Part IV · 1 — The quantum threat
All of today's asymmetric cryptography rests on problems that a sufficiently large quantum computer solves. This is not fiction: the algorithm has existed since 1994. The question is when — and the answer requires acting before then.
1.1 Why quantum breaks asymmetric
The security of RSA, Diffie-Hellman, and elliptic curves is computational: it comes from problems (factoring, discrete logarithm) that no classical computer solves in feasible time. A quantum computer changes the game for exactly that class of problems.
- Shor's algorithm (1994) — factors integers and solves discrete logarithms
in polynomial time. This breaks RSA, DH, ECDH, ECDSA, Ed25519 — the entire asymmetric foundation at once. It is not a weakening; it is a total rupture.
1.2 Symmetric only gets a scare
Symmetric cryptography and hashes suffer far less:
- Grover's algorithm (1996) — speeds up brute-force searches, giving a
square-root advantage. In practice, it halves the effective security: AES-128 drops to ~64 bits of margin (uncomfortable), but AES-256 remains at ~128 bits — solid. The same holds for hashes: use 256+ bit outputs.
The recipe for symmetric is simple: double the key size (use AES-256, SHA-384/512). There is no rupture, only a parameter adjustment. The entire crisis is asymmetric.
| Primitive | Quantum algorithm | Effect | Response |
|---|---|---|---|
| RSA / DH / curves | Shor | total break | replace with PQC |
| AES, ChaCha20 | Grover | ½ the margin | use 256 bits |
| SHA-2 / SHA-3 | Grover | ½ the margin | use 256+ bits |
1.3 "Harvest now, decrypt later"
Here is why the urgency is today, even though the relevant quantum computer does not yet exist. An adversary can:
- Capture and archive today all the encrypted traffic it can get.
- Decrypt later, once it has a quantum computer — years in the future.
This is called HNDL (Harvest Now, Decrypt Later). Any data that needs to stay secret for more than a decade — medical records, state secrets, long-lived keys — is already at risk now, because it may be getting archived at this very moment. Long-term confidentiality is the first victim, long before the machine exists.
1.4 When? The uncertain timeline
Nobody knows the date of a "CRQC" (*Cryptographically Relevant Quantum Computer*). Estimates range from one to several decades, and the hardware is still far from the scale (millions of logical qubits, with error correction) that Shor requires in practice. But the decision cannot wait for certainty, for three reasons:
- HNDL already threatens long-lived data today.
- Migrating cryptography takes years in large systems — protocols,
libraries, hardware, standards.
- The risk is asymmetric: migrating early costs effort; migrating too late is
catastrophic and irreversible.
That is why NIST finalized the first post-quantum standards in 2024 and governments set migration deadlines — the topic of the next sections.
Dense reference: Shor, Grover, qubit estimates, and HNDL in
08-post-quantum. Next: The new families — the math that resists quantum and the standards NIST chose.