The Quantum Threat
What makes quantum computers dangerous to RSA and ECDH. The Harvest Now, Decrypt Later threat model, and what NIST has standardized to replace them.
Why quantum computers are different
Classical computers work with bits: 0 or 1. Quantum computers work with qubits, which can exist in superpositions of 0 and 1 simultaneously. Combined with entanglement and quantum interference, this allows certain algorithms to solve specific problems exponentially faster than any classical computer.
The key word is specific. Quantum computers are not universally faster. They do not speed up video rendering, database queries, or most business logic. But they are devastating for two categories of mathematical problems that modern cryptography depends on.
Shor's algorithm: the cryptographic threat
In 1994, Peter Shor published an algorithm that runs on a quantum computer and can factor large integers and solve the discrete logarithm problem in polynomial time. Both of these are computationally infeasible on classical computers, and both are the mathematical foundation of the cryptography protecting most internet traffic today.
RSA security assumption: factoring n = p × q into its prime factors is computationally infeasible. RSA-2048 would take ~300 trillion years on the fastest classical supercomputer. Shor's algorithm breaks RSA-2048 in hours on a large enough quantum computer.

ECDH/ECDSA security assumption: given a point Q = k × G on an elliptic curve, finding k is computationally infeasible (the Elliptic Curve Discrete Logarithm Problem). Shor's algorithm solves this too.
This means the following are all broken by Shor's algorithm:
- RSA (all key sizes: 1024, 2048, 4096)
- ECDSA (all curves: P-256, P-384, secp256k1)
- ECDHE (all curves: X25519, P-256)
- DH and DHE (classic Diffie-Hellman)
These algorithms secure TLS handshakes, certificate signatures, JWT signatures, SSH keys, PGP keys, and code signing certificates. The quantum threat is not confined to one corner of security: it is a single algorithm that breaks the key exchange and authentication layer across almost everything.
What quantum computers do NOT break
Grover's algorithm provides a quadratic speedup for searching unsorted data. For symmetric cryptography (AES) and hash functions (SHA-256), this effectively halves the security level in bits. AES-128 becomes AES-64 equivalent post-quantum, which is insufficient. AES-256 becomes AES-128 equivalent, which remains secure.
- AES-256-GCM: secure post-quantum
- SHA-256: secure post-quantum (128-bit post-quantum security)
- SHA-512: secure post-quantum
- AES-128: marginal, prefer AES-256 for new systems
Your symmetric cryptography is fine
If you are already using AES-256-GCM for data at rest and SHA-256 for integrity, you do not need to change those. The migration is specifically for asymmetric cryptography: key exchange and digital signatures.
Harvest Now, Decrypt Later (HNDL)
The most urgent threat is not a quantum computer breaking your encryption in real time. Cryptographically relevant quantum computers do not yet exist. The urgent threat is that adversaries do not need to break encryption in real time.
Nation-state intelligence agencies and advanced persistent threat groups are recording encrypted network traffic today. They store it. When quantum computers become capable enough (estimated 2030 to 2035 by NIST), they will decrypt everything they collected.
2024: Adversary records your encrypted TLS sessions (API calls, financial data, internal communications)
2031: Quantum computer breaks the ECDHE key exchange retroactively
Result: All traffic from 2024 is now readable

This matters for any data that must remain confidential for more than 5 to 10 years from now. For banks and financial institutions, this includes:
- Customer financial history and transaction records
- Inter-bank settlement communications
- Internal credit risk models and proprietary trading strategies
- Regulatory filings and audit trails
- Long-term contractual communications
Forward secrecy (ECDHE) does not protect against HNDL. The adversary records the full TLS handshake, including the ECDHE key shares; Shor's algorithm later recovers the ephemeral private key from a recorded public share, and with it the session key that encrypted the captured traffic.
NIST Post-Quantum Cryptography standards
NIST ran a multi-year competition to standardize post-quantum cryptographic algorithms. In August 2024, they published the first three standards:
| Standard | Algorithm | Replaces |
|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | ECDHE, RSA key exchange |
| FIPS 204 | ML-DSA (Dilithium) | ECDSA, RSA signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | ECDSA (hash-based, stateless) |
ML-KEM is based on the Module Learning With Errors (MLWE) problem. Unlike RSA and ECDH, no quantum algorithm is known to solve MLWE efficiently. It has been analyzed by cryptographers worldwide for over 6 years through the NIST competition process.
ML-DSA (signatures) and SLH-DSA are based on different mathematical foundations (lattice problems and hash trees respectively), providing diversity: if one mathematical approach is later found vulnerable, the other remains secure.
The migration path
Post-quantum migration is not a single switch. It is a layered process:
- Step 1: Crypto inventory. Know where RSA and ECDH/ECDSA are used across your systems. You cannot migrate what you have not mapped.
- Step 2: Hybrid TLS. Enable X25519 + ML-KEM-768 hybrid key exchange in your TLS configuration. This provides quantum safety for key exchange while remaining compatible with clients that do not support PQC. This is available in OpenSSL 3.x and recent nginx/Caddy builds.
- Step 3: PQC certificates. Harder. Requires your CA to support ML-DSA certificates. Hybrid certificates (ML-DSA + ECDSA dual-signed) allow gradual rollout.
- Step 4: Application-level crypto. JWTs, signed payloads, code signing, SSH keys. Each requires its own migration.
Start with key exchange, not signatures
Hybrid TLS key exchange (X25519 + ML-KEM) is the highest-impact, lowest-disruption first step. It is already deployed in Chrome and Cloudflare. Enable it on your servers now. Certificate/signature migration comes later and requires more coordination.
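As an added example (not part of the original page), a small Python triage script for Steps 1 and 2 and the key-exchange-first advice: it classifies recorded TLS handshakes by whether their key exchange is HNDL-exposed, and reports certificate signature algorithms without counting them as exposure. The record format and hostnames are constructed for this example; in practice the negotiated group would come from your TLS terminator's logs (for example nginx's $ssl_curve variable).

```python
import re
from collections import Counter

# (EC)DLP-based groups: Shor breaks them, so recorded handshakes are HNDL-exposed.
CLASSICAL_GROUPS = {"x25519", "x448", "prime256v1", "secp256r1", "secp384r1",
                    "secp521r1", "ffdhe2048", "ffdhe3072", "ffdhe4096"}

# Constructed record format for this example: "<host> proto=<v> group=<g> sigalg=<s>".
LINE_RE = re.compile(
    r"^(?P<host>\S+) proto=(?P<proto>\S+) group=(?P<group>\S+) sigalg=(?P<sigalg>\S+)$")

def classify_kex(group: str) -> str:
    """Classify a negotiated key-exchange group by HNDL exposure:
    pq-kex (ML-KEM, hybrid or pure: recorded traffic stays confidential),
    classical (ECDHE/DHE only: forward secret today, Shor-breakable later),
    rsa-kex (TLS 1.2 RSA key transport: Shor-breakable, no forward secrecy),
    unknown (anything else: review manually)."""
    g = group.lower()
    if "mlkem" in g:
        return "pq-kex"
    if g in CLASSICAL_GROUPS:
        return "classical"
    if g == "rsa":
        return "rsa-kex"
    return "unknown"

def triage(log_lines):
    """Return (exposed_hosts, summary). Signature algorithms are recorded but not
    counted: a captured handshake's authentication cannot be forged after the fact."""
    exposed, summary = {}, Counter()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            summary["unparsed"] += 1
            continue
        kex = classify_kex(m["group"])
        summary[kex] += 1
        if kex != "pq-kex":
            exposed[m["host"]] = dict(kex=kex, group=m["group"], sigalg=m["sigalg"])
    return exposed, summary

# Constructed sample records (hostnames and values are illustrative only).
SAMPLE_LOG = [
    "api.example.test proto=TLSv1.3 group=X25519MLKEM768 sigalg=ecdsa_secp256r1_sha256",
    "payments.example.test proto=TLSv1.3 group=X25519 sigalg=rsa_pss_rsae_sha256",
    "legacy.example.test proto=TLSv1.2 group=RSA sigalg=rsa_pkcs1_sha256",
    "settle.example.test proto=TLSv1.2 group=prime256v1 sigalg=ecdsa_secp256r1_sha256",
    "not a handshake record",
]
```

Running `triage(SAMPLE_LOG)` flags the three hosts still negotiating classical or RSA key exchange; the hybrid host is clean even though its certificate is still ECDSA, which is the ordering the section argues for.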