Every time a quantum-computing news story breaks, someone at a financial institution asks: “When do we have to migrate?” The short answer is that they should already have started, even though the risk itself is expected around 2030-2035. This article explains why, separating what quantum computing actually threatens from what’s overhyped, and proposing a pragmatic migration plan.
Qubit numbers and roadmaps in this article reflect public state at the close of 2025. It’s a field where figures age quickly; links to official sources are at the bottom.
What a quantum computer actually does
A quantum computer is not a faster classical computer. It’s a machine that leverages two specific properties of quantum mechanics:
- Superposition — a qubit can be in multiple states simultaneously until it’s measured.
- Entanglement — qubits can be correlated such that measuring one instantly affects the other.
These properties allow executing algorithms that explore many possibilities in parallel. For most computational tasks this adds nothing useful — a spreadsheet doesn’t benefit from quantum computing. But for some very specific mathematical problems, it does.
The two quantum algorithms that matter for cryptography:
Shor’s algorithm (1994)
Efficiently solves the integer factorization problem and the discrete logarithm problem. Both are the foundation of all classical asymmetric cryptography.
Consequence: a sufficiently large quantum computer breaks these algorithms:
- RSA (any key size)
- DSA
- ECDSA (all elliptic curves)
- ECDH and DH (classical and elliptic-curve Diffie-Hellman)
Grover’s algorithm (1996)
Speeds up unstructured search. Its effect on symmetric cryptography and hashes is modest: it halves the effective strength in bits.
Consequence:
- AES-128 is left with ~64 bits of post-quantum strength → weak.
- AES-256 is left with ~128 bits of strength → still solid for the next decade.
- SHA-256 retains ~128 bits of collision resistance → solid.
- SHA-512 is left with ~256 bits → very solid.
What it isn’t
Worth separating reality from marketing:
- Does NOT catastrophically break symmetric cryptography. AES-256 remains post-quantum secure.
- Does NOT break modern hashes. SHA-256 and above keep working.
- Does NOT magically read your encrypted data. It only breaks specific asymmetric algorithms.
- Is NOT right around the corner. “Quantum supremacy” announcements measure things distinct from breaking real cryptography.
- Does NOT directly affect your PIN, your MAC or your EMV validation — those use symmetric cryptography. What it does affect is the key exchange and the certificates that underpin those operations.
Where the technology is today (real, not marketing)
Quantum computers as of the end of 2025 are very large in headlines and very small in actual capability. The relevant public milestones:
- IBM published in December 2023 its roadmap through 2033 (IBM Quantum Roadmap), passing through Condor (1,121 qubits, announced at the same event), Heron (133 qubits with far better error rates), Flamingo, Crossbill, Kookaburra and Loon. The explicit strategy is to prioritize quality over quantity after crossing the thousand-physical-qubit barrier.
- Google Research announced in December 2024 the Willow chip (105 qubits), reporting for the first time “below threshold” error correction — the regime where adding more physical qubits exponentially reduces errors instead of increasing them (Google Blog · Meet Willow). It is probably the most important breakthrough of recent years, not for qubit count but for proving that error correction scales.
- Atom Computing announced in October 2023 a neutral-atom array of 1,225 sites with 1,180 qubits effectively populated — the first system to cross the thousand-qubit barrier (Atom Computing announcement). An architecture distinct from IBM’s and Google’s superconductors.
- Quantinuum operates the H-Series family based on trapped ions; their H2 model achieves all-to-all-connected physical qubits with very low error rates, although at much smaller scale. It’s the most mature example of quality over quantity.
Key point: all the numbers above are noisy physical qubits. For breakable cryptography you need error-corrected logical qubits. With current correction techniques, you need between 1,000 and 10,000 physical qubits to build one stable logical qubit.
How many qubits are really needed
To run Shor on RSA-2048 (which would break most production PKIs today), the most-cited academic reference is Gidney & Ekerå (2019, refined in 2021):
Factoring a 2,048-bit RSA number would require approximately 20 million noisy physical qubits running the algorithm for 8 hours, assuming 10⁻³ error rates and surface-code error correction.
— “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits” (arXiv:1905.09749)
Those 20 million translate to approximately 4,000 logical qubits once error correction is applied.
Between ~1,000 physical qubits today and ~20,000,000 needed, there are four orders of magnitude of difference. It’s not a “more qubits” problem — it’s an error-correction, coherence, connectivity and scaling problem. Serious expert estimates for a Cryptographically Relevant Quantum Computer (CRQC):
- Most conservative: around 2030.
- Central: 2035-2040.
- Most pessimistic for attackers: never at practical scale.
NSA, in its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), published September 2022, assumes full transition to post-quantum algorithms by 2035 for U.S. national-security systems.
So why act now
If real risk is 2035, why the urgency? Three concrete reasons:
1. “Harvest Now, Decrypt Later” (HNDL)
State actors and sophisticated APTs are capturing encrypted traffic today, storing it, waiting for quantum capability. When it comes, they’ll retroactively decrypt everything that’s still sensitive.
If your information has value beyond 2035 (long-term contracts, personal data, trade secrets, national-security information, financial transactions), it’s already exposed if you encrypt it only with classical asymmetric crypto.
2. Long-life certificates already live in the risk zone
A root certificate issued today with a 20-year lifetime covers 2026-2046. Half of that period is in the zone where it may no longer be quantum-safe. The same applies to digital-signature certificates with extended validity (LTV).
3. Real migration takes 5-7 years
Full inventory + algorithm decisions + library adoption + hardware updates (HSMs, smart cards) + testing + gradual rollout + retirement of old algorithms. At large institutions, this is measured in multi-year cycles. Starting in 2030 to be ready by 2035 is late.
What NIST already did for you
In August 2024, NIST published the first three post-quantum standards (NIST press release):
- FIPS 203 (ML-KEM) — formerly known as CRYSTALS-Kyber. For key exchange (KEM = Key Encapsulation Mechanism). The primary one for general use.
- FIPS 204 (ML-DSA) — formerly CRYSTALS-Dilithium. For general-purpose digital signature.
- FIPS 205 (SLH-DSA) — formerly SPHINCS+. For hash-based digital signature. NIST positions it as conservative backup: larger keys and signatures, but security anchored in well-studied hash properties.
- FIPS 206 (FN-DSA, draft) — formerly Falcon. Signatures more compact than ML-DSA.
Decision made. You don’t have to choose between 80 academic candidates — just among these. The technical discussion is no longer “which algorithm?”, but “where and in what order do we apply them?”
Some production deployments are already running. Cloudflare enabled hybrid TLS handshakes (X25519 + Kyber512/Kyber768) by default for all customers from October 2022 (Cloudflare blog · Post-quantum for all) — years before formal standardization. Google has done similar deployments in Chrome and internal services.
The pragmatic migration plan
The intuition is right: it’s basically an inventory plus an algorithm migration. But the inventory is the hard part and the migration has layers. A reasonable recipe:
Phase 1 — Inventory (3-6 months)
Map every place where there’s classical asymmetric cryptography:
- TLS certificates — internal and external.
- Digital-signature certificates — issuers and users.
- VPNs and IPsec.
- SSH (the older algorithms).
- Keys inside HSMs and the flows that consume them.
- Code signing and software signing.
- Keys embedded in hardware: smart cards, tokens, IoT devices, POS terminals.
- Keys at third-party SaaS services.
- Documents signed with LTV (long-term validity).
Without this inventory, no migration. It’s typically the part that costs the most and the part the organization underestimates.
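A starting point for the Phase 1 inventory, added here as an example and not part of the original article or of any vendor tool: it parses X.509 certificates, labels the key algorithm and flags any classical asymmetric key whose validity runs past 2030, the priority rule the “this month” checklist applies. The certificates are constructed inside the program so it runs offline; `SelfSigned`, `Classify` and the 2030 cutoff are this example’s own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify reports the key algorithm and whether the certificate is quantum-exposed.
func Classify(c *x509.Certificate) (algorithm string, exposed bool) {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		algorithm = fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		algorithm = "ECDSA-" + k.Curve.Params().Name
	default:
		algorithm = "unrecognised" // still flagged by date: unknown keys get reviewed, not skipped
	}
	// Shor breaks RSA and ECDSA at any key size, so key length never rescues a certificate;
	// the only question left is whether it lives past 2030 (the article's priority rule).
	return algorithm, c.NotAfter.Year() > 2030
}

// SelfSigned issues a constructed test certificate (not from any real CA) so the example runs offline.
func SelfSigned(cn string, pub, priv any, years int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(years, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, _ := SelfSigned("Root CA (20-year)", &rsaKey.PublicKey, rsaKey, 20)
	leaf, _ := SelfSigned("tls.example (2-year)", &ecKey.PublicKey, ecKey, 2)
	for _, c := range []*x509.Certificate{root, leaf} {
		alg, exposed := Classify(c)
		fmt.Printf("%-22s %-12s expires %d  quantum-exposed=%v\n", c.Subject.CommonName, alg, c.NotAfter.Year(), exposed)
	}
}
```

In a real inventory the same `Classify` runs over certificates pulled from the TLS endpoints, HSM slots, code-signing stores and VPN gateways listed above; the 20-year root lands on the priority list, the 2-year leaf does not, until it is renewed with a lifetime that crosses the line.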
Phase 2 — Crypto agility (parallel, 6-12 months)
Before migrating anything, make sure the system allows migration:
- Updatable cryptographic libraries.
- Configuration per component, not hardcoded.
- Capability to support multiple algorithms in parallel (hybrid).
- Documented algorithm-rotation processes.
This is architecture work. It’s not optional.
Phase 3 — Hybrid mode (12-24 months)
Adopt combinations of classical and post-quantum algorithms running simultaneously. If one yields, the other holds. The industry is converging on this for the next 5-10 years.
Cloudflare and Google are already rolling out hybrids for TLS today. HSMs from Utimaco, Thales and other vendors are starting to support post-quantum primitives in firmware.
Phase 4 — Pure replacement (2030+)
Once the ecosystem matures and backward dependencies are resolved, gradually retire classical algorithms. This won’t be a single event: different systems will migrate at their own pace according to risk and cost.
Phase 5 — Retire old algorithms (post-2035)
When the last classical system is out of use, retire the libraries, the fallback capabilities, and archive the old procedures. Probably never fully ends.
What to do this month, concretely
Regardless of your institution’s size:
- List on a single sheet every place you know has asymmetric cryptography. It’s probably incomplete. Doesn’t matter — that’s the starting point.
- Identify the owner of each one. If no one’s responsible, that’s the most urgent problem.
- Ask each owner when keys are renewed and what the current lifetime is. Anything with useful life beyond 2030 enters the priority list.
- Ask your critical vendors (HSM, PKI, CMS, terminals) what their post-quantum roadmap is. If they don’t have an answer, that’s also information.
- Take the result to the board once. One sheet. Period.
No step requires buying new technology. All require looking.
Sources and references
- NIST · First 3 finalized post-quantum encryption standards (FIPS 203, 204, 205), August 2024 — https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
- Google Research · Meet Willow, our state-of-the-art quantum chip, December 2024 — https://blog.google/technology/research/google-willow-quantum-chip/
- IBM Quantum · Roadmap 2033 (Condor, Heron, Kookaburra, Loon, …) — https://www.ibm.com/quantum/blog/quantum-roadmap-2033
- Atom Computing · First to exceed 1,000 qubits (1,225 sites, 1,180 populated), October 2023 — https://atom-computing.com/quantum-startup-atom-computing-first-to-exceed-1000-qubits/
- Gidney & Ekerå · How to factor 2,048-bit RSA in 8 hours using 20M noisy qubits, arXiv 1905.09749 — https://arxiv.org/abs/1905.09749
- Cloudflare · Post-quantum for all (X25519+Kyber hybrid TLS in production), October 2022 — https://blog.cloudflare.com/post-quantum-for-all
- NSA · Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), September 2022 — available on nsa.gov and cisa.gov; a public mirror is frequently found under media.defense.gov.
- Quantinuum · H-Series (H2, trapped-ion) — quantinuum.com/products-solutions/quantinuum-systems
At 2PSECURE we accompany financial institutions and critical-infrastructure companies in the cryptographic-inventory phase, the crypto-agility audit, and the post-quantum migration roadmap. If your organization still doesn’t have clear visibility of its quantum-exposed surface, let’s talk.