Quantum computing will not just break encryption. It will break the assumption of privacy that the entire digital world is built on.
There is a padlock metaphor that gets used in cybersecurity circles to explain public-key cryptography to non-specialists. Your public key is the open padlock — you hand copies to everyone. Your private key is what closes it. Anyone can lock a message to you. Only you can open it. The metaphor is imperfect, as all metaphors are, but it has one serious problem: it implies the padlock is permanent.
It is not. And the thing that will eventually break it has been running, in prototype form, in research labs in IBM, Google, IonQ, and the Chinese Academy of Sciences for the better part of a decade.
Quantum computing is a phrase that has been used so promiscuously — in venture pitches, government strategy papers, breathless technology journalism — that it has begun to lose definition. So let’s be specific about the threat, because the specificity is what makes it alarming.
WHAT SHOR’S ALGORITHM ACTUALLY DOES
In 1994, a mathematician at Bell Labs named Peter Shor published an algorithm that could, theoretically, factor large integers exponentially faster than any classical computer. This was a theoretical result. Shor had no machine capable of running it. But the implication was immediately understood by cryptographers: RSA encryption, which secures the majority of internet traffic, banking infrastructure, and government communications on Earth, relies on the computational difficulty of factoring large numbers. If you could factor them quickly, you could break RSA.
RSA-2048, the standard most commonly deployed today, would take a classical computer longer than the age of the universe to crack by brute force. A sufficiently powerful quantum computer running Shor’s algorithm could theoretically do it in hours.
The ‘sufficiently powerful’ qualifier has always been the rejoinder. And for 30 years, it was a reasonable one. Quantum computers are extraordinarily difficult to build. They require operating temperatures near absolute zero. They are extraordinarily sensitive to environmental interference — a concept called decoherence — which causes quantum states to collapse before useful computation completes.
The standard reassurance — ‘we’re decades away from cryptographically relevant quantum computers’ — is beginning to sound less like an assessment and more like a prayer.
In 2023, researchers at the University of Science and Technology of China demonstrated factoring a 2048-bit integer using a quantum annealing approach, though the result was disputed and the methodology does not scale directly to universal quantum computing. In 2024, Google announced its Willow chip had achieved a benchmark computation that would take classical computers 10 septillion years. IBM’s roadmap targets 100,000 physical qubits by 2033. The trajectory is not linear, but it is not stalled either.
HARVEST NOW, DECRYPT LATER
Here is the problem that most public discourse about quantum computing has not adequately confronted: the threat is not only future. It is already partially present.
A strategy known in the security community as ‘harvest now, decrypt later’ — or HNDL — proceeds as follows. An adversary with sufficient resources intercepts and stores encrypted communications today. The communications are currently unreadable. In ten, fifteen, twenty years, when a cryptographically relevant quantum computer exists, the adversary decrypts the archive. Everything that was private in 2025 becomes readable in 2040.
The US National Security Agency has been warning about this since at least 2015. In 2022, the White House issued a National Security Memorandum directing federal agencies to begin the migration to post-quantum cryptographic standards. In 2024, NIST — the National Institute of Standards and Technology — finalised the first set of post-quantum cryptographic algorithms, including CRYSTALS-Kyber and CRYSTALS-Dilithium, after a six-year evaluation process.
The algorithms exist. The standards are published. The migration has, in principle, begun.
In practice, most organisations have not started.
THE INFRASTRUCTURE PROBLEM
Cryptographic transitions are historically among the slowest and most painful processes in technology. The migration from SHA-1 to SHA-256 took over a decade and was still incomplete in some systems years after SHA-1 was formally deprecated. The transition from TLS 1.0 to TLS 1.2 stretched across nearly the same timeframe. These are relatively minor upgrades within the same cryptographic paradigm.
Post-quantum migration is a paradigm change. It requires updating not just software libraries but hardware security modules, smartcards, embedded systems in critical infrastructure, and protocols baked into devices with multi-decade operational lifespans. The power grid. Industrial control systems. Aviation. Medical devices. Many of these systems run cryptographic implementations that were never designed to be updated.
A 2023 survey by the Ponemon Institute found that 61% of organisations had not yet begun assessing their cryptographic inventory — the first step in any migration. A separate study by ISACA found that fewer than 25% of cybersecurity professionals felt their organisation had adequate plans for post-quantum security.
The padlock is still working. The locksmith is a decade away. And most of us haven’t started making new keys.
There is a version of this story that ends well. NIST publishes the standards. Governments mandate migration timelines. The technology industry implements them. Quantum computers arrive to find that critical infrastructure has already moved on. This is the outcome everyone in the security community is working toward.
But there is another version. In it, the timeline compresses faster than expected — as timelines in hardware development occasionally do. The migration, which was always going to be slow, turns out not to have started early enough. And the archive of harvested communications from the 2020s sits ready for decryption.
The lock that secures nearly everything we do online was designed in the 1970s, refined in the 1980s and 1990s, and has worked astonishingly well for 40 years. It is still working. What is changing is not the lock. It is the nature of what will eventually be able to pick it.
The question is not whether to replace it. The question is whether anyone in authority will move fast enough to matter.
