Imagine sending a message today that is perfectly secure. Now imagine someone saving that encrypted message and waiting ten years to read it. This isn't science fiction; it is the reality of the "harvest now, decrypt later" attack strategy. As we move through 2026, the clock is ticking louder than ever for businesses, governments, and blockchain networks. The central question is no longer *if* quantum computers will break current encryption, but *when*. Understanding this timeline is critical because once a cryptographically relevant quantum computer exists, decades of digital security could unravel in hours.
The threat landscape has shifted dramatically from theoretical physics to immediate operational risk. Organizations are racing against a moving target where technological breakthroughs keep pushing the deadline closer. If you are managing sensitive data, financial systems, or blockchain infrastructure, ignoring this timeline is not an option. You need to know exactly when your current defenses might fail so you can migrate before the window closes.
The Core Threat: Shor's Algorithm and RSA Vulnerability
To understand the timeline, you first need to understand the weapon. Classical computers struggle with factoring large prime numbers, which is the mathematical foundation of RSA encryption. It would take a classical supercomputer billions of years to crack standard RSA-2048 keys. However, quantum computers operate differently. They use qubits to exist in multiple states simultaneously, allowing them to process vast amounts of possibilities at once.
Shor's algorithm is the specific quantum program designed to exploit this capability. It doesn't just speed up the cracking process; it changes the complexity class entirely. Instead of taking billions of years, a sufficiently powerful quantum computer could break RSA-2048 in under 24 hours. This is the definition of a Cryptographically Relevant Quantum Computer (CRQC). While symmetric encryption like AES is also affected by Grover's algorithm, the impact is less severe because it only provides a quadratic speedup, meaning doubling the key size effectively neutralizes the threat. Asymmetric cryptography, used for digital signatures and key exchange, faces existential risk.
Expert Estimates: The 5-to-30 Year Window
So, when does this happen? There is no single date, but there is a consensus range. The Global Risk Institute's 2024 report provides the most cited probability assessments. Their analysis suggests that by 2034, there is a 17% to 34% chance that a CRQC will exist capable of breaking RSA-2048 within a day. By 2044, that probability jumps to 79%.
This creates a distinct acceleration curve. Early estimates placed the threat decades away, but recent milestones in quantum error correction have disrupted those linear projections. Experts at the 2025 SANS Emerging Threats Summit refined these numbers, suggesting that within 5 to 15 years, we could see CRQCs breaking standard encryptions rapidly. The lower end of this spectrum-5 to 10 years-is driven by optimistic views on how quickly logical qubits can be scaled. The higher end accounts for potential setbacks in connecting and controlling these fragile quantum states. Regardless of which side of the debate you fall on, the window for preparation is narrowing fast.
| Year | Probability Range | Risk Level |
|---|---|---|
| 2034 | 17% - 34% | Moderate |
| 2044 | 79% | High |
| 2055-2060 | Near Certainty (MITRE Estimate) | Critical |
Government Mandates: The Regulatory Deadline
While experts debate probabilities, governments are setting hard deadlines. These mandates force action regardless of whether you believe the threat is imminent. In the United States, National Security Memorandum 10 (NSM-10) requires all federal agencies to fully migrate to post-quantum cryptography (PQC) by 2035. This isn't a suggestion; it is a compliance requirement for handling sensitive national information.
Some agencies are moving even faster. The Department of Homeland Security has indicated a transition period ending by 2030. For National Security Systems, the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) makes PQC preferred immediately in 2025 and mandatory between 2030 and 2033 depending on the application. These regulatory frameworks assume the worst-case scenario regarding timeline acceleration. For private sector companies dealing with government contracts or regulated industries like finance, these dates become your effective deadlines. Ignoring them means non-compliance and massive liability risks.
Technical Realities: Error Correction and Qubit Scaling
The timeline depends heavily on hardware progress. Current quantum computers are noisy and prone to errors. To break RSA, you need millions of physical qubits to create thousands of stable "logical" qubits. Recent breakthroughs in quantum error suppression have shown that we can mitigate some of these errors, potentially accelerating the path to utility-scale machines.
MITRE’s 2025 assessment offers a more conservative view, suggesting that following current trend lines, RSA-2048 compromise capabilities might not arrive until 2055-2060. However, this assumes linear progression. History shows that technology often follows exponential curves once key bottlenecks are solved. If error correction scales efficiently, the 2035 mark becomes highly plausible. Conversely, if scaling logical qubits proves harder than anticipated, the threat could recede slightly. But betting on delay is a dangerous strategy in cybersecurity. You cannot afford to be wrong about the delay, but you can afford to be early on the migration.
Industry Preparedness: Who Is Acting?
Awareness is high, but action is lagging. Deloitte’s Global Future of Cyber survey reveals that while 52% of organizations are measuring their exposure to quantum risks, only 30% are taking decisive action to implement solutions. This gap is widening as executive awareness grows. Interviews with financial industry leaders in 2025 showed universal familiarity with NIST’s 2024 PQC standards. Yet, many wait for clear regulatory directives before triggering full-scale migration projects.
This hesitation is costly. Migrating cryptographic systems is complex. It involves inventorying all cryptographic assets, assessing vulnerability, testing new algorithms, and deploying updates across legacy systems. For blockchain networks, the challenge is even greater because changing consensus mechanisms or signature schemes often requires hard forks, which carry significant community and economic risk. Financial institutions estimate that regulatory action will trigger within one to five years, forcing a rush that could lead to implementation errors. Starting now allows for a controlled, tested transition rather than a panic-driven scramble.
The Blockchain Implication: Immutable Risks
Blockchain technology faces a unique quantum threat. Traditional databases can patch vulnerabilities by updating software. Blockchains are immutable by design. If a quantum computer breaks the elliptic curve cryptography securing Bitcoin or Ethereum addresses, attackers could steal funds without leaving a trace. The "harvest now, decrypt later" strategy is particularly devastating here. An adversary can record public transactions today, wait for a CRQC to emerge, and then retroactively sign transactions to drain wallets.
Moreover, smart contracts rely on cryptographic signatures for execution. If those signatures are forgeable, the entire trust model collapses. Major blockchain projects are already exploring quantum-resistant signature schemes, such as lattice-based cryptography. However, integrating these into existing networks without disrupting decentralization or performance remains a significant engineering hurdle. The timeline for blockchain quantum resistance is tied directly to the broader PQC adoption curve, but with higher stakes due to irreversibility.
Action Plan: Preparing for the Post-Quantum Era
You don't need to wait for the perfect solution. NIST published its final PQC standards in 2024, providing approved algorithms like CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. These are ready for implementation. Here is what you should do now:
- Inventory Your Crypto Assets: Identify every system using RSA, ECC, or DSA. Map where they are used and who has access.
- Assess Data Shelf Life: Determine which data must remain secret beyond 2035. Prioritize migrating protections for long-lived secrets like state secrets, health records, and intellectual property.
- Test Hybrid Solutions: Implement hybrid cryptographic suites that combine classical and post-quantum algorithms. This provides defense-in-depth; if the PQC algorithm fails, the classical layer still holds, and vice versa.
- Monitor Standards: Keep an eye on NIST updates and CNSA 2.0 requirements. Compliance timelines are tightening.
- Plan for Blockchain Upgrades: If you run nodes or hold significant assets, monitor proposals for quantum-resistant forks. Prepare liquidity strategies in case of network splits.
The quantum threat is real, measurable, and approaching. The difference between being prepared and being vulnerable lies in acting today based on tomorrow's risks. Don't let the complexity of the technology paralyze you. Start with inventory, prioritize high-value data, and begin testing PQC standards now. The cost of migration is high, but the cost of breach is catastrophic.
When will quantum computers break current encryption?
Estimates vary, but the Global Risk Institute suggests a 17-34% chance of a cryptographically relevant quantum computer (CRQC) existing by 2034, rising to 79% by 2044. Some conservative models suggest 2055-2060, but recent advancements in error correction may accelerate this timeline significantly. Most experts agree the threat will materialize within the next 5 to 15 years.
What is the "harvest now, decrypt later" attack?
This is a strategy where adversaries collect encrypted data today, knowing they cannot read it yet. They store this data securely until a powerful enough quantum computer is available to break the encryption. This makes any data with a long shelf life (like state secrets, medical records, or blockchain transaction histories) vulnerable immediately, even if the quantum computer isn't built for another decade.
How does quantum computing affect blockchain security?
Most blockchains use elliptic curve cryptography for digital signatures. A quantum computer running Shor's algorithm could derive private keys from public keys, allowing attackers to steal funds. Because blockchain transactions are immutable, there is no way to reverse stolen funds. This necessitates a migration to quantum-resistant signature schemes, which is complex due to the need for consensus and potential hard forks.
What are NIST's post-quantum cryptography standards?
In 2024, NIST finalized several post-quantum cryptography (PQC) standards. Key algorithms include CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium for digital signatures. These algorithms are designed to resist attacks from both classical and quantum computers. Organizations are encouraged to begin implementing these standards, often in hybrid modes with existing classical algorithms, to ensure a smooth transition.
What is the government deadline for migrating to post-quantum cryptography?
National Security Memorandum 10 (NSM-10) sets a deadline of 2035 for US federal agencies to complete migration to post-quantum cryptography. However, specific agencies like the Department of Homeland Security aim for earlier completion by 2030. The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) requires PQC for National Security Systems between 2030 and 2033. Private companies working with government entities should align their plans with these aggressive timelines.
Is AES encryption safe from quantum computers?
AES is safer than asymmetric encryption like RSA against quantum threats. Quantum computers use Grover's algorithm to search unstructured databases, which provides only a quadratic speedup. This means doubling the key size (e.g., from AES-128 to AES-256) effectively negates the quantum advantage. While not immune, AES-256 is considered robust against near-term quantum attacks, unlike RSA which requires a complete algorithmic replacement.