Quantum Threat Mechanics

How quantum computers break RSA, ECC, and weaken AES — and why PQC algorithms survive.

Qubits & Superposition

Classical computers store information as bits — each is definitively 0 or 1. A quantum computer uses , which exploit two quantum phenomena to process information fundamentally differently.

Classical Bit
0 or 1

Always in a definite state. N bits represent exactly one of 2N values at a time.

Quantum Bit (Qubit)
α|0〉 + β|1〉

exists in a combination of 0 and 1 simultaneously. qubits can be correlated so measuring one instantly determines the other. Together, N qubits can process 2N states in parallel.

Key insight: Quantum speedup doesn't come from "trying all answers at once." It comes from carefully constructing interference patterns that amplify correct answers and cancel wrong ones. Only specific algorithms (like and ) can exploit this structure.

Shor's Algorithm — Breaking &

Peter Shor discovered in 1994 that a quantum computer can solve two hard mathematical problems exponentially faster than any classical computer:

Integer Factorization (RSA)

RSA relies on the difficulty of factoring large numbers (N = p × q).

Classical: O(e1.9 · n1/3) — sub-exponential
Quantum: O(n³) — polynomial

RSA-2048 requires ~4,098 logical qubits. A CRQC could factor it in hours, not billions of years.

Discrete Logarithm (ECC/DH)

ECC (, , ) and Diffie-Hellman rely on the hardness of discrete logarithms.

Classical: O(2n/2) — exponential (Pollard rho)
Quantum: O(n³) — polynomial

P-256 requires ~2,330 logical qubits. All ECC variants (P-256, P-384, , ) are equally broken.

Impact: Every public-key algorithm based on integer factorization or discrete logarithms — RSA, DSA, ECDSA, ECDH, EdDSA, DH — provides zero security against a quantum adversary. Key size increases do not help because Shor's algorithm scales polynomially.

Grover's Algorithm — Weakening & SHA

Lov Grover discovered in 1996 that a quantum computer can search an unstructured database quadratically faster. This affects symmetric encryption and hash functions:

AlgorithmClassical SecurityQuantum SecurityStatus
AES-128128-bit64-bitInsufficient
AES-192192-bit96-bitAdequate
AES-256256-bit128-bitSecure
SHA-256 (collision)128-bit~85-bitSecure

Practical note: Grover's algorithm is less threatening than Shor's. It provides only a quadratic speedup (halving security bits), and the algorithm requires sequential oracle queries — it cannot be parallelized effectively. The fix is simple: double the key size (AES-128 → AES-256).

CRQC Timeline Projections

A is one powerful enough to run Shor's algorithm against production-size keys. Experts disagree on when this will happen, but major agencies are planning for it now:

NIST IR 8547 — Deprecate by 2030, disallow by 2035
NSA CNSA 2.0 — Software PQC by 2025, all NSS by 2033
Global Risk Institute — ~33% chance by 2033, ~50% by 2038
BSI Germany — Recommend hybrid migration now
ANSSI France — Mandate hybrid for government by 2025

Bottom line: Whether a CRQC arrives in 2030 or 2040, migration takes years. Organizations handling long-lived data (government, healthcare, finance) must begin now because of the Harvest Now, Decrypt Later threat.

The most urgent quantum threat is not future code-breaking — it's data being intercepted today for future decryption. This attack is called Harvest Now, Decrypt Later (HNDL), also known as "Store Now, Decrypt Later" or "retrospective decryption."

📡
Phase 1: Harvest

Adversaries intercept encrypted traffic today (VPN, TLS, email) and store it.

💾
Phase 2: Store

Data is archived — storage is cheap. Adversaries wait for quantum capability.

🔓
Phase 3: Decrypt

Once CRQC is available, Shor's breaks the key exchange. Symmetric keys are recovered, all data is decrypted.

Mosca's Theorem (Migration Deadline): If your data must remain secure for X years, your migration will take Y years, and a CRQC is expected in Z years, you must start migrating within Z − X − Y years. For data with 25-year sensitivity, a 5-year migration time, and a CRQC in 2035, migration should have started by 2005.

HNDL targets confidentiality. HNFL targets authenticity and integrity. Adversaries collect signed artifacts today — firmware images, certificate chains, code-signing blobs — and store them. Once a CRQC arrives, Shor's algorithm recovers the signer's private key, enabling forged signatures on any document or binary.

📂
Phase 1: Capture

Collect signed artifacts — firmware images, CA certificates, code-signing blobs. Public-key material is often publicly accessible.

💾
Phase 2: Store

Archive for years to decades. No active attack is needed — the adversary waits for quantum capability.

✍️
Phase 3: Forge

CRQC runs Shor's algorithm on the signer's public key, recovers the private key, and forges arbitrary signatures retroactively.

High-risk targets
  • hierarchies & root CA certificates
  • • Firmware signing (medical devices, industrial, automotive)
  • • Software update pipelines & code-signing certs
  • • Government ePassports & digital ID credentials
Why it's urgent now

A Root CA issued today with a 20-year validity period will still be trusted in 2046. If a CRQC arrives in 2035, that CA's RSA or ECDSA key is breakable — and every certificate it ever signed becomes forgeable. Migration to or must complete before CRQC arrival.

HNFL vs HNDL: HNDL requires intercepting encrypted traffic. HNFL does not — signed artifacts are often public. The re-issuance deadline formula is simpler: Re-issuance Deadline = CRQC Year − Re-issuance Time. Use the Step 5 workshop to calculate your credential migration window.

Related Resources

Threat Dashboard
Industry-specific quantum risks & PQC replacements
Algorithm Explorer
Compare key sizes, security levels & performance
Migration Timeline
NIST milestones, country deadlines & standardization
Risk Assessment
Assess your organization's quantum readiness

Explore Interactively

Use the Workshop to visualize security degradation, compare algorithms, and calculate your HNDL migration deadline.