The Misunderstood "Quantum Supremacy": No Need to Panic Before 2030

Today, predictions about when "cryptographically relevant quantum computers" (CRQCs) will arrive are often overly aggressive and exaggerated, leading to calls for an immediate and comprehensive migration to post-quantum cryptography.

However, these calls often overlook the costs and risks of premature migration and ignore the vastly different risk profiles among various cryptographic primitives:

  • Post-quantum encryption does need to be deployed now, despite the cost: "Harvest Now, Decrypt Later" (HNDL) attacks are already happening. Sensitive data encrypted today may still be valuable decades from now, when quantum computers exist. Post-quantum encryption brings performance overhead and execution risk, but data that must stay confidential for the long term has no other option against HNDL.
  • Post-quantum signatures face a completely different threat calculus: they are not affected by HNDL at all. Moreover, the costs and risks of post-quantum signatures (larger sizes, worse performance, less mature implementations, and more room for bugs) call for a deliberate migration strategy rather than a frantic one.

Clarifying these differences is crucial. Misunderstandings can distort cost-benefit analyses and cause teams to overlook more immediate security risks—such as code bugs.

The real challenge in migrating to post-quantum cryptography lies in matching urgency with actual threats. The following will clarify common misconceptions about quantum threats by covering encryption, signatures, and zero-knowledge proofs (especially their impact on blockchain).

How far are we from quantum threats?

Despite the hype, the likelihood of a "cryptographically relevant quantum computer" (CRQC) emerging in the 2020s is extremely low.

By "CRQC," I mean a fault-tolerant, error-corrected quantum computer that can run Shor's algorithm against elliptic-curve cryptography or RSA within a reasonable time (for example, breaking secp256k1 or RSA-2048 in at most a month).

Reasonable analysis of milestones and resource estimates shows we are still far from building such a machine. Although some companies claim CRQC might appear before 2030 or 2035, current publicly known progress does not support these claims.

Objectively, none of the current technological architectures—ion traps, superconducting qubits, neutral atom systems—are close to the hundreds of thousands or millions of physical qubits needed to run Shor’s algorithm (depending on error rates and error correction schemes).

Limitations are not only about the number of qubits but also include gate fidelities, qubit connectivity, and the depth of continuous error correction circuits required for running deep quantum algorithms. While some systems now have physical qubit counts exceeding 1,000, counting qubits alone is misleading: these systems lack the connectivity and fidelity needed for cryptographic computations.

Recent systems are approaching the fault-tolerance threshold in terms of physical error rates, but no one has demonstrated more than a few logical qubits with sustained error correction circuits—let alone the thousands of high-fidelity, deep, fault-tolerant logical qubits needed for running Shor’s algorithm. The gap between “proof of quantum error correction feasibility” and “scaling to cryptanalysis scale” remains huge.

In short: unless the number of qubits and their fidelity improve by several orders of magnitude, CRQC remains out of reach.

However, it’s easy to get confused by corporate PR and media reports. Here are some common misconceptions:

  • Claims of “quantum advantage” demonstrations: These demonstrations are currently for artificially designed tasks. They are chosen not because they are practical but because they can run on existing hardware and show significant quantum speedup—something often obscured in announcements.
  • Companies claiming thousands of physical qubits: This usually refers to quantum annealers, not gate-model machines capable of running Shor’s algorithm to attack public-key cryptography.
  • Misuse of the term “logical qubits”: Quantum algorithms like Shor’s require thousands of stable logical qubits. Through quantum error correction, many physical qubits are used to realize a single logical qubit—typically hundreds to thousands. Some companies have exaggerated this, claiming, for example, that two physical qubits per logical qubit suffice to realize 48 logical qubits. Such low-redundancy codes can only detect errors, not correct them. Truly fault-tolerant logical qubits for cryptanalysis require hundreds to thousands of physical qubits each.
  • Playing with definitions: Many roadmaps use “logical qubits” to refer to qubits supporting only Clifford operations. These operations can be efficiently simulated classically and are therefore insufficient for running Shor’s algorithm.
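To make the physical-to-logical overhead concrete, here is a small calculator. It is an added example, not from the original article, and it uses the widely cited surface-code heuristic from Fowler et al. (2012), p_L ≈ 0.1 · (p/p_th)^((d+1)/2) with threshold p_th ≈ 1%, together with a rotated-code patch of 2d^2 - 1 physical qubits. The Shor-sized workload in main (about 2,000 logical qubits and 10^10 logical operations) is an assumed round number, not a published estimate, and the model ignores magic-state distillation, routing and runtime, which dominate real resource estimates. It is enough to show why one logical qubit costs hundreds to thousands of physical qubits and why the total swings by an order of magnitude with the physical error rate.

```go
package main

import (
	"fmt"
	"math"
)

// Surface-code heuristic (Fowler et al. 2012): a distance-d logical qubit fails
// per round with probability p_L ≈ 0.1 * (p / p_th)^((d+1)/2), p_th ≈ 1e-2.
// First-order model only: it ignores magic-state distillation, routing and
// runtime, all of which add to real cryptanalysis estimates.
const pThreshold = 0.01

// SurfaceCodeDistance returns the smallest odd distance d whose heuristic
// logical error rate is at or below pTarget, or 0 when pPhys is at or above
// threshold, where adding qubits makes things worse rather than better.
func SurfaceCodeDistance(pPhys, pTarget float64) int {
	if pPhys <= 0 || pPhys >= pThreshold || pTarget <= 0 {
		return 0
	}
	// Solve 0.1 * r^k <= pTarget with r = pPhys/pThreshold < 1 and k = (d+1)/2.
	// Both logarithms are negative, so dividing flips the inequality to k >= ...
	k := (math.Log10(pTarget) + 1) / math.Log10(pPhys/pThreshold)
	kInt := int(math.Ceil(k - 1e-9)) // tolerate rounding at exact powers of ten
	if kInt < 2 {
		kInt = 2 // distance 3 is the smallest code that corrects an error
	}
	return 2*kInt - 1
}

// PhysicalPerLogical is the size of one rotated surface-code patch:
// d^2 data qubits plus d^2-1 measurement ancillas.
func PhysicalPerLogical(d int) int {
	return 2*d*d - 1
}

// Budget sizes a machine for a circuit of logicalQubits qubits and logicalOps
// logical operations at physical error rate pPhys, targeting about a 10%
// chance that the whole run fails. It returns (distance, total physical
// qubits), or (0, 0) when the physical error rate is not below threshold.
func Budget(pPhys float64, logicalQubits int, logicalOps float64) (int, int) {
	d := SurfaceCodeDistance(pPhys, 0.1/logicalOps)
	if d == 0 {
		return 0, 0
	}
	return d, logicalQubits * PhysicalPerLogical(d)
}

func main() {
	// Assumed Shor-sized workload: ~2,000 logical qubits and 1e10 logical
	// operations. Round numbers for illustration, not a published estimate.
	const logicalQubits, logicalOps = 2000, 1e10
	for _, p := range []float64{1e-3, 5e-3, 2e-2} {
		d, n := Budget(p, logicalQubits, logicalOps)
		if d == 0 {
			fmt.Printf("p=%.0e: at or above threshold, error correction does not converge\n", p)
			continue
		}
		fmt.Printf("p=%.0e: distance %d, %d physical per logical, %d total\n",
			p, d, PhysicalPerLogical(d), n)
	}
}
```

At p = 10^-3 the model gives distance 19, about 721 physical qubits per logical qubit and roughly 1.4 million in total; at p = 5 · 10^-3 it needs distance 67, about 9,000 per logical qubit and roughly 18 million; at 2% it does not converge at all. That spread is why a headline count of "thousands of physical qubits" says nothing about cryptanalytic capability without the error rate next to it.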

Even when a roadmap promises to "achieve thousands of logical qubits by year X," that does not mean the company expects to run Shor's algorithm against classical cryptography by then.

These marketing tactics seriously distort public (and even some seasoned observers’) understanding of how close quantum threats really are.

Nevertheless, some experts are genuinely excited about progress. Scott Aaronson recently said that, given the pace of hardware development, he believes "it's possible to have a fault-tolerant quantum computer running Shor's algorithm before the next U.S. presidential election." But he also clarified that this does not mean a CRQC capable of threatening cryptography: even factoring 15 = 3 × 5 on a fault-tolerant machine would count as the prediction coming true. That is clearly not on the same scale as breaking RSA-2048.

In fact, all experiments factoring 15 use simplified circuits, not the full fault-tolerant Shor’s algorithm; and factoring 21 requires additional hints and shortcuts.

Put simply: no publicly available progress shows that a quantum computer capable of breaking RSA-2048 or secp256k1 can be built within the next 5 years.

Ten years remains a very aggressive prediction.

The U.S. government's goal of completing the post-quantum migration of federal systems by 2035 (set in National Security Memorandum 10) is a schedule for the migration project itself, not a prediction that a CRQC will exist by then.

Which types of cryptosystems are vulnerable to HNDL attacks?

“HNDL (Harvest Now, Decrypt Later)” refers to attackers storing encrypted communications now and decrypting them once quantum computers appear.

State-level adversaries are likely already archiving large amounts of encrypted U.S. government communications for future decryption. Encryption and key exchange therefore need to migrate now, especially where confidentiality must hold for 10 to 50 years or more.

Digital signatures, including the ones blockchains rely on, are a different case: a signature carries no secret that can be recovered retroactively.

In other words, once a CRQC exists, new signatures can be forged from that moment onward, but signatures produced before it are unaffected: they leak no secrets, and a signature that can be shown to predate the CRQC cannot have been forged by one. What a CRQC does expose is the public key, so any key whose public half is already visible (as an on-chain key is after its first use) becomes forgeable at that moment; the migration therefore has to be finished before a CRQC arrives, not started afterwards.

Thus the urgency of migrating to post-quantum signatures is much lower than for encryption.

Mainstream platforms have also adopted corresponding strategies:

  • Chrome and Cloudflare have deployed hybrid TLS with X25519+ML-KEM (the X25519MLKEM768 key-exchange group).
  • Apple iMessage (PQ3) and Signal (PQXDH, SPQR) have also deployed hybrid post-quantum encryption.
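The hybrid key exchange those deployments use can be spelled out in a few dozen lines. This is an added example, not code from Chrome, Cloudflare, Signal or the original article. It reproduces the X25519MLKEM768 key_share layout from draft-ietf-tls-ecdhe-mlkem (ML-KEM-768 part first, X25519 part second, both on the wire and in the 64-byte shared secret) using only Go's standard library, which requires Go 1.24 or newer for crypto/mlkem. The function names (NewClient, ServerRespond, ClientFinish, Handshake) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// X25519MLKEM768 (draft-ietf-tls-ecdhe-mlkem) puts the ML-KEM-768 part first everywhere:
// client key_share = encapsulation key (1184 B) || X25519 pk (32 B); server key_share =
// ciphertext (1088 B) || X25519 pk (32 B); shared secret = ML-KEM key (32 B) || X25519 (32 B).
const (
	ekSize = mlkem.EncapsulationKeySize768 // 1184
	ctSize = mlkem.CiphertextSize768       // 1088
	ecSize = 32                            // X25519 public key and shared secret
)

// NewClient generates both ephemeral private keys and the client key_share.
func NewClient() (*mlkem.DecapsulationKey768, *ecdh.PrivateKey, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	ec, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	share := append(dk.EncapsulationKey().Bytes(), ec.PublicKey().Bytes()...)
	return dk, ec, share, nil
}

// ServerRespond parses the client key_share and returns the server key_share plus the 64-byte secret.
func ServerRespond(clientShare []byte) ([]byte, []byte, error) {
	if len(clientShare) != ekSize+ecSize {
		return nil, nil, fmt.Errorf("client key_share: got %d bytes, want %d", len(clientShare), ekSize+ecSize)
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:ekSize])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[ekSize:])
	if err != nil {
		return nil, nil, err
	}
	ec, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecSecret, err := ec.ECDH(clientPub)
	if err != nil {
		return nil, nil, err
	}
	pqSecret, ct := ek.Encapsulate() // fresh randomness inside; a ciphertext is never reused
	return append(ct, ec.PublicKey().Bytes()...), append(pqSecret, ecSecret...), nil
}

// ClientFinish derives the client's copy of the shared secret from the server key_share.
func ClientFinish(dk *mlkem.DecapsulationKey768, ec *ecdh.PrivateKey, serverShare []byte) ([]byte, error) {
	if len(serverShare) != ctSize+ecSize {
		return nil, fmt.Errorf("server key_share: got %d bytes, want %d", len(serverShare), ctSize+ecSize)
	}
	pqSecret, err := dk.Decapsulate(serverShare[:ctSize]) // a tampered ct yields an unrelated key, not an error
	if err != nil {
		return nil, err
	}
	serverPub, err := ecdh.X25519().NewPublicKey(serverShare[ctSize:])
	if err != nil {
		return nil, err
	}
	ecSecret, err := ec.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return append(pqSecret, ecSecret...), nil
}

// Handshake runs one exchange and reports whether both sides hold the same secret.
func Handshake() (bool, int, error) {
	dk, ec, clientShare, err := NewClient()
	if err != nil {
		return false, 0, err
	}
	serverShare, serverSecret, err := ServerRespond(clientShare)
	if err != nil {
		return false, 0, err
	}
	clientSecret, err := ClientFinish(dk, ec, serverShare)
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(clientSecret, serverSecret), len(clientSecret), nil
}

func main() {
	agree, n, err := Handshake()
	fmt.Println("secrets agree:", agree, "secret bytes:", n, "err:", err)
}
```

The property that matters for HNDL is visible in ServerRespond and ClientFinish: both halves of the 64-byte secret go into TLS 1.3's HKDF-Extract where a plain ECDHE secret would go, so an adversary who records the handshake today and later solves X25519 with a CRQC still lacks the ML-KEM half, while an unexpected classical weakness in ML-KEM leaves X25519 standing. The length checks are part of the point too: a truncated or oversized key_share is rejected before parsing rather than silently sliced. Go's own crypto/tls enables this group by default; the block is only there to show the bytes.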

However, deployment of post-quantum signatures on critical web infrastructure has been deliberately deferred, to be done only when a CRQC is genuinely imminent, because current post-quantum signature schemes still impose significant size and performance regressions.

The situation with zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge) is similar to signatures. Even in the curve-based constructions, which are not post-quantum secure, the zero-knowledge property holds against a quantum adversary: in the standard schemes it is a statistical property that does not rest on the hardness of the discrete logarithm, whereas soundness does.

Zero-knowledge proof systems guarantee that the secret witness is not leaked, so an attacker cannot "collect proofs now and extract witnesses later"; zkSNARKs are therefore not exposed to HNDL attacks. Just as signatures generated today remain trustworthy, any zkSNARK proof generated before quantum computers appear remains trustworthy, even if it uses elliptic-curve cryptography. Only once a CRQC exists can an attacker forge false proofs.
