“Quantum computers are capable of breaking all currently used encryption algorithms.”

As researchers around the world race to build quantum computers that could break the current encryption providing security and privacy for our digital lives, NIST is helping to secure our future by developing algorithms to protect our data and systems. NIST has already released three post-quantum cryptography standards that can be implemented now to secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy.

NIST's Post-Quantum Cryptography (PQC) project leads the national and global effort to secure electronic information against the future threat of quantum computers—machines that may be years or decades away but could eventually break many of today's widely used cryptographic systems. Through a multi-year international competition involving industry, academia, and governments, NIST released the principal three PQC standards in 2024 and is developing additional standards to serve as backups or alternatives. Organizations should begin applying these standards now to migrate their systems to quantum-resistant cryptography.

Now is the time to migrate to new post-quantum encryption standards, before quantum computers put today's encryption at risk. Three NIST standards that were developed through a rigorous, international process are ready to be implemented now. As researchers around the world race to build quantum computers that could break the current encryption providing security and privacy for our digital lives, NIST is helping to secure our future by developing algorithms to protect our data and systems.

Current IBM quantum systems have up to 1,121 qubits but are not fault-tolerant; breaking practical RSA encryption requires scalable, error-corrected logical qubits numbering in the millions, which is years away.

A quantum computer with one million noisy qubits running for one week can theoretically crack RSA-2048 bit encryption, representing twenty times fewer qubits than Google's 2019 estimate, according to new research from Google Quantum AI. The findings sharply compress the timeline for when current encryption standards could fall, compelling enterprises to accelerate post-quantum cryptography (PQC) adoption.

Quantum computers, on the other hand, promise to rapidly crack complex cryptographic systems that a classical computer might never be able to unravel. This promise is based on a quantum factoring algorithm proposed in 1994 by Peter Shor... 'If large-scale quantum computers ever get built, then factoring is toast and we have to find something else to use for cryptography.'

Chinese scientists at Shanghai University have determined that a quantum computer from the Canadian firm D-Wave can effectively crack a popular encryption method. Researchers found it can attack Rivest-Shamir-Adleman (RSA) encryption, which is used by web browsers, VPNs, email services, and chips from brands like Samsung and LG. It can also target the Advanced Encryption Standard (AES), which the US government adopted in 2001.

Shor's algorithm can factor large numbers and solve discrete logarithm problems exponentially faster than any known classical computer. This poses an existential threat to all widely used asymmetric (public-key) encryption, including RSA and Elliptic Curve Cryptography (ECC). Grover's algorithm provides a quadratic speedup for searching unstructured data, which can be applied to brute-forcing symmetric encryption keys. It doesn't “break” the algorithm but effectively halves its security strength. For example, it reduces AES-128's security to a 64-bit level and AES-256's to a 128-bit level. This threat is manageable; simply doubling the key length (i.e., using AES-256) makes the algorithm secure against quantum attacks for the foreseeable future.

Shor's algorithm can quickly factor large numbers, and thereby break RSA encryption, a fundamental pillar of cybersecurity. In response, the US National Institute for Standards and Technology (NIST) has been promoting the development of post-quantum encryption algorithms—new ways of securing data that should, in theory, stand up to future attacks from quantum computers.

The research team... found that D-Wave’s quantum computers can optimize problem-solving in a way that makes it possible to attack encryption methods such as RSA. 'Using the D-Wave Advantage, we successfully factored a 22-bit RSA integer...' The researchers didn’t just stop at RSA. They also attacked algorithms crucial to the Advanced Encryption Standard (AES)...

Read the blog to get the facts about the RSA algorithm and why post-quantum encryption does not pose an immediate cybersecurity threat.

Symmetric encryption algorithms like AES are largely quantum-resistant already. They just need larger key sizes - think of it like adding a few extra pins to an already secure lock. It's a simple upgrade to something that's already working well. Quantum computers are not some magic wand that breaks all encryption. Think of them more like a specialized lock pick - they're really good at breaking certain types of locks, but completely useless against others.

Is AES-256 quantum-resistant? AES-256 (Advanced Encryption Standard using 256-bit keys), is a widely used symmetric encryption algorithm often used by the US government and other secure organizations. While quantum computers could use an algorithm, called Grover's algorithm, to reduce their effective security level from 256 bits to approximately 128 bits, most professionals still consider 128 bits as secure, meaning this algorithm is technically quantum-resistant.

It's essential to differentiate between universal qubits, used in general-purpose quantum computers like those developed by IBM and Google, and adiabatic qubits, which are found in D-Wave's systems designed for optimization problems. While universal qubits can run advanced cryptographic algorithms like Shor's algorithm, adiabatic qubits cannot. D-Wave's machines, even with 5,000 qubits, are not capable of breaking encryption methods such as RSA-2048 or AES-256.

NIST has standardized post-quantum cryptographic algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium in 2024, explicitly because current quantum computers do not have sufficient qubits or error rates to run Shor's algorithm on full-size keys like RSA-2048, which requires millions of logical qubits.

Anybody with a large working quantum computer today would pose an immediate privacy and security threat to the whole internet... Shor’s algorithm... would allow the user to very easily decrypt any data encrypted with a large-number factoring based system - which would pretty much ruin the entire internet.