In 1995, a mathematician at Bell Labs named Peter Shor published an algorithm that would eventually trigger a global security crisis. The algorithm proved that a sufficiently powerful quantum computer could crack RSA encryption—the foundation securing everything from bank transfers to state secrets—in hours rather than the billions of years it would take conventional computers. Three decades later, we're watching that theoretical threat inch toward reality.
The Quantum Advantage Nobody Wanted
Quantum computers exploit the strange behavior of particles at atomic scales. Unlike classical bits that exist as either 0 or 1, quantum bits—qubits—can exist in multiple states simultaneously through a property called superposition. Add in entanglement, where qubits influence each other instantaneously, and you've got a machine that can explore vast numbers of possibilities at once.
This matters for encryption because current systems like RSA rely on mathematical problems that are easy in one direction but brutally hard in reverse. Multiplying two large prime numbers takes seconds. Factoring the result back into those primes? That would take today's supercomputers longer than the age of the universe. RSA's security rests entirely on this asymmetry.
Shor's algorithm demolishes it. The algorithm identifies hidden periodic patterns in the factoring problem that quantum computers can detect through a process called quantum phase estimation. What makes RSA practically unbreakable for classical computers becomes tractable for quantum ones. The timeline for when this theoretical capability becomes real has suddenly compressed.
Willow Changes the Calculus
On December 9, 2024, Google unveiled Willow, a quantum chip that performed a benchmark calculation in under five minutes. The same task would take the world's fastest supercomputer 10 septillion years—a 1 followed by 25 zeros, a span longer than the universe has existed.
More significant than the raw speed was Willow's achievement in error correction. Quantum systems are notoriously fragile; environmental noise causes qubits to lose their quantum properties almost immediately. For 30 years, researchers struggled with a brutal truth: adding more qubits typically meant more errors, not more computing power.
Willow crossed a threshold. Google's team demonstrated that scaling from a 3x3 array to a 5x5 to a 7x7 grid of qubits actually cut error rates in half at each step. This "below threshold" performance means that larger quantum computers can now be more reliable, not less. The path from today's noisy prototypes to machines with thousands or millions of qubits—the scale needed to threaten encryption—just became visible.
Harvest Now, Decrypt Later
Intelligence agencies and security researchers call it HNDL: "Harvest Now, Decrypt Later." Adversaries are already collecting encrypted data with no current ability to read it. They're betting that quantum computers capable of running Shor's algorithm will arrive before that data loses value.
For information with long shelf lives, this is an active crisis. Medical records remain sensitive for decades. State secrets retain value for years. Even financial data can be exploited long after a transaction clears if it reveals patterns or relationships. The encryption protecting this data today offers no protection against tomorrow's quantum computers.
The threat is geopolitical as much as technical. Whichever nation or entity develops a cryptographically relevant quantum computer first gains a temporary but potentially decisive advantage. Every rival's historical communications become an open book. The incentive to move first—and to move quietly—is enormous.
The Lattice Defense
In August 2024, after an eight-year effort evaluating 82 algorithms from 25 countries, the National Institute of Standards and Technology released three post-quantum cryptography standards. Unlike RSA, these algorithms don't rely on factoring or other problems with hidden periodic structures that quantum computers can exploit.
Most use lattice-based mathematics. Imagine a multi-dimensional grid of points. Lattice problems involve finding the shortest path between points in these high-dimensional spaces—a challenge that lacks the regular structure Shor's algorithm exploits. Even quantum computers face exponential difficulty here.
The three primary standards are ML-KEM for key encapsulation, ML-DSA for digital signatures using lattice mathematics, and SLH-DSA using hash functions. NIST is developing about 15 additional algorithms as backups, recognizing that cryptographic standards need redundancy. If one approach fails, alternatives must be ready.
NIST urged immediate implementation. Not because quantum computers can break current encryption today, but because the transition will take years. Every system, every protocol, every piece of software that relies on RSA or similar algorithms needs updating. Banks, hospitals, governments, and tech companies must coordinate a wholesale replacement of cryptographic infrastructure.
The Implementation Gap
Here's the uncomfortable reality: we have the mathematical tools to resist quantum attacks, but deploying them is a logistical nightmare. Legacy systems run encryption deep in their architecture. Replacing it means updating not just software but hardware, retraining personnel, and ensuring backward compatibility during the transition. For organizations running critical infrastructure, any disruption risks cascading failures.
Google announced in March 2026 that it was accelerating its post-quantum migration timeline—a tacit acknowledgment that the threat window is closing faster than anticipated. The company that built Willow understands better than most how quickly quantum capabilities are advancing.
Meanwhile, the gap between quantum computing development and cryptographic deployment creates a dangerous window. If a state actor or well-funded group achieves a breakthrough before post-quantum standards are widely implemented, the consequences extend far beyond theoretical security papers. Financial systems could be compromised. Secure communications could be intercepted. Digital signatures verifying everything from software updates to legal documents could be forged.
When Math Becomes Obsolete
The quantum encryption race reveals an uncomfortable dependency: modern digital civilization rests on the assumption that certain math problems are hard. Not impossible—just computationally expensive enough that breaking them isn't worth the effort. Quantum computing doesn't change the mathematics. It changes what counts as expensive.
The transition to post-quantum cryptography isn't just a technical upgrade. It's an admission that our security model has an expiration date, and we're racing to replace it before that date arrives. Whether we're moving fast enough remains an open question. The organizations harvesting encrypted data today are betting we're not.