How Secure Is Quantum Computing? The Future of Encryption

By Macfeigh Atunga • Published: September 17, 2025

Labels: Quantum Security, Post-Quantum Cryptography, Shor, RSA, NIST, The MarketWorth Group

Quantum computers promise powerful new capabilities — but they also raise valid questions: will they break the encryption that secures banking, email and the web? This beginner-friendly guide explains what Shor’s algorithm does, where we are with quantum hardware, what NIST’s post-quantum cryptography (PQC) standards look like, realistic timelines and practical steps organizations and developers should take now to stay secure. Key standards and research are cited throughout for verification. 0

Quick answer: Not right now — but be prepared

Short version: **No, quantum computers today cannot break RSA or widely used public-key systems**. However, advances in hardware and error correction mean that in the coming decade(s) the risk grows for high-value targets. Practical defense is available today: **post-quantum cryptography (PQC)** standards and migration plans (led by NIST and other bodies) provide secure, deployable alternatives. NIST published initial PQC standards in 2024 and continued updates & roadmaps in 2025 — these are the roadmap for migration. 1

Practical takeaway: For most individuals the immediate risk is low; for governments, critical infrastructure, and organizations protecting long-lived secrets, planning and early migration steps are already recommended.

Part 1 — How would a quantum computer break RSA?

Shor’s algorithm in plain English

In 1994 Peter Shor discovered a quantum algorithm that factors large integers efficiently (in polynomial time). Classical factoring algorithms take super-polynomial time for large numbers; Shor’s algorithm exploits quantum Fourier transforms and interference across many superposed states to find the period of a function related to the integer, and from that recover its factors. Once you can factor an RSA modulus N = p·q, you can compute private keys and decrypt messages that rely on RSA.

What resource does Shor need?

Shor’s algorithm requires a large, error-corrected quantum computer with enough logical qubits and low enough error rates to run deep circuits. The raw number of physical qubits required depends on the error rate and the error-correction scheme; estimates vary widely, but breaking typical RSA-2048 would need millions of physical qubits under conservative assumptions — or fewer with optimistic improvements in error rates and error correction. Importantly, this is an active research area with evolving estimates. 2

So when will Shor be a real threat?

There is no consensus on an exact year. Roadmaps from major vendors show rapid progress (increasing qubit counts, improvements in quantum volume and error rates), and some risk models project disruptions within a decade for the highest-value targets; others forecast further out. Industry and standards bodies treat this uncertainty by recommending **crypto agility** — planning migrations that allow quick swapping of algorithms when needed. See NIST’s ongoing PQC roadmap and recent workshops for migration guidance. 3

Part 2 — Which cryptographic schemes does quantum computing threaten?

High-risk: public-key systems based on factoring and discrete logs

Shor’s algorithm directly threatens:

• RSA (factoring-based)
• DSA and ElGamal (discrete logarithm over integers)
• Elliptic-curve cryptography (ECC) — used widely in TLS, SSH, and cryptocurrency wallets

These are the public-key primitives that would be broken by a sufficiently large fault-tolerant quantum computer.

Lower-risk: symmetric cryptography & hashing

Quantum attacks against symmetric ciphers and hashes are weaker: Grover’s algorithm gives a quadratic speedup for brute-force search, effectively halving the security bit-level (e.g., AES-256 becomes ~128-bit secure against Grover). The practical remedy is simple: increase key sizes (e.g., AES-256 remains safe if we take into account Grover’s quadratic advantage). Hash functions can be sized similarly. Because these defenses are straightforward, symmetric cryptography is less urgent than public-key migration.

Part 3 — The standards response: NIST and Post-Quantum Cryptography

Where we stand (NIST progress)

NIST led a multiyear public competition to select post-quantum algorithms suitable for standardization. In August 2024 NIST published initial standards for three algorithms and continues to update the program; by 2025 NIST had published FIPS documents and additional status reports. The selected and standardized algorithms include **CRYSTALS-KYBER** (key-encapsulation/KEM) and signature algorithms such as **CRYSTALS-DILITHIUM**, **FALCON**, and **SPHINCS+** in various roles; ongoing analyses and additional candidate studies continued into 2025. NIST also publishes guidance on crypto agility and migration best practices to help organizations transition. 4

What PQC buys you

Post-quantum cryptography provides classical algorithms believed to be secure against both classical and quantum attackers (based on hard lattice problems, code-based problems, hash-based signatures, etc.). Adopting PQC prevents tomorrow’s quantum computer from retroactively decrypting today’s captured communications that were encrypted with vulnerable public key schemes.

Standards, FIPS, and protocol updates

Standards bodies (NIST, IETF, ISO/IEC) are integrating PQC into protocols: TLS, SSH, IPsec, and certificate infrastructures need updates. Many software libraries (OpenSSL, BoringSSL, NSS) and cloud providers are adding PQC algorithms and hybrid modes (combining classical and PQC KEMs) to smooth transition and preserve interoperability.

NIST’s PQC project page, status reports and workshop materials are essential reading for migration planners. 5

Part 4 — Migration strategy: practical steps for organizations

1. Inventory & classify your cryptographic assets

Start with an inventory: which systems use RSA, ECC, or other vulnerable primitives? Which data is long-lived (patient medical records, classified archives, backups)? Prioritize assets that need post-quantum protection now (secrets that must remain confidential for decades).

2. Adopt crypto agility

Crypto agility means designing systems that can switch algorithms and key material with minimal friction. Use abstraction layers, configuration-driven algorithm selection, and modular key management so updates require configuration changes, not complete rewrites.

3. Test PQC in non-critical contexts

Run PQC libraries and hybrid modes in test and staging environments. Libraries like liboqs, Open Quantum Safe (OQS), and vendor SDKs allow developers to experiment with PQC integrations. Hybrid modes (classical + PQC) provide defense in depth during transition.

4. Plan PKI and certificate transitions

Certificate authorities, PKI renewals, and embedded device certificates require careful timelines. Rolling over root CA keys and updating device firmware can be time consuming — plan early and coordinate across suppliers and vendors.

5. Monitor standards & vendor roadmaps

Keep an eye on NIST announcements, IETF drafts (CFRG/TLS WG), and vendor releases. Many cloud providers and major crypto libraries publish migration guides and compatibility notes; follow them and schedule upgrades accordingly. NIST and the U.K. NCSC publish migration timelines and practical guidance. 6

Quick checklist

• Inventory cryptography and classify data by sensitivity and lifetime.
• Deploy PQC libraries in test environments; use hybrid modes for high-value channels.
• Design crypto-agile systems and plan certificate renewals.
• Re-seed backups and archive processes to avoid future decryption risk.

Part 5 — Practical notes about deploying PQC

Key sizes and performance

Many PQC schemes have larger key sizes or signature sizes compared with classical ECC; some KEMs (e.g., Kyber) are relatively compact and performant, while code-based or hash-based options may have larger parameters. Planning must include bandwidth, storage, and performance testing for devices, especially constrained IoT devices.

Hybrid approaches

Hybrid modes combine a classical primitive (e.g., RSA/ECC) with a PQC primitive so that an attacker must break both to succeed. This approach provides continuity and resilience during the transition period.

Firmware & embedded systems

Embedded devices and IoT often have long lifetimes and limited patching capabilities. For such systems, consider hardware replacement timelines, over-the-air update mechanisms, or hybrid client-side solutions to avoid leaving devices permanently vulnerable.

Third-party risk

Vendor and supply-chain risk is real — if your partners don’t adopt PQC, your data might still be vulnerable. Include PQC readiness in procurement and vendor assessments.

Part 6 — Timelines and uncertainty: how to think about risk

Why exact timelines are hard

Predicting when a cryptographically relevant quantum computer (CRQC) will exist depends on hardware scaling, error correction breakthroughs, materials, and funding. Different modeling approaches (technical roadmaps, expert elicitations, and threat timelines) produce a range of estimates. Some conservative reports suggest risk within a few decades; other assessments, especially for high-value targets and well-funded adversaries, suggest preparation is already prudent. The 2024-2025 analyses emphasize preparedness and crypto agility rather than a single date. 7

What to prioritize by risk tolerance

• High-value, long-lived data: act now — inventory and prioritize PQC protections (financial records, state secrets, health records).
• Moderate-value data: plan and test solutions; use hybrid modes for sensitive channels.
• Low-value, short-lived data: monitor progress and schedule upgrades as part of routine cryptographic hygiene.

For corporate roadmaps and risk models see industry reports like the Quantum Threat Timeline (2024) and NIST’s crypto-agility materials (2025). 8

Part 7 — What major vendors are doing

Major cloud providers, browser vendors, and crypto library maintainers are actively testing PQC in experimental branches and hybrid modes. Google, Microsoft, Amazon Web Services, and IBM publish whitepapers, SDKs, and example integrations. For example, IBM and other vendors maintain PQC roadmaps and provide experimental PQC support in libraries used by their cloud customers. Providers also work with standards bodies to harmonize transitions. 9

Vendor tip: consult your cloud provider’s PQC guidance and use their managed services to test hybrid PQC modes before wide production rollouts.

Part 8 — Short case studies: what a migration looks like

Case: a bank migrating TLS and HSMs

A bank should: inventory certificates and HSM usage, test PQC KEMs and signatures in staging environments, update HSM firmware to support PQC where vendor support exists, plan certificate rollover windows, and communicate timelines to partners. Rolling updates and hybrid modes help avoid downtime.

Case: IoT fleet with constrained devices

For constrained devices, options include (a) use PQC for backend servers and sign firmware updates with PQC-protected keys, (b) provision devices with post-quantum-ready bootloaders, or (c) plan hardware replacement cycles aligned with PQC adoption to avoid permanent exposure.

FAQ — short answers to common questions

Q: Is my phone or laptop at risk today?

A: For most users, not immediately. Most messaging, browsing and banking transactions are short-lived and protected by symmetric cryptography or TLS sessions that will be renegotiated. The main concern is archived data that must remain confidential for many years—if someone captures encrypted traffic today, a future quantum computer could potentially decrypt it when they have access to private keys or if long-term keys are compromised.

Q: Will increasing key sizes protect me?

A: Increasing symmetric key sizes (e.g., AES-256) mitigates Grover-style attacks. But simply increasing RSA/ECC key sizes doesn't stop a fully capable Shor attack — you need to migrate to PQC for public key algorithms.

Q: What is device-independent quantum cryptanalysis?

A: Device-independent approaches (like device-independent randomness) are part of quantum research; they are not a replacement for PQC in encryption. For defenses against Shor-style attacks, PQC algorithms are the practical solution today.

Q: How can my organization start today?

A: Inventory keys and certificates, adopt crypto agility, test PQC libraries (liboqs, OpenSSL with OQS patches), use hybrid modes, and consult NIST and your vendors’ guidance. Establish a cross-functional migration plan that includes PKI, embedded devices, and backups.

Resources & further reading (authoritative)

• NIST — Post-Quantum Cryptography Standardization (status & guidance). 10
• NIST — News: First PQC standards (Aug 13, 2024). 11
• NIST Status Report on 4th Round PQC (2025). 12
• UK NCSC — PQC migration timelines and guidance. 13
• IBM — quantum hardware roadmap and PQC notes from major vendors. 14
• Quantum Threat Timeline Report (2024) — risk modeling for organizations. 15

Conclusion — plan, don’t panic

Quantum computing will change the cryptographic landscape — but change is manageable. The tools you need (PQC algorithms, crypto-agility patterns, standards, and vendor support) already exist. The sensible path is to inventory, prioritize, test, and design your systems to be crypto-agile so you can swap in post-quantum algorithms smoothly as standards and vendor support mature.

Stay informed and stay ready: follow us on Facebook for concise updates and practical migration tips — The MarketWorth Group.

Author: Macfeigh Atunga • The MarketWorth Group

Follow: Facebook • Pinterest

© 2025 The MarketWorth Group. All rights reserved.