Quantum encryption apocalypse: experts weigh in on how to prepare for Q-day
At a glance:
- Quantum computers could break current encryption using Shor's algorithm, threatening RSA and other widely used cryptographic schemes — a scenario called "Q-day" or the quantum encryption apocalypse.
- Google and a Caltech spinoff recently announced breakthroughs in quantum computing, suggesting Q-day may arrive sooner than previously expected, though results are still preprint and unverified.
- NIST has already published post-quantum cryptography (PQC) standards, and experts urge organizations to begin migration now rather than wait for the threat to materialize.
The quantum threat to encryption
In 1994, American mathematician Peter Shor developed a quantum algorithm with the potential to dismantle major cryptography schemes. If realized in quantum hardware, Shor's algorithm would factor large integers and compute discrete logarithms far faster than any known classical method, solving the very mathematical problems (integer factoring, the discrete logarithm problem, and the elliptic-curve discrete logarithm problem) that underpin RSA and the other public-key schemes securing everything from banking transactions to government communications. Some cryptography circles refer to this milestone as "Q-day," the quantum encryption apocalypse. Cryptographic algorithms like RSA essentially "scramble" data to protect sensitive information, and not even the world's best supercomputers can break them in any feasible amount of time. But quantum computers are poised to outperform their classical counterparts on exactly these mathematical tasks.
The prospect of a quantum apocalypse has driven various stakeholders to consider what that scenario could look like and how to prepare. In 2015, the U.S. National Institute of Standards and Technology (NIST) initiated programs to develop post-quantum cryptography standards. To be clear, no existing quantum computer has definitively been shown to run Shor's algorithm at a cryptographically relevant scale. However, last week saw two "bombshell" independent announcements, one from Google and one from a Caltech spinoff startup, about quantum computing breakthroughs. Both results are preprints that have yet to weather independent verification and empirical testing. Still, they present a clear message: the quantum encryption apocalypse might come sooner than we think.
Expert perspectives on timing and risk
Henry Yuen, a theoretical computer scientist at Columbia University, emphasizes the difficulty of making high-confidence predictions about when quantum computers capable of running Shor's algorithm will come online. For industry, governments, financial institutions, and society, the pertinent question should be, "Can one be highly confident that Shor's algorithm won't come online in the next five years?" If not, then we need to move with great urgency to secure our digital infrastructure against quantum attack. This will require enormous coordinated effort between industry, academia, and government. Although NIST has recommended replacement cryptosystems that are conjectured to be secure against quantum attack, Yuen cautions that we should not view quantum-safe cryptography as a solved problem. All it takes is one brilliant quantum algorithm, a Shor 2.0, if you will, that might put us back at square one. We will need to spend more time stress-testing the recommended post-quantum encryption schemes, as well as coming up with alternative cryptosystems, to maximize the chances that we can defend ourselves against quantum attacks.
Tim Palmer, a theoretical physicist at Oxford University who devised the alternative model Rational Quantum Mechanics (RaQM), offers a contrasting perspective. The ability to break RSA encryption assumes that the quantum advantage of Shor's algorithm will continue on computers with thousands of error-corrected qubits. This in turn assumes quantum mechanics itself holds at these scales. Palmer believes it doesn't. Although the public thinks of quantum mechanics as a wildly discontinuous theory, it turns out that quantum mechanics depends on the continuum of numbers more vitally than does classical physics. RaQM is a much simpler theory than quantum mechanics, without the deep mysteries of superposition and nonlocality. It achieves this by banishing the continuum from quantum physics. As a result, RaQM reveals the information content of the wavefunction explicitly: when more than a few hundred qubits are entangled, there is not enough information in the quantum wavefunction to allocate even one bit of information to each Hilbert space dimension. When this happens, the quantum advantage of Shor's algorithm will saturate and cannot be improved by entangling more qubits.
What quantum mechanics offers as a solution
Paul Davies, a theoretical physicist at Arizona State University and author of Quantum 2.0, points out that quantum mechanics undermines many popular cryptographic methods, but it also contains the solution. By exploiting entanglement, information can be teleported from A to B with complete security, because any attempt to eavesdrop irreversibly and detectably corrupts the transmitted data and thus gives the game away. Importantly, the inescapable data mutilation isn't merely a technical disruption but a law of nature, so there is no evading it. However, Davies notes that it is not necessary to use fancy quantum cryptography technology such as entanglement to avoid the looming quantum apocalypse. There are many quantum-proof encryption protocols, an obvious example being the one-time pad. They may not be as convenient as current methods, but they can be secure for all practical purposes.
What none of these considerations address, Davies warns, is the vulnerability of existing and past data that, if vacuumed up by a bad actor, sits like a time bomb awaiting the advent of a quantum computer to break into that vast database and uncover many secrets. The scope for intimidation, blackmail, and cyberwarfare is obvious. For the individual, Davies's advice is to permanently erase as much past data as you can that's stored in the cloud, and copy all essential data onto storage devices that never again connect to the internet.
Practical steps for organizations
Sophie Schmieg, a senior staff cryptography engineer at Google, explains that the encryption currently used to keep information confidential and secure could be broken by a large-scale quantum computer in coming years. We can mitigate this quantum threat to encryption by taking the necessary migration steps now. With NIST and IETF having published their PQC standards, we have a way to protect our computing infrastructure before a quantum computer is ready. Many widely used cryptographic libraries have implemented these algorithms in the last few years, even if some gaps that need to be addressed by cryptography engineers remain. We now need to empower general software engineers to undertake the transition. Hardcoded TLS ciphers need to be swapped to their PQC counterpart (X25519MLKEM768), SSH versions need to be updated, configurations for access token signatures need to be changed from ECDSA to MLDSA, and more.
Dustin Moody, a mathematician at NIST who manages NIST efforts for PQC development, views the "quantum apocalypse" as a serious, looming threat that requires action, though he stresses it is not an apocalypse because we have the tools to deal with it if the world adopts them quickly enough. One of his jobs at NIST is to manage the development of PQC standards designed to protect sensitive data for the long term against the attack of a quantum computer. NIST developed these standards in an open process with the help of cryptographers worldwide, and they are ready for use right now. But publishing the standards is only the beginning — the real work lies in widespread adoption. The key challenge is timing: it could take years or even decades to fully transition the world's digital infrastructure, so preparation needs to begin well before the threat fully materializes. No one knows how long it will take to develop a quantum computer that can break current encryption methods, and the timeline may be shorter than we'd prefer.
Bill Fefferman, a theoretical computer scientist at the University of Chicago, emphasizes that to guard against the threat that quantum computers will pose to cryptography, there is only one solution: we urgently need to replace our existing cryptography with post-quantum cryptographic schemes such as those that have recently been standardized by NIST. There are a couple of reasons why we can't afford to delay this implementation. First, the timeline to build large-scale quantum computers is uncertain. There is no widespread consensus among experts, but experimental progress has been rapid and there is no reason to expect it to slow down. Second, we need to counter the threat of "harvest now and decrypt later" attacks. The idea is that attackers can download and store encrypted information that is widely available online. This data will not be accessible to them today but will be when large-scale quantum computers arrive that can break the encryption.
Dave Taku, Vice President and Global Head of Product Management & UX at RSA Security, offers a more measured perspective. While the current generation of quantum computing presents no practical threat to commercial-grade encryption key lengths, innovation continues to progress at a steady pace. But we aren't on the verge of a quantum apocalypse, provided organizations begin to prepare now. NIST mandates that all federal and critical systems should implement PQC by 2035. Given the current state of the technology, that date should provide ample time before PQC presents any real risk. Organizations can begin to prepare now by evaluating "PQC-ready" cryptographic modules that already support the new standards. Where classical algorithms are employed, increasing the key length, along with proper key management, is a practical solution that exponentially increases the computational power required, even for quantum computers. Long-lived data can also be "double-wrapped" to provide additional defense in depth against "harvest now, decrypt later" attacks.
Looking ahead
The experts broadly agree on one point: waiting is the riskiest strategy. Whether Q-day arrives in five years or fifty, the transition to post-quantum cryptography will take years or decades to complete across the global digital infrastructure. Organizations should prioritize "crypto-agility" — the ability to quickly swap out cryptographic systems — and begin by conducting a comprehensive inventory of where and how public-key cryptography is used. By identifying vulnerable points and prioritizing high-value data today, they can carry out a deliberate, phased migration that reduces risk over time. As Dave Taku notes, while we should all prepare now for the post-quantum future, the biggest risk that organizations face today comes from much less sophisticated attacks — weak passwords, phishing, and social engineering. Address those challenges immediately even as you work toward NIST's 2035 deadline.
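As an added example that is not from the article or from any organization quoted in it, the following Python script sketches the cryptographic inventory step described above: it scans constructed configuration fragments for the public-key algorithms Schmieg lists as needing replacement (TLS groups, SSH key exchange and host keys, access-token signatures) and flags those Shor's algorithm would break. The algorithm keyword tables, the sample file names and contents, and the OpenSSH hybrid group name mlkem768x25519-sha256 are assumptions of this example.

```python
"""Crypto-inventory scanner (added example, not from the article).
Flags public-key primitives a large quantum computer running Shor's algorithm
would break, versus the PQC/hybrid replacements the article names.
The keyword lists are illustrative assumptions, not a complete catalogue."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source line algorithm status")

# Shor-vulnerable: every scheme here rests on factoring or a discrete logarithm.
QUANTUM_VULNERABLE = {
    "RSA": r"\bRSA\b|\brsa-sha2-\d+\b|\bRS256\b",
    "ECDSA": r"\bECDSA\b|\bES256\b|\becdsa-sha2-[\w-]+\b",
    "EdDSA": r"\bEdDSA\b|\bEd25519\b|\bssh-ed25519\b",
    "ECDH/X25519": r"\bECDHE?\b|\bX25519\b|\bcurve25519-sha256\b|\bprime256v1\b",
}
# X25519MLKEM768 (TLS) and ML-DSA come from the article; the OpenSSH hybrid
# name mlkem768x25519-sha256 is an assumption about that implementation.
POST_QUANTUM = {
    "hybrid X25519+ML-KEM-768": r"\bX25519MLKEM768\b|\bmlkem768x25519-sha256\b",
    "ML-DSA": r"\bML-?DSA(-\d+)?\b",
}

def scan(source, text):
    """Return one Finding per (line, algorithm family) named in a config text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        for status, table in ("pqc", POST_QUANTUM), ("quantum-vulnerable", QUANTUM_VULNERABLE):
            for algo, pattern in table.items():
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append(Finding(source, n, algo, status))
    return findings

def summarize(findings):
    """Counts per status plus 'todo': vulnerable lines with no PQC option beside them yet."""
    pqc = [f for f in findings if f.status == "pqc"]
    pqc_lines = {(f.source, f.line) for f in pqc}
    todo = [f for f in findings if f.status != "pqc" and (f.source, f.line) not in pqc_lines]
    return {"pqc": len(pqc), "quantum_vulnerable": len(findings) - len(pqc), "todo": todo}

# Constructed sample fragments (not real deployments).
SAMPLES = {
    "nginx.conf": "ssl_ecdh_curve X25519:prime256v1;\nssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\n",
    "sshd_config": "# key exchange\nKexAlgorithms mlkem768x25519-sha256,curve25519-sha256\n"
                   "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512\n",
    "token_service.yaml": "jwt_signing_alg: ES256\n",
    "tls_migrated.conf": "ssl_ecdh_curve X25519MLKEM768;\n",
}
```

Running summarize over scan results for all SAMPLES yields the "todo" list of lines still relying only on Shor-vulnerable algorithms; the sshd key-exchange line, which already offers a hybrid group alongside curve25519, is excluded from it.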
Prepared by the editorial stack from public data and external sources.