February 11 / 2025 / Reading Time: 5 minutes
Stop Worrying About The Quantum Apocalypse
By Elliot Kaplan
How worried should I be about Quantum computing breaking the encryption I use? (the Quantum Apocalypse!)
Basically zero.
The analysis presented here is primarily derived from a review paper (read it here) from last year, and some broader analysis of the state of Quantum. The paper goes into the details of how Quantum Computing (QC) is being used now, as well as its likely prospects for the near future for both practical and cryptanalysis applications[1]. This paper sets sober bounds for an assessment of when quantum cryptanalysis will arrive.
Even the publicly available IBM Quantum Roadmap (over here)—which you could view as the most optimistic scenario—suggests that building a a cryptographically useful number of Qubits is at least ten years away. This scale is what many researchers view as a minimum for reliably performing cryptanalysis on classical public-key encryption schemes (e.g., RSA-2048).
Why Are You Saying Zero?
Because quantum cryptography has some of the harshest prerequisites for practical application out of any of the applications discussed. On the practical side, the descriptions of applications get hazier and hazier the further away the authors get from describing simulations of existing quantum mechanical systems. A (very cursory) look into references gives the sense that, until quantum computers can do linear algebra better than classical computers, it's all just marketing.
The authors make the case that there's avenues of research to make quantum computing more practical:
- Error mitigation to de-noise the process
- Split big problems up into small ones, basically parallel quantum processing
- Run calculations multiple times to try to average out the noise, basically embarrassingly parallel quantum processing.
All this is probably great for the small army of physicists and chemists with immediate applications for quantum computing in their own field, but that doesn't make for industrial or business applications any time soon.
One thing the authors very effectively make the case for is that quantum cryptanalysis is not going to work in small quantum computers. Grover's algorithm (see here) could speed up brute force attacks, but not enough to break symmetric crypto with a modest number of Qubits. Shor's algorithm (read more here), which is the current real threat for asymmetric crypto (RSA, ECC, etc..) needs a large scale quantum computer.
To throw in some numbers..
The current record for the number of Qubits in a computer is IBMs 433 Qubit "Osprey" (according to Chatgpt).
To break 256 bit elliptic curve encryption (such as is used in the bitcoin network) would require 13x10⁶ Qubits (or 13,000,000 Qubits).
For comparison, some real life examples of the differences between where we are now, and where we need to be:
| 433 Steps is a 2 minute walk | 13 Million steps is approximately 6,500 Miles (like walking from California to India) |
| 433 People is a small town | 13 Million people is a megacity |
| 433 Seconds is about 7 minutes | 13 Million seconds is roughly 150 days |
To break 2048-Bit RSA (used all over the place, including openssl) would require a similar number of Qubits.
Note: There was a research paper published in May 2024 from some Shanghai University researchers which by October had the media in a panic about that dreaded Quantum Apocalypse. However, the research only factored a 50-bit number, which is much smaller than the keys used in encryption applications (the paper itself highlighted the fact that the technology is nowhere near "there" yet).
Note 2: Of course, something could occur to speed this all up, in effect a "quantum leap", but making financial decisions based on advances of that type is probably risky for most companies.
What Should I Be Worried About Then?
Practically, anything but this. That being said, while the paper is very bearish on the prospect of a quantum computer decrypting your hard drive any time soon, they do cite "gather now, decrypt later" as a realistic threat. In this scenario someone collects all your data now, and then in ten years (?) breaks it.
Which prompts the question that any organization should be asking itself is "what secrets do I have now, that a major nation-state would be willing to hold for ten years before it could then devote major resources into decrypting?". Probably not much, but there may come the time that your nation-state adversary only needs to hang onto some encrypted data for a year before it makes it through the queue to get cracked. For that time, there are some steps to getting "Quantum safe":
- Inventory cryptography usage: Identify where and how you use cryptography today. Which algorithms and key lengths are you relying on, and which data is most sensitive if decrypted in the future? (keeping in mind "the future" is a while away).
- Identify and prioritize crown jewels: Understand which pieces of data really need the highest security. This might include trade secrets, sensitive personal information, or strategic communications.
- Develop a transformation roadmap: Chart out how and when you plan to migrate from existing algorithms (RSA, ECC) to post-quantum ones (e.g., the NIST finalists like CRYSTALS-Kyber, CRYSTALS-Dilithium, etc.).
- Begin the transformation to become quantum safe: Start small with testing, pilot programs, or hybrid deployments (classical + post-quantum) so you can get comfortable with next-gen crypto. Update internal libraries, protocols, and devices where feasible.
- Gain familiarity and expertise in the use of new algorithms and tools: Train or hire people conversant in post-quantum cryptography (PQC). Keep abreast of NIST standards and best practices as they evolve.
Again, there is no need to panic about the Quantum Apocalypse. Some organizations are going to need to consider this sooner rather than later (Defense, Finance, Healthcare), and for those that need guidance, we can help. For most organizations, this is probably "someone else's problem", or something you don't need to put a lot of resources into. Good security hygiene - rotating keys, patching vulnerabilities, maintaining a proactive security posture, is going to have a much more immediate impact on lowering your risks.
In Conclusion
If you’re anxious about quantum computers decrypting your data in the near term, relax. The real threats, at least in the immediate future, remain conventional: insecure configurations, phishing, software exploits, etc.
That said, prepare for a post-quantum world if your data’s confidentiality horizon extends for 10+ years. Inventory your cryptographic assets, keep tabs on NIST’s PQC standards, and plan your upgrade paths accordingly. That way, you’ll be ready if (or when) a truly cryptanalytically relevant quantum computer comes online and the Quantum Apocalypse arrives.
[1] It should be noted that the corresponding author is a ranking researcher for IBM Quantum, and the paper itself is cosigned by the head of IBM Quantum and the head of the Post-Quantum Cryptography project at NIST. That is to say, this is about as authoritative a review paper as you are going to find.