The question isn't whether quantum computers will break current encryption—it's when. Security experts debate timelines ranging from 5 to 30 years, but one thing is certain: organizations need to prepare now. Let's examine the realistic timeline and what it means for your security strategy.
Current State of Quantum Computing
As of early 2026, the most powerful quantum computers have around 1,000-1,500 qubits. IBM, Google, and others continue making steady progress. However, there's a crucial distinction between physical qubits and logical qubits:
- Physical qubits: The actual quantum bits, prone to errors and decoherence
- Logical qubits: Error-corrected qubits that can perform reliable computations
Breaking RSA-2048 requires approximately 4,000 logical qubits. Current error correction ratios suggest this needs millions of physical qubits—a significant engineering challenge. The best surface-code estimates place the overhead at roughly 1,000 to 3,000 physical qubits per logical qubit, depending on the target gate error rate. That puts a cryptographically relevant quantum computer (CRQC) in the range of 4 to 12 million physical qubits—well beyond the hardware available today.
Shor's algorithm is efficient in theory, but it demands sustained, fault-tolerant computation across thousands of logical qubits for minutes to hours. A single decoherence event in the wrong place collapses the computation. The engineering gap between "noisy intermediate-scale" and "fault-tolerant" is where the real uncertainty lives.
Expert Timeline Predictions
Various experts and organizations have offered predictions:
Timeline Estimates
- Optimistic (for attackers): 5-10 years
- Moderate consensus: 10-15 years
- Conservative: 15-30 years
- NSA guidance: Transition by 2035
The Global Risk Institute surveys quantum computing experts annually. Their 2025 survey found a median estimate of 15% probability of cryptographically relevant quantum computers by 2030, rising to 50% by 2035.
Which Algorithms Are Vulnerable?
Not all cryptography is equally at risk. Shor's algorithm threatens asymmetric (public-key) schemes, while Grover's algorithm weakens symmetric ciphers by effectively halving their key length. The practical impact varies dramatically by algorithm family:
| Algorithm | Type | Quantum Attack | Impact |
|---|---|---|---|
| RSA-2048 | Asymmetric | Shor's | Fully broken |
| ECDSA / P-256 | Asymmetric | Shor's | Fully broken |
| Diffie-Hellman | Key exchange | Shor's | Fully broken |
| AES-128 | Symmetric | Grover's | Reduced to 64-bit security |
| AES-256 | Symmetric | Grover's | Reduced to 128-bit — still safe |
| SHA-256 | Hash | Grover's | Reduced to 128-bit — still safe |
| Dilithium (ML-DSA) | PQ Signature | None known | Quantum-resistant |
| Kyber (ML-KEM) | PQ Key Encap. | None known | Quantum-resistant |
The critical takeaway: every TLS handshake, JWT signature, and API token that relies on RSA or elliptic curves becomes forgeable or decryptable once a CRQC exists. Symmetric primitives at 256-bit key lengths remain safe, but they only protect the confidentiality of bulk data—not the authentication, key exchange, or digital signatures that establish and vouch for the session in the first place.
The "Harvest Now, Decrypt Later" Threat
Perhaps more concerning than the timeline itself is the "harvest now, decrypt later" attack vector. Adversaries—including nation-states—are already collecting encrypted data with the intention of decrypting it once quantum computers are available.
Consider data with long-term sensitivity:
- Medical records (sensitive for decades)
- Financial transactions (legally retained for years)
- Government communications (classified for 25+ years)
- Intellectual property (competitive value for years)
- Personal communications (privacy expectations persist)
If your data has value beyond 5-10 years, it's already at risk from future quantum attacks. Intelligence agencies with petabyte-scale storage can intercept encrypted traffic today, archive it cheaply, and retroactively decrypt the entire corpus once the hardware matures. The effective threat window is not "when CRQCs arrive" but "now, minus the sensitivity lifetime of your data."
What's Driving Progress?
Several factors are accelerating quantum computing development:
- Government investment: Billions in funding from US, China, EU, and others
- Private sector: Tech giants competing for quantum advantage
- New approaches: Topological qubits, photonic computing, and other innovations
- Error correction advances: Steady improvements in qubit stability
Why Start Migration Now?
Even with a 10-15 year timeline, starting your post-quantum migration today is essential:
- Migration takes time: Large organizations need 5-10 years to fully transition
- Testing and validation: New algorithms need thorough vetting in your environment
- Supply chain: Your vendors and partners need to migrate too
- Regulatory requirements: Compliance mandates are emerging now
- Unknown unknowns: Quantum computing could advance faster than expected
Post-Quantum Cryptography Is Production-Ready Today
The common objection to early migration is performance: lattice-based algorithms are assumed to be slower or more resource-intensive than classical alternatives. That assumption is outdated. NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in 2024, and optimized implementations are already running in production.
H33's authentication stack demonstrates that post-quantum security imposes negligible overhead when the implementation is engineered correctly. The full pipeline—BFV fully homomorphic encryption over a lattice with polynomial degree N=4096, ZKP verification via STARK lookups, and Dilithium signature attestation—completes in approximately 42 microseconds per authentication. At scale, this sustains 2,172,518 authentications per second on a single Graviton4 instance.
Post-quantum does not mean post-performance. H33 batches 32 users into a single BFV ciphertext using SIMD slot packing (4096 slots / 128 biometric dimensions = 32 users per ciphertext). The entire batch—FHE inner product, ZKP lookup, and Dilithium sign+verify—completes in ~1,356 microseconds. That is roughly 42 microseconds per user, well under the latency of a typical TLS handshake.
The key architectural decisions that make this possible include Montgomery-form NTT arithmetic with Harvey lazy reduction (eliminating modular division from the hot path), NTT-domain fused inner products (one final INTT instead of per-chunk transforms), and batch Dilithium attestation (one signature operation per 32-user batch rather than per individual). These are engineering optimizations, not theoretical shortcuts—they preserve the full lattice-based security guarantees while eliminating computational waste.
```text
// H33 single API call — full post-quantum auth pipeline
// BFV FHE (N=4096, t=65537) + ZKP STARK + Dilithium-5
POST /v1/auth/verify
Authorization: Bearer h33_pk_...
Content-Type: application/json
{
  "batch": ["user_001", "user_002", ... "user_032"],
  "templates_ct": "<BFV ciphertext, 32 SIMD slots>",
  "probes_ct": "<BFV ciphertext, 32 SIMD slots>"
}
// Response: ~1,356µs for 32 users (~42µs per auth)
// Dilithium-signed attestation included
{
  "matches": [true, true, false, ...],
  "attestation": "<ML-DSA-65 signature>",
  "zkp_proof_id": "stark_lookup_0x7f3a..."
}
```
Recommended Actions
Regardless of the exact timeline, these steps will prepare your organization:
- Inventory all cryptographic assets and dependencies
- Classify data by sensitivity and longevity
- Begin pilot projects with post-quantum algorithms
- Implement crypto-agility to enable faster future transitions
- Monitor NIST standards and industry developments
- Adopt hybrid key exchange (classical + PQ) in TLS as an immediate step
- Replace RSA/ECDSA signatures with ML-DSA (Dilithium) for new deployments
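As an added example (not H33's code and not part of the original post), the inventory and classification steps above can be turned into a small script: it labels each asset's key exchange, signature and cipher the way the vulnerability table does, then applies a Mosca-style "harvest now, decrypt later" test. The asset records are constructed, and the default 5-year migration and 10-year CRQC horizons are assumptions drawn from the ranges quoted earlier.

```python
"""Crypto-agility inventory check: added example, not H33's code. Classifies
key exchange, signature and cipher as the table above does, then applies a
Mosca-style 'harvest now, decrypt later' test. All records are constructed."""
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "P-256", "X25519", "Ed25519"}  # Shor
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "Kyber", "Dilithium"}
KEY_BITS = {"AES-128": 128, "AES-256": 256, "ChaCha20": 256}  # Grover halves these

@dataclass
class Asset:
    name: str
    key_exchange: list        # TLS group components, e.g. hybrid ["X25519", "ML-KEM"]
    signature: str
    cipher: str
    data_lifetime_years: int  # how long the protected data stays sensitive

def pk_status(algs):
    """Any PQ component (hybrid or pure) resists Shor; purely classical does not."""
    if any(a in PQ_SAFE for a in algs):
        return "quantum-resistant"
    return "broken (Shor)" if any(a in SHOR_BROKEN for a in algs) else "unknown"

def effective_bits(cipher):
    """Grover's search halves the effective key length; 128 bits remains safe."""
    bits = KEY_BITS.get(cipher)
    return None if bits is None else bits // 2

def hndl_exposed(asset, migration_years, crqc_years):
    """Mosca's inequality: exposed when shelf life + migration time exceeds the years
    until a CRQC. Only a Shor-breakable key exchange is decryptable retroactively."""
    if pk_status(asset.key_exchange) != "broken (Shor)":
        return False
    return asset.data_lifetime_years + migration_years > crqc_years

def assess(inventory, migration_years=5, crqc_years=10):
    # Default horizons are assumptions taken from the timeline ranges above.
    return {a.name: {"kex": pk_status(a.key_exchange),
                     "sig": pk_status([a.signature]),
                     "cipher_bits": effective_bits(a.cipher),
                     "hndl_exposed": hndl_exposed(a, migration_years, crqc_years)}
            for a in inventory}

SAMPLE_INVENTORY = [  # constructed records, not a real deployment
    Asset("patient-portal", ["P-256"], "ECDSA", "AES-128", 30),
    Asset("internal-api", ["X25519", "ML-KEM"], "ECDSA", "AES-256", 2),
    Asset("metrics-feed", ["X25519"], "Ed25519", "ChaCha20", 1),
    Asset("new-auth", ["ML-KEM"], "ML-DSA", "AES-256", 10),
]
```

Note that a hybrid group such as X25519 plus ML-KEM removes the HNDL exposure even while the certificate still uses ECDSA, which is why hybrid key exchange is listed as the immediate step and signature migration as the follow-on.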
The quantum threat timeline may be uncertain, but the need to act is not. The mathematics are settled, the standards are finalized, and production-grade implementations exist today. Organizations that begin their post-quantum journey now will be best positioned to weather the quantum transition, whenever it arrives.
Ready to Go Quantum-Secure?
Start protecting your users with post-quantum authentication today. 1,000 free auths, no credit card required.