What "Quantum Computing" Can and Can't Break
Sorting the genuine cryptographic threat from the headline noise

Contents
Every few months a headline announces that quantum computers are about to “break encryption,” usually accompanied by a stock photo of glowing blue circuitry and no explanation of which encryption, broken how, or by when. The honest answer is specific rather than sweeping: quantum computers threaten a particular category of cryptographic algorithm, for a mathematically well-understood reason, and leave a different category almost entirely untouched. Understanding which is which turns a scary headline into a genuinely useful piece of planning.
Two Different Jobs, One Word
Modern cryptography does two structurally different jobs that both get lumped under “encryption” in casual conversation. Symmetric cryptography — AES being the standard example — uses the same shared secret key to both lock and unlock data, and its security rests on the sheer size of the key space: with no shortcut available, guessing the right key among all possible keys is the only way in, and that space is deliberately made astronomically large. Asymmetric (public-key) cryptography — RSA and elliptic-curve systems being the standard examples — uses a mathematically related pair of keys, one public and one private, and its security rests on a specific class of maths problem being extremely hard to solve in reverse: multiplying two huge prime numbers together is fast, but recovering the original two primes from the product alone is, for a classical computer, hard enough to be practically impossible at the key sizes in use today.
That second sentence is exactly where quantum computing changes the picture, and only there.
It’s worth a brief aside on why cryptography specifically dominates the quantum computing headlines, given that the field’s actual research agenda is much broader — molecular simulation for drug and materials discovery, certain classes of optimisation problem, and other niches where a quantum computer’s peculiar strengths align with the problem’s structure. Cryptography gets outsized attention because it’s the one application where “quantum computer becomes capable enough” has an immediate, universal, and easily explained consequence: the padlock icon in a browser stops meaning what everyone assumes it means. Most of the other applications are genuinely exciting to the researchers involved and genuinely uninteresting as a headline, because they don’t come with a built-in doomsday narrative.
The Specific Algorithm Doing the Damage
In 1994, mathematician Peter Shor described an algorithm — since named after him — that a sufficiently capable quantum computer could run to find the prime factors of a large number dramatically faster than any known classical method. Shor’s algorithm doesn’t make computers faster in general; it exploits quantum mechanical properties to solve this one specific class of problem, factoring and the closely related discrete logarithm problem, in a fundamentally different way than a classical processor ever could. Because RSA’s security and elliptic-curve cryptography’s security both rest on problems in that same family, a quantum computer capable of running Shor’s algorithm at a large enough scale could, in principle, recover a private key from its corresponding public key — the exact thing that’s supposed to be practically impossible today.
This is genuinely the headline-worthy part, and it’s worth being precise about why it matters so much: almost every secure connection on the modern internet, from a browser padlock to a VPN handshake to a signed software update, uses asymmetric cryptography at the setup stage to agree on a shared secret before the actual data starts flowing. If the asymmetric layer becomes breakable, the setup stage of nearly everything is affected, even if the actual data afterwards is protected by an unrelated method.
What Isn’t Actually in Danger
Symmetric cryptography is a different story, and this is the part most headlines skip. There’s a separate, much less dramatic quantum algorithm — Grover’s algorithm — that applies to unstructured search problems, including brute-force key guessing against a symmetric cipher like AES. Grover’s algorithm gives a quantum computer a quadratic speed-up on that kind of search, meaning it could search a key space in roughly the square root of the steps a classical computer would need, rather than the full number of steps. That sounds significant until you look at the actual numbers: AES-256 offers 256 bits of security against a classical brute-force search, and a quadratic speed-up against that same key would still leave an attacker facing a search space equivalent to roughly 128 bits of classical security — comfortably beyond anything achievable with any computer, quantum or classical, for the foreseeable future. Doubling a symmetric key’s length essentially cancels Grover’s advantage outright, which is why the practical response to the quantum threat on this side is already this simple: use AES-256 rather than AES-128, and the quantum risk to that layer becomes a rounding error.
So the honest one-line summary is this: quantum computing threatens the public-key handshake that sets up a secure connection, and barely dents the symmetric cipher that actually protects the data once the connection is established.
A Common Mix-Up: Post-Quantum Crypto Isn’t Quantum Key Distribution
Two genuinely different fields get tangled together constantly because they share the word “quantum.” Post-quantum cryptography, described above, is ordinary classical mathematics — new hard problems, run on the same classical computers and classical networks we already have, chosen specifically because they resist attack by a future quantum computer. Nothing about deploying it requires any quantum hardware anywhere in the chain; a standard web server and a standard browser can negotiate a post-quantum key exchange today over an entirely ordinary internet connection.
Quantum key distribution is a completely separate idea: using the physical properties of quantum particles themselves, typically photons sent down a fibre link, to detect eavesdropping on the key exchange in a way that’s provable by physics rather than by mathematical hardness. It requires specialised quantum hardware at both ends and dedicated links, which limits it, in practice, to a handful of high-value point-to-point deployments rather than anything resembling general internet use. When a vendor pitches “quantum-safe” security, it’s worth asking bluntly which of these two they actually mean, because one is a software upgrade you could plausibly roll out across your own infrastructure this year, and the other is a specialised physical installation that isn’t going to replace TLS on the open internet any time soon.
Checking Your Own Exposure
| |
A certificate showing rsaEncryption or an elliptic-curve algorithm as its public key algorithm is using exactly the kind of asymmetric cryptography that Shor’s algorithm threatens once a sufficiently capable quantum computer exists. Checking a symmetric cipher’s strength is a similar exercise against whatever’s negotiating the actual data channel — a TLS session log, a VPN configuration, a disk encryption setup — and the practical question in every case is the same: is the key length already comfortably beyond what a quadratic quantum speed-up could meaningfully dent.
The Timeline That Actually Matters
None of this is an imminent problem in the sense of “a working machine exists today that can break a real-world RSA key.” The quantum computers that exist now are nowhere near the scale, stability, and error-correction quality needed to run Shor’s algorithm against keys of the sizes used in production systems — current devices have, at best, a few hundred noisy physical qubits, and factoring a real 2048-bit RSA key is estimated to require many thousands of stable, error-corrected logical qubits, each of which needs a substantial number of physical qubits to implement reliably. Serious estimates for when that gap closes vary widely and have shifted repeatedly as the field has progressed, which is itself informative: this is a research frontier, not a shipped capability sitting on a shelf somewhere.
The reason this matters for planning today anyway is a different threat entirely: harvest now, decrypt later. An adversary who intercepts and stores encrypted traffic today doesn’t need a working quantum computer this year — they need one at any point before the data stops being sensitive, which for some categories of data (state secrets, some financial and medical records, anything with a multi-decade sensitivity window) is a genuinely long time. For that specific category of long-lived, highly sensitive data, the “not yet” timeline of quantum computing is less reassuring than it sounds, because the attack’s clock started the moment the traffic was captured, not the moment the quantum computer becomes capable.
What’s Actually Being Done About It
Standards bodies have not waited for a working machine to appear before acting. NIST ran a multi-year public process to standardise new public-key algorithms specifically designed to resist both classical and quantum attacks — so-called post-quantum cryptography, built on different maths problems (lattice-based problems, among others) that aren’t known to be vulnerable to Shor’s algorithm or anything like it. These are being rolled into TLS and other protocols already, often as a hybrid approach: a connection negotiates both a traditional algorithm and a post-quantum one simultaneously, so the connection stays secure if either one holds, and only becomes vulnerable if both are broken. That hybrid approach is a deliberately conservative way to hedge against a new class of algorithm that hasn’t had decades of adversarial scrutiny the way RSA and elliptic-curve cryptography have.
Troubleshooting: Separating Signal From Noise
When you see a headline claiming a quantum breakthrough “breaks encryption,” check three things before reacting. First, which algorithm was actually broken — a small, artificially chosen number factored in a lab demonstration is a completely different claim from breaking a real 2048-bit key used in production. Second, whether the claim involves a genuine quantum computer running Shor’s algorithm at meaningful scale, or a classical optimisation, a flawed implementation, or an entirely unrelated side-channel attack being reported under a quantum-sounding headline because it gets more clicks. Third, whether the affected algorithm is symmetric or asymmetric, because the practical response is completely different depending on which one it is.
If you manage systems with genuinely long-lived sensitive data, the practical move today is checking whether your TLS stack and VPN already support a post-quantum or hybrid key exchange option, and enabling it where it’s available, well ahead of any point where it becomes urgent.
The gap between “2048-bit RSA” and “safely beyond quantum reach” is also worth putting in concrete terms. A 2048-bit RSA key offers roughly 112 bits of classical security, which is already comfortably out of reach of any classical brute-force attack — the reason it’s broken by Shor’s algorithm rather than brute force is that factoring, unlike guessing a symmetric key, has a structured mathematical shortcut for a quantum computer to exploit. That’s precisely why doubling a symmetric key’s length is such an effective countermeasure against Grover’s algorithm, while no equivalent simple fix exists for RSA against Shor’s algorithm — the only real fix for the asymmetric side is switching to a different mathematical problem entirely, which is exactly what the post-quantum standards do.
Is the Threat Worth Planning For Now?
For the overwhelming majority of everyday traffic — browsing, most business communication, anything with a short practical shelf life — no meaningful action is needed today beyond the two habits that were already good practice regardless of quantum computing: use AES-256 rather than shorter symmetric keys, and keep your TLS stack current so it picks up post-quantum options as they mature. For the narrower category of genuinely long-lived, highly sensitive data, the harvest-now-decrypt-later risk is real enough to justify moving to hybrid post-quantum key exchange sooner rather than later, specifically because the exposure window started the day the data was first transmitted, not the day a capable quantum computer eventually appears. Either way, the headline “quantum computers can break encryption” deserves the same one-sentence correction every time: they threaten one specific, replaceable layer of it, and a well-understood, well-funded fix for that layer is already being deployed. For the standards work already under way to close this gap, quantum-safe cryptography explained: future-proofing your organisation’s data covers the migration path in more depth, and cert-manager: automated TLS certificates that actually renew is the practical side of keeping your own TLS stack current enough to pick up hybrid key exchange as it matures.




