Cybersecurity

When Will Quantum Computers Break Encryption?

A practical guide to Q-Day, RSA-2048, Shor’s algorithm, resource estimates and the post-quantum migration already underway.

Written by QuantumNews Research Desk Editorially reviewed by QuantumNews Research Desk Last reviewed: 14 July 2026 18 min read

⚡ Quantum Brief

Quantum computers cannot currently break widely deployed encryption such as RSA-2048 or modern elliptic-curve cryptography. A successful attack would require a cryptographically relevant, fault-tolerant quantum computer able to run an enormous error-corrected circuit. Published resource estimates vary sharply with hardware and error-correction assumptions, so they are engineering scenarios—not arrival forecasts. There is no defensible date for Q-Day. Organisations should still migrate now: NIST has finalised its first post-quantum standards, and data collected today may remain sensitive when a capable quantum computer eventually exists.

Key takeaways

  • No publicly demonstrated quantum computer can break RSA-2048, ECC or other widely deployed public-key cryptography.
  • Shor’s algorithm threatens integer factorisation and discrete-logarithm systems; symmetric encryption is affected differently.
  • Resource estimates depend on physical error rates, code choices, connectivity, cycle time and acceptable runtime.
  • A large physical-qubit count is not equivalent to a useful logical-qubit computer.
  • NIST’s ML-KEM, ML-DSA and SLH-DSA standards are available for post-quantum migration.
  • “Harvest now, decrypt later” makes long-lived sensitive data a present-day risk.
On this pageWhat Does It Mean to Break Encryption?Can Quantum Computers Break Encryption Today?How Would Shor’s Algorithm Break RSA?How Many Qubits Would Be Required?Which Encryption Methods Are Vulnerable?Common MisconceptionsQ-Day Timeline and Migration MilestonesWhat Should Organisations Do Now?Frequently asked questions

What Does It Mean to Break Encryption?

Breaking encryption means recovering protected information or forging an authentication result without the secret key, within a useful amount of time and at an acceptable cost. The quantum risk is not uniform: different cryptographic systems rely on different mathematical problems.

RSA security relies on the difficulty of factoring a large composite integer. Elliptic-curve systems rely on discrete logarithms. A sufficiently capable fault-tolerant quantum computer running Shor’s algorithm could solve both problem classes efficiently. Symmetric ciphers and hash functions face a different, smaller class of speed-up from Grover’s algorithm.

Can Quantum Computers Break Encryption Today?

No public experiment has factored an RSA key of practical cryptographic size. Small demonstrations establish that algorithmic components can work; they do not demonstrate a scalable attack. The decisive gap is sustained, fault-tolerant logical computation.

Evidence levels should not be treated as interchangeable.
Evidence levelWhat it establishesWhat it does not establish
TheoryA quantum algorithm offers an asymptotic speed-upThat useful hardware exists
Small experimentA component works at limited scaleA cryptographically relevant attack
Error-correction milestoneLogical performance improves under stated conditionsA complete, long-running fault-tolerant system
Resource estimateA scenario is plausible under explicit assumptionsA delivery date
Cryptographic attackA deployed key is recovered or signature forgedNot publicly demonstrated for modern key sizes

How Would Shor’s Algorithm Break RSA?

Shor’s algorithm converts factoring into a period-finding problem. The quantum computer performs the period-finding subroutine, while classical computation handles preparation and post-processing.

  1. 1

    Choose a value

    Select a number related to the RSA modulus and construct a modular arithmetic problem.

  2. 2

    Create a quantum superposition

    Represent many possible inputs coherently across a quantum register.

  3. 3

    Compute modular powers

    Run a large reversible arithmetic circuit whose periodic structure encodes information about the factors.

  4. 4

    Extract the period

    Use quantum interference and a Fourier-transform procedure to make useful period information measurable.

  5. 5

    Recover the factors classically

    Use the measured period and classical number theory to derive the prime factors, repeating if necessary.

How Many Qubits Would Be Required?

There is no single stable qubit number. A 2021 peer-reviewed estimate described an eight-hour RSA-2048 factorisation scenario using roughly 20 million noisy qubits under a specific superconducting, surface-code model. A 2025 preprint reduced the scenario to fewer than one million noisy qubits with a runtime under a week by changing circuit and error-correction assumptions.

These results demonstrate the sensitivity of resource accounting to architecture and compilation. They should not be read as forecasts that a machine will arrive on a corresponding schedule.

Resource figures are scenarios built on different assumptions, not directly comparable product specifications.
RequirementCurrent public systemsCryptographic attack scenario
Physical qubitsHundreds to low thousands in many gate-model systemsPublished estimates range from below one million to tens of millions
Logical computationEarly demonstrations with limited scale and durationThousands of reliable logical qubits plus large ancillary factories
Error correctionExperimental and rapidly improvingSustained operation throughout a very deep circuit
RuntimeShort circuits constrained by noiseHours or days in particular estimates
System scopeProcessor milestonesProcessor, decoder, control stack, cryogenics and classical support working together

Which Encryption Methods Are Vulnerable?

Public-key encryption, key exchange, digital signatures, symmetric encryption and hashing need separate treatment. Saying that quantum computing “breaks encryption” obscures these important differences.

SystemQuantum effectPractical response
RSAShor’s algorithm can factor the public modulusReplace with post-quantum key establishment/signatures
ECC / ECDH / ECDSAShor’s algorithm can solve the elliptic-curve discrete logarithm problemReplace with post-quantum alternatives
AES-128Grover’s algorithm gives a quadratic brute-force speed-up in the ideal modelUse appropriate key sizes and system-level guidance
AES-256Retains a large security margin against generic Grover searchGenerally regarded as a quantum-resistant symmetric choice
Hash functionsGeneric preimage search can receive a quadratic speed-upUse adequate output lengths and current standards

Common Misconceptions

Myth

Quantum computers try every key at once.

Quantum algorithms manipulate amplitudes and interference. Measurement does not reveal every computed branch.

Myth

A million physical qubits means RSA is broken.

Qubit quality, connectivity, error correction, logical operations and total system throughput all matter.

Myth

Larger RSA keys solve the transition problem.

They increase resource requirements but remain in the problem class targeted by Shor’s algorithm.

Myth

Migration can wait until Q-Day is predicted.

Cryptographic inventories, protocol changes, vendor dependencies and long-lived data require years of preparation.

Q-Day Timeline and Migration Milestones

This timeline distinguishes confirmed developments from future claims. No entry supplies a reliable Q-Day date.

  1. Shor’s algorithm proposed

    Established an efficient quantum route to factoring and discrete logarithms.

  2. Detailed RSA-2048 resource estimate published

    A peer-reviewed surface-code study estimated 20 million noisy qubits for an eight-hour scenario.

  3. First NIST PQC standards finalised

    FIPS 203, 204 and 205 standardised ML-KEM, ML-DSA and SLH-DSA.

  4. HQC selected and factoring estimate revised

    NIST chose HQC as a backup KEM candidate; a new preprint reported a sub-million-qubit RSA-2048 scenario.

  5. Migration and fault-tolerance engineering continue

    Industry roadmaps remain targets. Public evidence does not show a cryptographically relevant quantum computer.

  6. Major transition horizon

    U.S. transition guidance targets removal of quantum-vulnerable algorithms from standards on this timescale, with high-risk systems moving earlier.

What Should Organisations Do Now?

The rational response is crypto-agility, not panic. Organisations can reduce present exposure without pretending to know the Q-Day date.

  1. 1

    Inventory cryptography

    Map algorithms, keys, certificates, protocols, libraries, embedded systems and vendor dependencies.

  2. 2

    Classify data lifetime

    Prioritise information that must remain confidential for many years.

  3. 3

    Plan for crypto-agility

    Make algorithms and key formats replaceable without rebuilding entire systems.

  4. 4

    Test standardised PQC

    Evaluate ML-KEM, ML-DSA and SLH-DSA in realistic protocols, devices and performance conditions.

  5. 5

    Track suppliers and standards

    Require migration plans and evidence from vendors; keep implementations aligned with current guidance.

Frequently asked questions

What is Q-Day?

Q-Day is an informal term for the point when a quantum computer can break cryptography that protects real systems, especially RSA and elliptic-curve public-key schemes. It has no agreed date or single technical threshold.

Can quantum computers break Bitcoin?

A sufficiently capable fault-tolerant quantum computer could threaten the elliptic-curve signatures used to authorise Bitcoin transactions. That does not mean current quantum processors can steal Bitcoin, and protocol migration options depend on which public keys are exposed and how the network coordinates changes.

Can quantum computers break AES-256?

Grover’s algorithm gives an ideal quadratic speed-up for generic key search, which is much less dramatic than Shor’s exponential impact on RSA and ECC. AES-256 retains a large generic security margin, though complete system design and implementation still matter.

How long would it take to break RSA-2048?

Only conditional estimates exist. Published scenarios range from hours to days or longer, depending on the number and quality of physical qubits, error-correction code, cycle speed, connectivity, decoder performance and architecture. There is no machine today that meets those assumptions.

Is post-quantum cryptography available today?

Yes. NIST finalised FIPS 203, FIPS 204 and FIPS 205 in August 2024. They specify ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures. Deployment still requires implementation testing, protocol integration and operational planning.

Why migrate before a powerful quantum computer exists?

Migration across large estates takes years, and attackers can collect encrypted data now for later decryption. Early work also exposes hidden cryptographic dependencies and improves the ability to change algorithms when standards or threats evolve.

Methodology

QuantumNews compares primary standards, government migration guidance and technical resource-estimation papers. Qubit counts are reported with their architecture and runtime assumptions; preprints are labelled separately from peer-reviewed work. Company roadmap targets are not treated as completed capabilities. Current status was checked against public evidence, not confidential claims.

Update history

14 July 2026Initial editorial draft created with current NIST standards and RSA-2048 resource estimates.

Corrections

Found an error or newer technical evidence? Contact the QuantumNews editorial team.

References

  1. Announcing Approval of Three Federal Information Processing Standards for Post-Quantum Cryptography NIST
  2. Post-Quantum Cryptography Project NIST CSRC
  3. Quantum-Readiness: Migration to Post-Quantum Cryptography CISA, NSA and NIST
  4. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits Quantum
  5. How to factor 2048 bit RSA integers with less than a million noisy qubits Google Quantum AI / arXiv preprint