Quantum Computing Cryptography FAQ

The quantum computing cryptography FAQ you'll find below covers every serious question surrounding quantum threats to modern encryption, from how Shor's algorithm actually breaks RSA to which NIST-standardised algorithms replace it and what timeline analysts consider realistic for a cryptographically relevant quantum computer. If you hold cryptocurrency, run a blockchain application, or simply want to understand how quantum computing reshapes digital security, this page delivers accurate, mechanism-level answers without hype or hand-waving.

What Is Quantum Computing and Why Does It Matter for Cryptography?

Quantum computing uses the principles of quantum mechanics, specifically superposition and entanglement, to perform certain calculations exponentially faster than classical computers. For most everyday tasks, this speed advantage is irrelevant. For cryptography, however, the implications are profound: several algorithms that underpin modern internet security are provably vulnerable to quantum attacks.

How a quantum computer differs from a classical one

A classical bit is either 0 or 1. A quantum bit, or qubit, can exist in a superposition of both states simultaneously. When multiple qubits are entangled, a quantum processor can evaluate enormous numbers of possibilities in parallel. This is not magic; it is a consequence of interference: quantum algorithms amplify paths that lead to correct answers and cancel paths that do not.

Why cryptographers are paying attention now

Most current public-key cryptography relies on mathematical problems that are computationally hard for classical computers: integer factorisation (RSA), discrete logarithm (Diffie-Hellman), and elliptic-curve discrete logarithm (ECDSA, used in Bitcoin and Ethereum). Quantum algorithms can solve these problems in polynomial time, collapsing the security assumptions that protect trillions of dollars in digital assets and communications.

---

Core Quantum Algorithm Questions

What is Shor's algorithm and what does it break?

Shor's algorithm, published by Peter Shor in 1994, finds the prime factors of a large integer in polynomial time on a quantum computer, and the same period-finding technique solves discrete logarithms. This directly breaks:

  1. RSA (integer factorisation)
  2. Diffie-Hellman and ECDH key exchange (discrete logarithm)
  3. ECDSA signatures, as used in Bitcoin and Ethereum (elliptic-curve discrete logarithm)

A sufficiently powerful quantum computer running Shor's algorithm could derive the private key from any exposed public key in hours or minutes rather than billions of years.
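To make the mechanism concrete, here is an added example (not code from the original page) of the classical half of Shor's algorithm on the textbook toy modulus 3233 = 53 × 61 with e = 17. The only step a quantum computer accelerates is finding the period r of a^x mod n; the brute-force `multiplicative_order` below stands in for the quantum circuit and is feasible only because n is tiny. Everything after that step (splitting n via gcd, then deriving d from p and q) is ordinary number theory, which is why an exposed RSA public key becomes equivalent to its private key once period-finding is cheap.

```python
# Added example: the classical half of Shor's algorithm on a toy RSA modulus.
# Only multiplicative_order() is what a quantum computer speeds up; everything
# else is ordinary number theory. Parameters (n = 3233 = 53 * 61, e = 17) are
# the usual textbook toy key, far too small to say anything about real RSA.
from math import gcd
import random


def multiplicative_order(a: int, n: int) -> int:
    """Return the period r of f(x) = a^x mod n, i.e. the least r with a^r = 1.

    Shor's quantum circuit finds r with the quantum Fourier transform in
    polynomial time. This brute-force loop stands in for it and is only
    feasible because n is tiny. Requires gcd(a, n) == 1, otherwise no r exists.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def split_from_order(n: int, a: int):
    """Try to factor n from the period of a (gcd(a, n) must be 1).

    If r is even and a^(r/2) is a non-trivial square root of 1 mod n, then
    gcd(a^(r/2) - 1, n) is a proper factor. About half of all bases work.
    Returns (p, q) sorted, or None if this base is unlucky.
    """
    r = multiplicative_order(a, n)
    if r % 2 == 1:
        return None                      # odd period: try another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial root (-1): try another base
    p = gcd(y - 1, n)
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    return None


def shor_factor(n: int, seed: int = 1):
    """Repeat with random bases until one splits n. Terminates quickly for an
    RSA-style n = p*q with distinct odd primes."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return tuple(sorted((g, n // g)))   # lucky: a shares a factor with n
        split = split_from_order(n, a)
        if split is not None:
            return split


def rsa_private_exponent(n: int, e: int) -> int:
    """Recover d from the public key (n, e) alone: once the factors are known,
    d is the modular inverse of e modulo (p-1)(q-1)."""
    p, q = shor_factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)               # modular inverse, Python >= 3.8


if __name__ == "__main__":
    n, e = 3233, 17                      # toy textbook key: 3233 = 53 * 61
    d = rsa_private_exponent(n, e)
    m = 42
    print("factors:", shor_factor(n), "d =", d)
    print("round trip ok:", pow(pow(m, e, n), d, n) == m)
```

The round-trip check at the end is the whole point: the recovered d decrypts what was encrypted under (n, e), so nothing about the ciphertext itself needed to be attacked.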

What is Grover's algorithm and what does it break?

Grover's algorithm provides a quadratic speedup for searching an unstructured database. Applied to symmetric ciphers and hash functions (AES, SHA-2, SHA-3), it effectively halves the bit-security level. AES-128 drops to roughly 64-bit effective security; AES-256 drops to 128-bit security. The fix is straightforward: double your key length. AES-256 and SHA-384/SHA-512 are considered quantum-resistant for symmetric use cases.

Is quantum computing a threat to blockchain?

Yes, but in a nuanced way. The threat is specifically to public-key cryptography used in signing transactions and deriving addresses. If your public key is exposed on-chain (which it is for any address that has spent funds), a quantum adversary running Shor's algorithm could forge your signature and drain your wallet. The hash functions securing the blockchain's Merkle tree structure and proof-of-work are weakened by Grover's but not broken outright.

---

Timeline and "Q-Day" Questions

What is Q-Day?

Q-Day (sometimes written Q-day) is the hypothetical future date when a cryptographically relevant quantum computer (CRQC) exists: a machine powerful enough to run Shor's algorithm against real-world RSA-2048 or 256-bit elliptic-curve keys within a practical timeframe. At that point, any unprotected private key whose corresponding public key is on record becomes retrospectively derivable.

When will Q-Day arrive?

No consensus exists on a precise date. Here is a summary of analyst positions as of 2025:

| Forecast Source | Estimated CRQC Arrival | Key Assumption |
|---|---|---|
| NIST (2022 report) | 2030–2040 | Requires ~4,000 logical (error-corrected) qubits for RSA-2048 |
| IBM internal roadmap | Mid-2030s | Assumes continued error-correction progress |
| NCSC (UK) | "Within 10–15 years" | Cautious government planning horizon |
| Academic pessimists | Post-2040 | Decoherence and error rates remain hard problems |
| Academic optimists | Late 2020s (narrow scenario) | Algorithmic breakthroughs in error correction |

The honest answer: migration to post-quantum cryptography should be treated as a near-term infrastructure project, not a distant theoretical concern, because migration takes years and adversaries may already be harvesting encrypted data for later decryption ("harvest now, decrypt later").

What is "harvest now, decrypt later"?

Nation-state and well-resourced adversaries can record encrypted traffic or blockchain transactions today, store the ciphertext, and decrypt it once a CRQC exists. For long-lived secrets (government documents, private keys holding dormant wallets) this is a concrete threat even before Q-Day arrives.

---

Post-Quantum Cryptography (PQC) Questions

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to classical (non-quantum) cryptographic algorithms that are believed to be secure against both classical and quantum attacks. These algorithms run on today's hardware; they do not require a quantum computer to execute. The goal is to replace quantum-vulnerable algorithms with PQC equivalents before CRQCs appear.

What mathematical problems does PQC rely on?

PQC candidates draw on problems for which no efficient quantum algorithm is currently known. The two families behind NIST's 2024 standards are:

  1. Lattice problems (Learning With Errors, Short Integer Solution, NTRU): the basis of ML-KEM, ML-DSA and FN-DSA.
  2. Hash-function properties (preimage and collision resistance): the basis of SLH-DSA.

What algorithms did NIST standardise in 2024?

After an eight-year competition, NIST finalised its first post-quantum cryptography standards in August 2024:

| Standard Name | Basis | Use Case |
|---|---|---|
| **ML-KEM** (formerly CRYSTALS-Kyber) | Module lattice (Module-LWE) | Key encapsulation / key exchange |
| **ML-DSA** (formerly CRYSTALS-Dilithium) | Module lattice | Digital signatures |
| **SLH-DSA** (formerly SPHINCS+) | Hash-based (stateless) | Digital signatures |
| **FN-DSA** (formerly FALCON) | NTRU lattice | Digital signatures (compact) |

These are the authoritative replacements for RSA and ECDSA in new systems. NIST also continues evaluating additional candidates for diversity.

What is lattice-based cryptography?

Lattice cryptography constructs security around geometric problems in high-dimensional integer lattices. The two dominant hard problems are:

  1. Learning With Errors (LWE): distinguish noisy linear equations from random data. Finding the secret requires solving a problem believed hard even for quantum computers.
  2. Short Integer Solution (SIS): find a short integer vector satisfying a linear equation over a lattice.

Lattice schemes are efficient, have small key sizes compared to earlier PQC candidates, and support advanced constructions such as fully homomorphic encryption (FHE).
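The following is an added example, not code from the page or from any NIST scheme: a toy Regev-style LWE encryption of a single bit, written to show what "noisy linear equations" means in practice. The public key is a matrix A together with b = A·s + e mod q, where e is a small error vector; without e, s would fall out of Gaussian elimination. The parameters (n = 16, k = 48 equations, q = 3329, errors in {-1, 0, 1}) are chosen for readability only and are nowhere near secure; ML-KEM uses larger, carefully analysed parameters and a module structure, but the correctness argument in `decrypt` is the same idea.

```python
# Added example: a toy Regev-style LWE public-key encryption of one bit.
# Parameters are for illustration only, not security.
import random

N_DIM = 16        # dimension of the secret vector s
K_SAMPLES = 48    # number of noisy equations published in the public key
Q = 3329          # modulus


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def keygen(rng):
    """Public key: (A, b = A*s + e mod q). Secret key: s.
    Without the error e, b = A*s would be solvable by Gaussian elimination."""
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    A = [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(K_SAMPLES)]
    e = [rng.choice((-1, 0, 1)) for _ in range(K_SAMPLES)]
    b = [(dot(row, s) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Pick a random subset of the public equations and add them up; encode the
    bit as 0 or q/2 in the sum. Returns the ciphertext (u, v)."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(K_SAMPLES)]
    u = [dot(r, [A[j][i] for j in range(K_SAMPLES)]) % Q for i in range(N_DIM)]
    v = (dot(r, b) + bit * (Q // 2)) % Q
    return u, v


def centred(x):
    """Map x mod q into the range (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def decrypt(s, ct):
    """v - <u, s> = <r, e> + bit*q/2 (mod q). The noise |<r, e>| is at most k,
    far below q/4, so the bit is recovered by checking which half d lands in."""
    u, v = ct
    d = centred(v - dot(u, s))
    return 1 if abs(d) > Q // 4 else 0


def residuals(pk, candidate):
    """Centred b - A*candidate for each equation. For the true secret every
    entry is in {-1, 0, 1}; for a wrong guess they look uniform in Z_q.
    Telling these apart is the LWE decision problem."""
    A, b = pk
    return [centred(b_j - dot(row, candidate)) for row, b_j in zip(A, b)]


def is_plausible_secret(pk, candidate):
    return all(abs(x) <= 1 for x in residuals(pk, candidate))


def roundtrip(bits, seed=7):
    """Constructed demo: encrypt each bit under one key and decrypt it."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return [decrypt(sk, encrypt(pk, bit, rng)) for bit in bits]


def distinguish_demo(seed=3):
    """Returns (verdict for the true secret, verdict for a random guess)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    guess = [rng.randrange(Q) for _ in range(N_DIM)]
    return is_plausible_secret(pk, sk), is_plausible_secret(pk, guess)


if __name__ == "__main__":
    print("roundtrip:", roundtrip([0, 1, 1, 0, 1]))
    print("plausible (true secret, random guess):", distinguish_demo())
```

Decryption works because the error contribution ⟨r, e⟩ is bounded by the number of equations (48) while the bit is encoded at distance q/2 ≈ 1664; an attacker who guesses s sees residuals spread over all of Z_q instead of {-1, 0, 1}.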

What is hash-based cryptography?

Hash-based signature schemes such as SPHINCS+ build digital signatures using only cryptographic hash functions. Their security is reducible to standard properties (collision resistance, preimage resistance) of the underlying hash function. They are conservative and well-understood but produce larger signature sizes than lattice alternatives.
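As an added illustration (not the page's or SPHINCS+'s own code), here is a Lamport one-time signature built from SHA-256 alone. It shows both points above concretely: security reduces to preimage resistance of the hash, and signatures are large (8 KiB for 256 message bits, with 16 KiB keys). It also shows why each key may sign only once: every signature reveals half of the secret values, so SLH-DSA wraps many such one-time keys in a hash tree under a single long-term public key.

```python
# Added example: a Lamport one-time signature over SHA-256.
import hashlib
import secrets

HASH_BITS = 256


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def keygen():
    """Secret key: 256 pairs of random 32-byte values (16 KiB).
    Public key: the hash of each value (also 16 KiB)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(h(x0), h(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For each message bit, reveal the secret value for that bit (8 KiB)."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Valid iff hashing each revealed value gives the published hash for
    the corresponding message bit. Only preimage resistance is assumed."""
    if len(signature) != HASH_BITS:
        return False
    bits = message_bits(message)
    return all(h(signature[i]) == pk[i][bits[i]] for i in range(HASH_BITS))


def revealed_count(signed):
    """Number of distinct secret values exposed by a list of (message,
    signature) pairs under one key. One signature reveals exactly 256 of the
    512 values; a second signature on a different message reveals more,
    which is why a Lamport key must never be reused."""
    seen = set()
    for message, _signature in signed:
        for i, bit in enumerate(message_bits(message)):
            seen.add((i, bit))
    return len(seen)


def signature_size_bytes(signature) -> int:
    return sum(len(x) for x in signature)


if __name__ == "__main__":
    sk, pk = keygen()
    m1 = b"constructed sample message 1"      # constructed inputs
    m2 = b"constructed sample message 2"
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), "size:", signature_size_bytes(s1), "bytes")
    print("wrong message:", verify(pk, m2, s1))
    print("secret values exposed after two signatures:",
          revealed_count([(m1, s1), (m2, sign(sk, m2))]), "of 512")
```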

---

Practical Implications for Cryptocurrency and Wallets

Are Bitcoin and Ethereum wallets currently quantum-vulnerable?

Partially. The vulnerability depends on whether your public key has been exposed:

  1. Exposed public key: any address that has spent funds has placed its public key on-chain in the spending transaction. A CRQC running Shor's algorithm could derive the private key from it.
  2. Unexposed public key: an address that has only received funds (pay-to-public-key-hash) shows only a hash of the public key on-chain. Shor's algorithm needs the key itself, so such an address is protected until its first spend.

Best practice already recommended by security researchers: use each address only once and migrate to PQC-secured wallets before Q-Day.

What does a quantum-resistant crypto wallet do differently?

A quantum-resistant wallet replaces ECDSA key generation and signing with a NIST-standardised PQC algorithm, typically a lattice-based scheme such as ML-DSA or a hash-based scheme such as SLH-DSA. The wallet software generates key pairs whose security does not rest on the elliptic-curve discrete logarithm problem. Projects in this space, such as BMIC.ai, align their cryptographic layer with NIST PQC standards to protect users' holdings against future quantum attacks.

Can existing blockchains upgrade to post-quantum cryptography?

Yes, but it requires a hard fork and broad community consensus. The upgrade involves replacing the signature scheme at the protocol level, migrating existing UTXOs or account balances to new PQC-secured addresses, and updating all wallet software. Several research groups and blockchain projects are actively drafting migration paths. The Ethereum Foundation has discussed quantum-resistant account abstraction; Bitcoin's path is less defined given its conservative governance.

What should a crypto holder do right now?

  1. Audit address reuse: check whether any addresses with significant balances have already spent funds (exposing their public keys).
  2. Move funds to fresh addresses: where possible, consolidate to addresses whose public keys have never appeared on-chain.
  3. Monitor PQC wallet developments: wallets implementing NIST-standardised algorithms are beginning to emerge.
  4. Do not panic-sell: Q-Day is not imminent according to mainstream estimates, but preparation time is limited because blockchain migrations are slow.
  5. Treat long-term cold storage differently from hot wallets: cold wallets with unexposed public keys are lower-risk in the near term.
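Step 1 can be automated. The following added example (not from the page, and not any wallet's real code) runs an address-exposure audit over a constructed ledger. The ledger format is a simplification invented for this example: each transaction lists the (address, amount) inputs it spends, which the address's key must sign and therefore reveals, and the (address, amount) outputs it creates. An address is flagged as at risk when it has ever signed an input and still holds a balance; note that `addr_A` is caught because it received change back to itself, the everyday reuse pattern that exposes keys.

```python
# Added example: an "address reuse" audit over a constructed ledger.
# The ledger model is a simplification made up for this example.
from collections import defaultdict

# Constructed sample ledger; amounts are integer base units.
SAMPLE_LEDGER = [
    {"txid": "tx1", "inputs": [],
     "outputs": [("addr_A", 500), ("addr_B", 200)]},
    {"txid": "tx2", "inputs": [("addr_A", 500)],                 # A signs: key exposed
     "outputs": [("addr_C", 300), ("addr_A", 200)]},             # change back to A
    {"txid": "tx3", "inputs": [("addr_B", 200)],                 # B signs, spends all
     "outputs": [("addr_D", 200)]},
]


def audit(ledger):
    """Return {address: {"balance": int, "exposed": bool, "at_risk": bool}}.

    exposed: the address's key has signed at least one input, so its public
             key is on-chain and derivable by a future CRQC.
    at_risk: exposed and still holding funds; these are the addresses to
             migrate to fresh, never-spent-from addresses.
    """
    balance = defaultdict(int)
    exposed = set()
    for tx in ledger:
        for addr, amount in tx["inputs"]:
            balance[addr] -= amount
            exposed.add(addr)
        for addr, amount in tx["outputs"]:
            balance[addr] += amount
    report = {}
    for addr in sorted(balance):
        is_exposed = addr in exposed
        report[addr] = {
            "balance": balance[addr],
            "exposed": is_exposed,
            "at_risk": is_exposed and balance[addr] > 0,
        }
    return report


def at_risk_addresses(ledger):
    """Addresses that both hold funds and have an exposed public key."""
    return [addr for addr, info in audit(ledger).items() if info["at_risk"]]


if __name__ == "__main__":
    for addr, info in audit(SAMPLE_LEDGER).items():
        print(f"{addr}: balance={info['balance']} exposed={info['exposed']} "
              f"at_risk={info['at_risk']}")
    print("migrate first:", at_risk_addresses(SAMPLE_LEDGER))
```

The unexposed, funded addresses (`addr_C`, `addr_D`) are the ones step 2 recommends consolidating into; `addr_B` is exposed but empty, so there is nothing left to protect.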

---

Cryptographic Mechanisms: Deeper Questions

What is the difference between quantum cryptography and post-quantum cryptography?

These are frequently confused:

| Term | What It Is | Example |
|---|---|---|
| **Quantum cryptography** | Uses quantum mechanical phenomena to perform cryptographic tasks | Quantum Key Distribution (QKD) |
| **Post-quantum cryptography** | Classical algorithms resistant to quantum attacks, run on standard hardware | ML-KEM, SPHINCS+ |

QKD distributes symmetric keys using photon polarisation states; eavesdropping disturbs the quantum states and is detectable. It is a hardware-dependent point-to-point solution and cannot replace public-key infrastructure at internet scale without significant infrastructure investment. PQC is a software upgrade.

What is Quantum Key Distribution (QKD)?

QKD uses quantum properties to establish a shared secret key between two parties such that any interception is physically detectable. The BB84 protocol (Bennett and Brassard, 1984) encodes bits in the polarisation states of individual photons. Because measuring a quantum state disturbs it, eavesdropping leaves a detectable signature in the error rate of the received signal. QKD is unconditionally secure in theory but limited by practical factors: photon loss over distance, requirement for dedicated fibre or satellite links, and inability to route through standard internet infrastructure.
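To show the BB84 mechanics end to end, here is an added classical simulation (not code from the page, and not real QKD software): Alice prepares each photon in a random basis, Bob measures in a random basis, the two publicly compare bases and keep only the matching positions (sifting), and then estimate the error rate. An optional intercept-resend eavesdropper measures in a random basis and re-sends, which introduces errors in about a quarter of the sifted bits; that raised error rate is the "detectable signature" described above. Photon loss and detector noise are ignored, and the 11% abort threshold is a parameter of the demo rather than a property of any real system.

```python
# Added example: a classical simulation of BB84 sifting and eavesdropper
# detection. "+" and "x" stand for the rectilinear and diagonal bases.
import random

BASES = "+x"


def bb84(n_photons: int, eavesdrop: bool, seed: int = 2024):
    """Run one BB84 exchange and return (alice_key, bob_key, qber)."""
    rng = random.Random(seed)

    # Alice: random bit and random basis per photon
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))

    # Intercept-resend eavesdropper: measures in a random basis and re-sends a
    # photon prepared in that basis. A wrong basis gives a random outcome,
    # which later shows up as errors in the sifted key.
    if eavesdrop:
        resent = []
        for bit, basis in photons:
            eve_basis = rng.choice(BASES)
            eve_bit = bit if eve_basis == basis else rng.randrange(2)
            resent.append((eve_bit, eve_basis))
        photons = resent

    # Bob: random basis per photon; a wrong basis gives a random result
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [bit if basis == bob_basis else rng.randrange(2)
                for (bit, basis), bob_basis in zip(photons, bob_bases)]

    # Sifting over the public channel: keep positions where bases agree.
    # Only the bases are announced; the bit values are never sent.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimate: a real system compares a random sample of the sifted
    # key publicly and discards it; here the whole key is compared.
    if not keep:
        return alice_key, bob_key, 0.0
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return alice_key, bob_key, errors / len(keep)


def accept_key(qber: float, threshold: float = 0.11) -> bool:
    """Abort when the quantum bit error rate exceeds the tolerated threshold.
    The 0.11 default is the commonly quoted BB84 figure and is an assumption
    of this demo; a deployed system derives it from its own error model."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        a_key, b_key, qber = bb84(2000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted {len(a_key)} bits, "
              f"QBER={qber:.3f}, accept={accept_key(qber)}")
```

Without an eavesdropper the sifted keys agree exactly, because Bob's result is deterministic whenever his basis matches Alice's; with intercept-resend, Eve guesses wrong half the time and Bob then gets a random bit half of those times, giving the expected 25% error rate that trips the abort check.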

What is the difference between symmetric and asymmetric encryption under quantum threat?

| Scheme Type | Examples | Quantum Threat | Mitigation |
|---|---|---|---|
| Asymmetric (public-key) | RSA, ECDSA, ECDH | Broken by Shor's algorithm | Replace with PQC algorithms |
| Symmetric | AES, ChaCha20 | Weakened by Grover's algorithm | Double key length (use AES-256+) |
| Hash functions | SHA-256, SHA-3 | Weakened by Grover's algorithm | Use SHA-384 / SHA-512 |

What is a cryptographically relevant quantum computer (CRQC)?

A CRQC is a quantum computer capable of running Shor's algorithm against real-world key sizes (RSA-2048, 256-bit ECC) within a practical time window, typically hours. Achieving this requires not just many physical qubits but enough logical (error-corrected) qubits, each of which consumes many physical qubits. Current best estimates suggest RSA-2048 requires approximately 4,000 logical qubits, which in turn requires millions of physical qubits given current error rates. The largest publicly known systems in 2025 operate in the hundreds to low thousands of physical qubits with error rates still too high for large-scale Shor runs.

What is quantum error correction and why does it matter?

Real qubits are fragile and prone to decoherence: interaction with the environment causes them to lose their quantum state. Quantum error correction encodes one logical qubit across many physical qubits, allowing errors to be detected and corrected without measuring the underlying quantum state (which would collapse it). The surface code is the leading error-correction scheme; it requires roughly 1,000 physical qubits per logical qubit at current error rates. This overhead is the primary reason CRQCs capable of running Shor's algorithm remain years away.

---

Standards, Governance, and Migration

Which standards bodies are leading PQC adoption?

How long does cryptographic migration typically take?

Historical precedent is sobering. The migration from DES to AES (announced 2001, finalised 2002) took over a decade to achieve broad deployment. The SHA-1 deprecation process stretched from NIST's 2011 guidance to complete browser removal in 2017. PQC migration is arguably more complex because it touches every layer of the stack: TLS handshakes, certificate authorities, firmware signing, hardware security modules, and blockchain protocols. Starting now is not premature.

---

Summary: Key Takeaways

Frequently Asked Questions

Will quantum computers break Bitcoin?

A cryptographically relevant quantum computer running Shor's algorithm could derive the private key from any Bitcoin address whose public key is publicly visible on-chain. Addresses that have never sent a transaction and use pay-to-public-key-hash (P2PKH) format keep the public key hidden until first spend, offering a degree of protection. However, the Bitcoin protocol itself would need a hard-fork upgrade to post-quantum signature schemes to be secure long-term. No such upgrade has been finalised as of 2025.

What is the difference between post-quantum cryptography and quantum cryptography?

Post-quantum cryptography (PQC) refers to classical mathematical algorithms, such as lattice-based or hash-based schemes, that run on standard hardware and are believed to resist quantum attacks. Quantum cryptography uses actual quantum mechanical phenomena, most notably Quantum Key Distribution (QKD), to perform cryptographic tasks. PQC is a software-layer upgrade deployable across the internet; QKD requires specialised hardware and dedicated communication links.

Which NIST post-quantum algorithms should I look for in new cryptographic products?

The four NIST-standardised PQC algorithms finalised in 2024 are: ML-KEM (key encapsulation, based on Module-LWE lattices), ML-DSA (digital signatures, lattice-based), SLH-DSA (digital signatures, stateless hash-based), and FN-DSA (digital signatures, NTRU lattice). Any new product claiming quantum resistance should specify which of these it implements, or provide a rigorous justification for any alternative.

Is AES-256 safe from quantum computers?

Yes, for practical purposes. Grover's algorithm reduces AES-256's effective security from 256 bits to approximately 128 bits, which remains computationally infeasible to brute-force. AES-128, however, would drop to roughly 64-bit effective security, which is marginal. Security professionals recommend AES-256 or stronger for any data that must remain confidential beyond the Q-Day horizon.

What is 'harvest now, decrypt later' and should I be worried?

Harvest now, decrypt later describes a strategy where an adversary records encrypted data or blockchain transactions today, stores them, and decrypts them once a CRQC becomes available. For most consumer crypto holders, the immediate risk is low because the computational cost remains prohibitive. For large dormant wallets, sensitive long-lived secrets, or any data with multi-decade confidentiality requirements, this is a genuine and current threat that justifies migration to PQC now rather than waiting.

How many qubits are needed to break real-world cryptography?

Breaking RSA-2048 requires approximately 4,000 logical (error-corrected) qubits running Shor's algorithm, according to widely cited research. Given current error rates, achieving one logical qubit requires roughly 1,000 physical qubits using the surface error-correction code, implying a physical qubit count in the millions for a practical attack. The largest publicly disclosed quantum processors in 2025 are in the hundreds to low thousands of physical qubits, still far short of this threshold.