The Quantum Threat & Why It Matters Now

A sufficiently powerful quantum computer will break the public-key cryptography securing today's internet. The attack on your historical data has already begun.

01 · The Quantum Threat

Why Quantum Breaks Today's Cryptography

Public-key cryptography rests on mathematical problems that are hard for classical computers but solvable in polynomial time by quantum ones. Two algorithms, both decades old, define the threat.

1994 · Peter Shor
Shor's Algorithm
Solves integer factorisation and the discrete logarithm problem, including its elliptic-curve form, in polynomial time on a quantum computer. The presumed hardness of exactly these problems is the mathematical foundation of RSA, ECC, ECDSA, EdDSA and Diffie-Hellman key exchange. A sufficiently large quantum computer running Shor's algorithm breaks all of them.
1996 · Lov Grover
Grover's Algorithm
Provides a quadratic speedup for unstructured search, so brute-forcing an n-bit symmetric key costs roughly 2^(n/2) quantum operations instead of 2^n. On paper AES-128 drops to ~64-bit security, which is why the standard advice is to move to AES-256, which keeps ~128 bits. Grover's iterations cannot be parallelised efficiently, so the practical speedup is smaller than this idealised figure: it weakens symmetric cryptography, it does not break it. Hash preimage resistance is reduced in the same way; collision resistance is affected less.
CRQC · Hardware Threshold
Cryptographically Relevant Quantum Computer
The NSA's term for a quantum computer powerful enough to break current public-key cryptography. Resource estimates for breaking RSA-2048 call for roughly 4,000 logical qubits, which translates to millions of physical qubits at current error rates. Today's leading systems have on the order of 1,000 noisy physical qubits and no fault-tolerant logical qubits at that scale. The gap is closing.
Active Threat Today
Harvest Now, Decrypt Later (HNDL)
Encrypted data captured today can be stored and decrypted once a CRQC becomes available. Bulk capture of internet traffic by state actors is documented. Any organisation with data that must remain confidential for more than a decade is therefore already under attack, and it will not know until the keys break.
02 · Inventory

What Breaks, What Weakens, What Survives

Not all cryptography is equally exposed. Symmetric algorithms survive with larger keys; public-key cryptography is the catastrophic failure.

Broken by Shor's Algorithm
RSA (all key sizes): integer factorisation
ECC / ECDSA / ECDH: elliptic curve discrete logarithm
Diffie-Hellman (DH/DHE): discrete logarithm
DSA: discrete logarithm
EdDSA (Ed25519, Ed448): elliptic curve discrete logarithm
ElGamal: discrete logarithm

Survives With Larger Keys
AES-256: quantum-safe as-is (~128-bit security under Grover)
AES-128: upgrade to AES-256
ChaCha20 (256-bit key): quantum-safe as-is
SHA-256 / SHA-3: reduced margin, still secure
HMAC / Poly1305: inherits the security of the underlying hash or key
3DES, MD5, SHA-1: already deprecated for classical reasons; retire regardless of quantum

The asymmetry matters strategically. Symmetric crypto migration is a key-size policy change — relatively trivial. Public-key migration requires replacing the algorithms themselves, rebuilding certificate chains, refreshing hardware tokens, and re-architecting protocols. This is where the cost and risk live.
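A first-pass inventory usually starts from what servers and clients actually negotiate. The script below is an added example, not code from the original briefing: it classifies TLS cipher-suite names in both OpenSSL and IANA spellings against the table above, treating any (EC)DH or RSA key exchange as Shor-broken with immediate harvest-now-decrypt-later exposure, 128-bit ciphers as Grover-weakened, and 3DES/SHA-1/MD5 suites as legacy. For TLS 1.3, whose suite names say nothing about key exchange, it judges the supplied supported-groups list instead. The suite list and groups list are constructed sample input; the token sets, the hybrid group names and the category labels are assumptions made for the illustration.

```python
"""Classify TLS cipher suites by quantum exposure for a first-pass crypto inventory.

Added example for the inventory table above, not code from the original briefing.
Rules encode that table: Shor breaks every asymmetric key-exchange and signature
algorithm, Grover halves symmetric and hash margins, 3DES/SHA-1/MD5 are already
deprecated. Token sets, group names and category labels are assumptions.
"""
import re
from collections import Counter

KEX_BROKEN = {"ECDHE", "ECDH", "DHE", "DH", "EDH"}             # Shor: discrete log
AUTH_BROKEN = {"RSA", "ECDSA", "DSS"}                           # Shor: factoring / discrete log
CIPHER_SAFE = {"AES256", "CHACHA20", "CAMELLIA256"}            # ~128-bit left under Grover
CIPHER_UPGRADE = {"AES128", "CAMELLIA128"}                     # ~64-bit left under Grover
LEGACY = {"3DES", "DES", "RC4", "MD5", "SHA", "NULL", "EXP", "ADH", "AECDH"}  # retire anyway
# TLS 1.3 suite names carry only the record protection; the key exchange comes
# from supported_groups, so it is judged from that list instead of the name.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}
# Hybrid / pure ML-KEM group names as spelled by OpenSSL 3.5 (assumption).
PQ_GROUPS = {"X25519MLKEM768", "SECP256R1MLKEM768", "SECP384R1MLKEM1024",
             "MLKEM512", "MLKEM768", "MLKEM1024"}


def tokenise(suite: str) -> list[str]:
    """Map OpenSSL ('ECDHE-RSA-AES128-GCM-SHA256') and IANA
    ('TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256') spellings to the same tokens."""
    name = suite.upper()
    if name.startswith("TLS_"):
        name = name[4:]
    name = name.replace("_WITH_", "_").replace("_", "-")
    name = re.sub(r"(AES|CAMELLIA)-(\d+)", r"\1\2", name)     # AES-128 -> AES128
    name = name.replace("3DES-EDE-CBC", "3DES").replace("DES-CBC3", "3DES")
    return [t for t in name.split("-") if t]


def classify(suite: str, tls13_groups: tuple[str, ...] = ()) -> dict[str, str]:
    """Per-component verdicts plus an overall category for one suite."""
    tokens = tokenise(suite)
    tset = set(tokens)
    v = {"suite": suite}
    if suite.upper() in TLS13_SUITES:
        pq = sorted(g for g in (x.upper() for x in tls13_groups) if g in PQ_GROUPS)
        v["key_exchange"] = (f"hybrid post-quantum available ({', '.join(pq)})" if pq else
                             "classical (EC)DH groups only: broken by Shor, HNDL exposure now")
        # Certificate signatures (RSA/ECDSA/EdDSA) also fall to Shor, but a signature
        # only has to hold at handshake time, so there is no retroactive exposure.
        v["authentication"] = "certificate signature: broken by Shor, no retroactive risk"
        kex_ok = bool(pq)
    else:
        kex = [t for t in tokens if t in KEX_BROKEN] or ["RSA key transport"]
        auth = [t for t in tokens if t in AUTH_BROKEN] or ["RSA"]
        v["key_exchange"] = f"{'/'.join(kex)}: broken by Shor, HNDL exposure now"
        v["authentication"] = f"{'/'.join(auth)}: broken by Shor"
        kex_ok = False
    if tset & CIPHER_SAFE:
        v["cipher"] = f"{min(tset & CIPHER_SAFE)}: quantum-safe as-is (~128-bit under Grover)"
    elif tset & CIPHER_UPGRADE:
        v["cipher"] = f"{min(tset & CIPHER_UPGRADE)}: ~64-bit under Grover, move to a 256-bit key"
    else:
        v["cipher"] = "legacy or unrecognised cipher"
    v["integrity"] = ("SHA-1 or MD5: already deprecated" if tset & {"SHA", "MD5"}
                      else "SHA-2 / Poly1305: reduced margin, still secure")
    if tset & LEGACY:
        v["category"] = "legacy"        # retire for classical reasons, quantum aside
    elif not kex_ok:
        v["category"] = "broken-kex"    # confidentiality exposed to HNDL today
    elif tset & CIPHER_UPGRADE:
        v["category"] = "weakened"      # PQ key exchange, but symmetric key too short
    else:
        v["category"] = "pq-ready"
    return v


def summarise(suites, tls13_groups=()):
    """Classify a whole list and count categories."""
    verdicts = [classify(s, tls13_groups) for s in suites]
    return verdicts, Counter(v["category"] for v in verdicts)


# Constructed sample input, shaped like `openssl ciphers -v` output plus the groups list.
SAMPLE_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-CHACHA20-POLY1305",
                 "AES256-SHA", "DES-CBC3-SHA"]
SAMPLE_GROUPS = ("X25519MLKEM768", "X25519", "secp256r1")

if __name__ == "__main__":
    verdicts, counts = summarise(SAMPLE_SUITES, SAMPLE_GROUPS)
    for v in verdicts:
        print(f"{v['suite']:<32} {v['category']:<10} {v['key_exchange']}")
    print(dict(counts))
```

The ordering of the categories is the point: a suite is "legacy" before anything else, then "broken-kex" whenever the key exchange is classical, because a captured handshake is decryptable later regardless of how strong the symmetric cipher is. Only once a hybrid ML-KEM group is actually offered does the symmetric key size (AES-128 versus AES-256) become the deciding factor.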

03 · Clarifications

Misconceptions Costing Organisations Time

Several framings of the quantum threat are confidently asserted by vendors and the press — and several of them are wrong in ways that delay action.

"Quantum will break encryption overnight, like a switch."
The threat is gradual, not binary. Migration must be complete before a CRQC exists, because once one does, the harvest-now-decrypt-later attack on historical data has already succeeded; nothing done at that point protects traffic captured earlier. Waiting for a clear quantum breakthrough is a guarantee of being late.
"AES is broken by quantum computers."
It is not. Grover's algorithm reduces effective security by a square root — not a full break. AES-256 retains ~128 bits of security against quantum attack, which is more than adequate. The problem is exclusively with public-key (asymmetric) cryptography.
"Only governments and intelligence agencies need to migrate."
Any organisation handling data with confidentiality requirements over 10 years — medical records, financial transactions, intellectual property, customer identity, legal records — is already a target of harvest-now-decrypt-later attacks. Regulatory deadlines will reach commercial sectors within five years.
"We can wait until a quantum computer actually exists."
Migration timelines for enterprise PKI, embedded systems, and hardware tokens routinely run five to ten years. Standards bodies have already published the algorithms. By the time a CRQC is publicly demonstrated, your migration window has closed.
"Quantum Key Distribution will solve this."
QKD is a different technology with different uses. It requires specialised optical hardware, has limited range, does not authenticate parties, and cannot replace digital signatures or the broad public-key infrastructure. PQC — running on classical computers — is the standardised replacement for general-purpose cryptography.
"Post-quantum algorithms are unproven and risky."
They have been under public cryptanalysis for eight years through the NIST competition. Several candidates were broken during the process — including Rainbow and SIKE — and those algorithms were eliminated. The standardised survivors have withstood the most intensive open cryptographic analysis in history.
04 · Terminology

Post-Quantum Cryptography vs Quantum Key Distribution

These are routinely confused in board-level briefings. They are different technologies addressing different parts of the security stack.

What it is
PQC: Classical mathematical algorithms believed to resist quantum attack. Runs on conventional CPUs.
QKD: A physical-layer key exchange using single photons. Requires specialised quantum hardware.

What it replaces
PQC: RSA, ECC, ECDSA, Diffie-Hellman, the full set of broken public-key algorithms.
QKD: Only the key-exchange step, and only over a dedicated optical channel.

Authentication
PQC: Yes. Supports digital signatures and identity verification.
QKD: No. Requires a pre-shared key or a classically authenticated channel, i.e. existing cryptography.

Deployment
PQC: Software update. Already shipping in Apple iMessage, Signal, Chrome, AWS and Cloudflare.
QKD: Hardware installation. Point-to-point fibre or satellite; terrestrial range limited to roughly 100 km per trusted node.

Standards body
PQC: NIST (FIPS 203, 204 and 205, with FIPS 206 for FN-DSA to follow), with ETSI, ISO and IETF alignment.
QKD: ETSI QKD standards. The NSA explicitly does not recommend QKD for national security systems.

Business relevance
PQC: Mandatory for every organisation using public-key cryptography, which is every digital organisation.
QKD: Niche use cases: nation-state communications, ultra-high-security inter-data-centre links.

For business decision-makers the operative technology is PQC. QKD remains scientifically interesting but is not a substitute for the migration described across this research.

05 · Decision Framework

Mosca's Theorem: Are You Already Late?

Michele Mosca's inequality gives executives a clean framework for deciding whether to start migration now. Model your organisation by estimating the three quantities below.

The Inequality
If X + Y > Z, you are already too late.
X · Data Secrecy Lifetime
How many years must your sensitive data remain confidential?
Y · Migration Time
How many years to complete your cryptographic migration?
Z · Time to CRQC
Years until a Cryptographically Relevant Quantum Computer exists.
Worked instance
With the page's default values (X = 15, Y = 7, Z = 15): X + Y = 22 > 15. Data encrypted today would still need protection seven years after the assumed arrival of a CRQC. Verdict: already late.

Most enterprises with sensitive data (financial, medical, IP, government) sit at X = 15–25 years. Realistic migration timelines for large organisations are Y = 5–10 years. Independent expert surveys (Mosca, Global Risk Institute) place Z at 10–20 years with non-trivial probability of being shorter. The arithmetic does not favour delay.
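Because Z is the least certain of the three inputs, a single-point verdict hides most of the decision. The following is an added example, not part of the original briefing: it evaluates Mosca's inequality as written, then treats Z as a distribution so that the question becomes "with what probability is X + Y > Z", and finally asks how short the migration programme would have to be to keep that probability under a chosen tolerance. X, Y and Z follow the page's definitions; Z_DISTRIBUTION is an assumed illustrative distribution, not a figure from the page or from the Global Risk Institute survey.

```python
"""Mosca's inequality with the uncertainty in Z that the briefing describes.

Added example, not part of the original page. X, Y and Z follow the page's
definitions: data secrecy lifetime, migration time and years until a CRQC.
Z_DISTRIBUTION is an assumption for illustration only; the page states that
expert surveys put Z at 10-20 years with a non-trivial chance of it being shorter.
"""

# Assumed discrete distribution over Z (years until a CRQC -> probability).
Z_DISTRIBUTION = {5: 0.05, 8: 0.10, 10: 0.15, 12: 0.15, 15: 0.20,
                  18: 0.15, 20: 0.10, 25: 0.10}


def mosca_late(x: float, y: float, z: float) -> bool:
    """Mosca's inequality: X + Y > Z means data encrypted today outlives its protection."""
    return x + y > z


def margin_years(x: float, y: float, z: float) -> float:
    """Slack before the deadline; negative means already late by that many years."""
    return z - (x + y)


def probability_late(x: float, y: float, z_dist: dict = Z_DISTRIBUTION) -> float:
    """P(X + Y > Z) under a discrete distribution for Z, rounded to 4 places."""
    total = sum(z_dist.values())
    return round(sum(p for z, p in z_dist.items() if x + y > z) / total, 4)


def max_migration_years(x: float, tolerance: float, z_dist: dict = Z_DISTRIBUTION) -> int:
    """Longest whole-year migration Y keeping P(late) <= tolerance; -1 if even Y = 0 fails."""
    y = 0
    while probability_late(x, y, z_dist) <= tolerance:
        y += 1
        if y > 100:   # cap the search so a distribution with all mass far above X cannot loop forever
            break
    return y - 1


def sensitivity(x: float, y_values=range(0, 11), z_dist: dict = Z_DISTRIBUTION) -> dict:
    """How P(late) moves as the migration programme is compressed or stretched."""
    return {y: probability_late(x, y, z_dist) for y in y_values}


if __name__ == "__main__":
    x, y, z = 15, 7, 15   # the page's default scenario
    print(f"X+Y={x + y} vs Z={z}: late={mosca_late(x, y, z)}, margin={margin_years(x, y, z)} years")
    print(f"P(late) under the assumed Z distribution: {probability_late(x, y)}")
    for lifetime in (5, 10, 15, 25):
        print(f"X={lifetime:>2}: P(late) by Y =", sensitivity(lifetime, range(0, 11, 2)),
              f"| longest Y at 10% tolerance: {max_migration_years(lifetime, 0.10)}")
```

Under the assumed distribution the page's default scenario is late with probability 0.9, and for a 15-year secrecy lifetime no migration duration at all, not even zero, keeps the risk under 10 percent. The sensitivity table shows where the levers are: shortening Y buys little once X is large, so for long-lived data the only effective move is to begin encrypting it under post-quantum key exchange immediately, which is the conclusion the arithmetic above already points to.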

Diarka Quantum · Advisory
Need a Mosca-Framework Assessment for Your Organisation?

We deliver board-ready exposure assessments that translate the threat described here into specific risk numbers for your business.