Category: Quantum Computing
Date: February 21, 2026
Quantum Clocks Ticking on Digital Security

In 1994, a mathematician at Bell Labs published a nine-page paper that essentially set a timer on the world's digital security infrastructure. Peter Shor's algorithm showed that a sufficiently powerful quantum computer could crack RSA encryption—the system protecting over 90% of internet connections—in a matter of hours rather than the billions of years it would take today's fastest supercomputers. The paper didn't cause immediate panic because quantum computers barely existed. Three decades later, they're getting closer to reality, and the clock is ticking louder.

The Mathematics of Our Vulnerability

RSA encryption works because factoring large numbers is absurdly difficult. When you connect to your bank's website, the security relies on a mathematical lock built from two large prime numbers multiplied together—a product that can be 617 digits long. Classical computers have no efficient shortcut for recovering those primes from the product; the best known methods take time that grows exponentially with the length of the number.

Shor's algorithm breaks this by exploiting quantum mechanics. While classical computers process information as bits that are either 0 or 1, quantum computers use qubits that exist in multiple states simultaneously through superposition. The algorithm uses the Quantum Fourier Transform to find the period of a repeating sequence built from the number being factored, and a short classical calculation turns that period into the factors, reducing the problem from exponential to polynomial time. What would take millennia becomes feasible in an afternoon.

The threat extends beyond RSA. Elliptic curve cryptography, Diffie-Hellman key exchanges, and most digital signature algorithms face the same fate. These systems all rely on mathematical problems that quantum computers can solve efficiently.

The Gap Between Theory and Practice

IBM factored the number 15 in 2001 using a 7-qubit quantum computer—the first experimental proof that Shor's algorithm actually works on physical hardware. It was simultaneously a milestone and a reminder of how far we had to go. Fifteen is the product of 3 and 5. Breaking modern encryption requires factoring numbers that are incomprehensibly larger.

Today's quantum computers have made progress on qubit count. D-Wave's systems boast over 5,000 qubits. But raw numbers mislead. The real challenge is stability. Qubits are extraordinarily fragile, prone to errors from temperature fluctuations, electromagnetic interference, and quantum decoherence—the tendency for quantum states to collapse into classical ones. Running Shor's algorithm on a number large enough to matter requires not just many qubits, but stable, error-corrected qubits that can maintain coherence through complex calculations.

Most experts place the arrival of cryptanalytically relevant quantum computers somewhere in the 2030s, though some predictions edge closer to the end of this decade. The uncertainty itself is part of the problem. The NSA has stated that "the impact of adversarial use of a quantum computer could be devastating to National Security Systems and our nation"—strong language from an agency not given to hyperbole.

Stealing Tomorrow's Secrets Today

The "harvest now, decrypt later" strategy adds urgency to a seemingly distant threat. Adversaries with sufficient resources are likely collecting encrypted communications right now—diplomatic cables, military transmissions, personal health records, corporate secrets—banking them in vast databases. When quantum computers capable of breaking current encryption come online, potentially a decade or more from now, they can retroactively unlock everything collected.

This means data encrypted today needs protection not just against today's threats, but against computers that don't yet exist. Medical records, classified documents, and long-term business strategies all have confidentiality requirements that extend well into the quantum era. The encryption protecting them now won't last.

The Eight-Year Marathon to New Standards

NIST launched its post-quantum cryptography standardization process in February 2016, receiving 82 submissions from 278 researchers across six continents. The response revealed both the global nature of the threat and the difficulty of the solution. Creating encryption that resists quantum attacks while remaining practical for everyday use required evaluating entirely different mathematical approaches.

In August 2024, NIST released three finalized standards. FIPS 203, based on an algorithm called CRYSTALS-Kyber, handles key establishment using lattice-based cryptography—essentially security derived from the difficulty of solving certain problems about geometric structures in high-dimensional space. FIPS 204, based on CRYSTALS-Dilithium, provides digital signatures using similar lattice mathematics. FIPS 205 takes a different approach, using hash functions for signatures with solid security properties but at the cost of larger signature sizes.

A fourth standard based on FALCON is expected by summer 2025. In March 2025, NIST selected HQC (Hamming Quasi-Cyclic) as an additional key encapsulation mechanism, completing the core standardization effort that began nine years earlier.

Notably, symmetric encryption algorithms like AES-256 remain secure. Quantum computers provide only modest speedups against symmetric encryption—doubling the key length restores security. The vulnerability lies specifically in public-key cryptography, the asymmetric systems that allow strangers to establish secure communications without pre-shared secrets.

The Decade of Dangerous Migration

Publication of standards marks the beginning, not the end, of the transition. President Biden's National Security Memorandum 10, issued in May 2022, set 2035 as the deadline for mitigating quantum risk in government systems. NIST's proposed timeline would deprecate 112-bit security algorithms after 2030 and disallow them after 2035, with even stronger algorithms phased out on the same schedule.

These timelines acknowledge reality: wholesale replacement of cryptographic infrastructure takes years. Public key infrastructure, smart cards, code signing certificates, and embedded systems all need updates. Some devices can receive software patches; others require physical replacement. The process is complicated by the need to maintain backward compatibility during the transition and by the sheer number of systems involved.

Organizations face a choice between immediate migration to post-quantum algorithms and hybrid approaches that combine classical and new systems. Hybrids offer redundancy—if either system fails, the other provides backup—but add complexity and computational overhead. Pure post-quantum deployment is cleaner but riskier if an algorithm proves vulnerable.

Priority goes to systems with long confidentiality requirements: VPNs, TLS connections, and especially public key infrastructure that underpins trust across the internet. Dustin Moody, a mathematician at NIST, urged administrators to "start integrating the new standards right away," emphasizing that "full integration will take time."
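A crypto-inventory check that applies the deprecation schedule and the harvest-now-decrypt-later reasoning above, added here as an example and not part of the article or any NIST tooling. The security-strength table follows NIST SP 800-57 key-size equivalences; the inventory entries are constructed, and the `crqc_year` planning date is an assumption.

```python
from dataclasses import dataclass
# Security strength in bits for quantum-vulnerable key sizes (NIST SP 800-57)
RSA_DH_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}
ECC_STRENGTH = {224: 112, 256: 128, 384: 192, 521: 256}
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA"}  # broken by Shor's algorithm
DEPRECATE_112_BIT_AFTER, DISALLOW_ALL_AFTER = 2030, 2035  # schedule in the article

@dataclass
class Asset:
    name: str
    algorithm: str     # "RSA", "ECDSA", "AES", "ML-KEM", ...
    key_bits: int
    secret_until: int  # year until which the protected data must stay confidential

def security_strength(algorithm: str, key_bits: int):
    if algorithm in ("RSA", "DH"):
        return RSA_DH_STRENGTH.get(key_bits, 0)  # unknown sizes treated as weak
    if algorithm in ("ECDH", "ECDSA"):
        return ECC_STRENGTH.get(key_bits, 0)
    if algorithm == "AES":
        return key_bits // 2  # Grover's algorithm only halves symmetric strength
    return None               # post-quantum schemes: parameter set, not key size

def assess(asset: Asset, crqc_year: int = 2030) -> dict:
    # crqc_year is an assumed planning date for a cryptanalytically relevant
    # quantum computer, the earliest of the estimates quoted in the article.
    vulnerable = asset.algorithm in QUANTUM_VULNERABLE
    strength = security_strength(asset.algorithm, asset.key_bits)
    deprecated = disallowed = None
    if vulnerable:
        disallowed = DISALLOW_ALL_AFTER
        deprecated = DEPRECATE_112_BIT_AFTER if strength <= 112 else None
    return {"name": asset.name, "quantum_vulnerable": vulnerable,
            "strength_bits": strength, "deprecated_after": deprecated,
            "disallowed_after": disallowed, "secret_until": asset.secret_until,
            # harvest now, decrypt later: ciphertext captured today becomes
            # readable once a CRQC exists, so long-lived secrets are exposed now
            "hndl_exposed": vulnerable and asset.secret_until > crqc_year}

def migration_priority(assets, crqc_year: int = 2030) -> list:
    # Vulnerable assets only: HNDL-exposed first, then longest secrecy need first
    todo = [r for r in (assess(a, crqc_year) for a in assets) if r["quantum_vulnerable"]]
    return sorted(todo, key=lambda r: (not r["hndl_exposed"], -r["secret_until"]))

INVENTORY = [  # constructed sample inventory, not real infrastructure
    Asset("vpn-gateway", "DH", 2048, 2040),
    Asset("web-tls-cert", "ECDSA", 256, 2027),
    Asset("code-signing-ca", "RSA", 3072, 2045),
    Asset("backup-archive", "AES", 256, 2050),
    Asset("pilot-hybrid-kem", "ML-KEM", 768, 2040),
]
```

Running `migration_priority(INVENTORY)` puts the code-signing CA and the VPN gateway ahead of the short-lived web certificate, matching the article's advice to start with long-confidentiality systems and PKI.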

The Invisible Breakthrough Problem

One persistent question haunts planning: could a cryptanalytically relevant quantum computer already exist in secret? The commercial incentives argue against it. Quantum computing promises over a trillion dollars in economic value through applications in drug discovery, materials science, and optimization problems. Companies like IBM, Google, and Microsoft are racing to demonstrate quantum advantage in useful applications, with every milestone announced and celebrated. The expertise required is scattered across universities and research labs worldwide. Keeping a functional system secret would mean forgoing both enormous profits and scientific recognition.

Resource requirements add another barrier. These machines need extensive infrastructure—dilution refrigerators to cool qubits to near absolute zero, sophisticated error correction systems, and teams of specialized engineers. The difficulty of maintaining secrecy around such visible requirements makes a clandestine breakthrough extremely unlikely, though not impossible.

The scenario remains troubling because the consequences are so severe. Unlike most security vulnerabilities that allow targeted attacks, a working quantum computer would simultaneously break encryption across the entire internet. Every HTTPS connection, every VPN, every digital signature would become readable. The asymmetry between the long development timeline and the instantaneous collapse of security it would trigger makes prudent preparation essential even against unlikely scenarios.

The transition to post-quantum cryptography is happening now, not because quantum computers can break today's encryption yet, but because by the time they can, it will be too late to respond. Shor's nine-page paper started a countdown. The alarm is finally going off.
