finalized three post-quantum standards in August 2024 (FIPS 203, FIPS 204, FIPS 205):
- FIPS 203 — Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM, formerly CRYSTALS-Kyber)
- FIPS 204 — Module-Lattice-Based Digital Signature Algorithm (ML-DSA, formerly CRYSTALS-Dilithium)
- FIPS 205 — Stateless Hash-Based Digital Signature Standard (SLH-DSA, formerly SPHINCS+)
Hybrid transitional schemes: Deployments combining classical and post-quantum algorithms in parallel — for example, X25519 + ML-KEM — to maintain compatibility while introducing quantum resistance. This approach is endorsed in CISA's Post-Quantum Cryptography Initiative guidance as a migration bridge rather than a permanent architecture.
Tradeoffs and tensions
The transition to post-quantum cryptography involves contested engineering tradeoffs that have no clean resolution:
Performance overhead. ML-KEM and ML-DSA produce significantly larger key and signature sizes than their classical counterparts. ML-DSA signatures are approximately 2,420 bytes compared to 64 bytes for an ECDSA P-256 signature. For high-throughput systems processing millions of transactions per second, this overhead introduces latency and bandwidth costs that require hardware or protocol-layer mitigation.
Algorithm confidence versus deployment urgency. NIST's finalized PQC standards are mathematically rigorous but lack the decades of adversarial cryptanalysis that validate RSA and AES. A vulnerability discovered in ML-KEM or ML-DSA after widespread deployment would require another migration cycle under worse time pressure. Hybrid schemes hedge this risk but compound implementation complexity.
Standardization fragmentation. Outside the NIST framework, the Internet Engineering Task Force (IETF) is standardizing PQC integration into TLS 1.3, SSH, and X.509 certificates through working groups including TLS and LAMPS. The European Telecommunications Standards Institute (ETSI) has published parallel quantum-safe cryptography specifications. Divergent international standards create interoperability friction for multinational organizations managing cross-border encrypted communications.
Migration prioritization conflicts. CISA and NSA prioritize migration of systems handling national security information, critical infrastructure, and long-lived sensitive data. Commercial organizations face pressure to demonstrate quantum readiness for regulatory and procurement purposes before technical urgency strictly demands it, which creates resource allocation tension with other security investments.
Common misconceptions
Misconception: Quantum computers already break encryption.
Correction: No publicly known quantum computer has broken any deployed cryptographic algorithm. Current quantum hardware operates with high error rates and insufficient qubit counts for cryptographically relevant attacks. IBM's 1,121-qubit system announced in 2023 remains orders of magnitude below the millions of fault-tolerant logical qubits required to run Shor's algorithm against RSA-2048.
Misconception: Doubling RSA key size provides quantum resistance.
Correction: Shor's algorithm scales polynomially — not exponentially — with key size. Moving from RSA-2048 to RSA-4096 provides negligible additional protection against a quantum attack; the algorithm's polynomial complexity means a quantum computer capable of breaking RSA-2048 requires only marginally more resources to break RSA-4096. Key size increases are not a viable migration path for RSA.
Misconception: AES-256 is fully broken by quantum computers.
Correction: Grover's algorithm reduces AES-256 to approximately 128-bit security, which NIST and NSA consider an acceptable post-quantum security level. AES-256 is explicitly endorsed in CNSA 2.0 as a quantum-resistant symmetric cipher for national security systems, requiring no replacement.
Misconception: Post-quantum cryptography means quantum key distribution (QKD).
Correction: QKD is a physics-based key distribution mechanism using quantum channels — it is not a drop-in replacement for PKI and requires specialized hardware infrastructure. NIST's PQC project specifically addresses mathematical (software-implementable) algorithms that can replace classical public-key cryptography without quantum hardware. NSA has stated that it does not endorse QKD for protecting national security systems due to implementation and scalability limitations.
Misconception: Only government systems need to migrate.
Correction: HNDL attacks target any encrypted data with long-term sensitivity — financial records, medical histories, intellectual property, legal communications. CISA's post-quantum guidance explicitly addresses private sector critical infrastructure operators including energy, financial services, and healthcare, not only federal agencies.
Checklist or steps (non-advisory)
Cryptographic inventory and exposure assessment
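As an added example (not part of this page or of any cited standard), the following Python classifies a constructed cryptographic inventory by the structural categories above and applies the timeline figures from the drivers section to flag harvest-now, decrypt-later exposure: data encrypted before migration completes is exposed when migration lead time plus data shelf life exceeds the projected arrival of a cryptographically relevant quantum computer. The horizon values, CSV layout and system names are assumptions chosen for illustration.

```python
import csv
import io

# Families from the page's classification boundaries (constructed lookup).
SHOR_BROKEN = {"RSA", "ECDH", "ECDSA", "DH", "DSA"}
GROVER_WEAK = {"AES-128", "SHA-256"}
ADEQUATE = {"AES-256", "SHA-384", "SHA-512", "ML-KEM", "ML-DSA", "SLH-DSA"}

# Planning inputs taken from the page (assumed values for the calculation):
# CRQC projected in 10-15 years; PKI replacement cycles run 5-10 years.
CRQC_YEARS = 10       # pessimistic (earliest) end of the estimate
MIGRATION_YEARS = 5   # optimistic (shortest) end of the estimate


def classify(algorithm):
    """Map an algorithm family to the page's four structural categories."""
    if "+" in algorithm:                  # e.g. "X25519 + ML-KEM"
        return "hybrid-transitional"
    if algorithm in SHOR_BROKEN:
        return "broken-replace"
    if algorithm in GROVER_WEAK:
        return "weakened-resize"
    if algorithm in ADEQUATE:
        return "adequate"
    return "unknown"


def hndl_exposed(category, shelf_life, migration=MIGRATION_YEARS, crqc=CRQC_YEARS):
    """HNDL exposure for a Shor-broken primitive: the last data encrypted before
    migration finishes (year `migration`) must stay secret until
    migration + shelf_life; if a CRQC can exist by then, it is exposed."""
    if category != "broken-replace":
        return False
    return migration + shelf_life > crqc


def assess(inventory_csv):
    """Parse a CSV inventory and annotate each row with category and exposure."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        category = classify(row["algorithm"])
        years = int(row["shelf_life_years"])
        results.append({"system": row["system"], "category": category,
                        "hndl_exposed": hndl_exposed(category, years)})
    return results


# Constructed sample inventory; names and figures are illustrative only.
SAMPLE = """system,algorithm,shelf_life_years
vpn-gateway,ECDH,2
records-archive,RSA,20
backup-at-rest,AES-128,20
tls-edge,X25519 + ML-KEM,5
"""

if __name__ == "__main__":
    for entry in assess(SAMPLE):
        print(entry)
```

Swapping CRQC_YEARS for the 15-year end of the estimate, or MIGRATION_YEARS for 10, shows how sensitive the exposure verdict is to which end of each range an organization plans against.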
Reference table or matrix
| Algorithm / Standard | Type | Quantum Attack | Quantum Vulnerability | Post-Quantum Recommendation |
|---|---|---|---|---|
| RSA-2048 | Asymmetric (key exchange, signatures) | Shor's algorithm | Fully broken | Replace with ML-KEM (FIPS 203) / ML-DSA (FIPS 204) |
| RSA-4096 | Asymmetric (key exchange, signatures) | Shor's algorithm | Fully broken (marginal improvement only) | Replace with ML-KEM / ML-DSA |
| ECDH / ECDSA (P-256) | Asymmetric (key exchange, signatures) | Shor's algorithm | Fully broken | Replace with ML-KEM / ML-DSA |
| DH / DSA (2048-bit) | Asymmetric (key exchange, signatures) | Shor's algorithm | Fully broken | Replace with ML-KEM / ML-DSA |
| AES-128 | Symmetric | Grover's algorithm | Weakened (~64-bit security) | Upgrade to AES-256 |
| AES-256 | Symmetric | Grover's algorithm | Acceptable (~128-bit security) | Retain; endorsed in CNSA 2.0 |
| SHA-256 | Hash | Grover's algorithm | Collision resistance ~64-bit | Upgrade to SHA-384 or SHA-512 where margins are critical |
| SHA-384 | Hash | Grover's algorithm | Collision resistance ~192-bit | Retain |
| SHA-512 | Hash | Grover's algorithm | Collision resistance ~256-bit | Retain |
| ML-KEM (FIPS 203) | Post-quantum key encapsulation | None known | Quantum-resistant | NIST primary recommendation for key exchange |
| ML-DSA (FIPS 204) | Post-quantum digital signatures | None known | Quantum-resistant | NIST primary recommendation for signatures |
| SLH-DSA (FIPS 205) | Post-quantum digital signatures (hash-based) | None known | Quantum-resistant | NIST alternative signature standard |
| X25519 + ML-KEM (hybrid) | Transitional hybrid key exchange | Partial (classical component breakable) | Transitional protection | CISA-endorsed migration bridge |
Sources: NIST PQC Finalized Standards 2024; NSA CNSA 2.0; CISA Post-Quantum Cryptography Initiative