Timeline of quantum threats: how to actually prepare for post-quantum encryption

When will quantum computers be able to decrypt our data? This question has been debated for years, but the apocalyptic predictions often lack a solid technical foundation. The truth requires a more nuanced understanding: the threat exists, but its timeline and severity depend on the type of cryptography we are discussing. An article by an a16z researcher examines this topic through the lens of technical reality, not marketing promises.

Real timelines: is quantum cracking imminent?

The first thing to understand: claims that quantum computers will break cryptography by 2030 are not based on actual progress in the field. Researchers point out a fundamental disconnect between what companies announce and what is actually happening in laboratories.

To break modern public-key cryptography (such as RSA-2048 or secp256k1), a quantum computer would need working error correction, a sufficient number of logical qubits, and high gate fidelity. No one is currently anywhere close to this. Systems with 1,000 physical qubits look impressive on paper, but without the necessary fidelity and connectivity they remain largely experimental.

Main sources of misunderstanding:

“Quantum advantage” is not the same as usefulness. When companies announce “quantum advantage,” they often demonstrate specially designed problems that run faster on their hardware than on classical computers. But these tasks have no practical application.

Thousands of qubits are far from enough. Most claims about “thousands of qubits” refer to quantum annealing, not the gate-model quantum computers needed for cryptographic attacks.

Logical vs. physical qubits: a huge difference. Claims of 48 “logical qubits” built from only two physical qubits each are implausible, because that ratio cannot provide meaningful error correction.

Roadmap charts can be misleading. Many forecasts show thousands of logical qubits by a certain year, but these qubits may only support “Clifford operations,” which classical computers can simulate efficiently. Shor’s algorithm requires “non-Clifford operations” (T gates), which are absent in such setups.

The simple conclusion: expectations of a quantum computer capable of breaking RSA-2048 within the next five years are not supported by public achievements. Even ten years is an ambitious estimate. But that doesn’t mean we can relax, especially regarding certain types of data.

The “steal now, decrypt later” threat: who is truly at risk?

This is the most critical distinction for understanding why post-quantum encryption demands immediate action, while post-quantum signatures do not.

For encryption: An attacker can intercept and store encrypted data today, then decrypt it once quantum computers are available. This means data that must remain confidential for 10–50+ years already needs post-quantum protection. Government agencies are even now collecting gigabytes of intercepted US communications for future decryption. For this reason, hybrid encryption combining classical and post-quantum schemes is already being deployed in browsers (Chrome with Cloudflare) and messaging apps (Signal, Apple iMessage).

For digital signatures: The situation is fundamentally different. If you can prove that a signature was created before the advent of quantum computers, it cannot be retroactively forged. Quantum computers will only be able to forge new signatures from the moment they appear. This means post-quantum signatures are not as urgent as post-quantum encryption.

For zero-knowledge proofs (zkSNARKs): They are also resistant to “steal now, decrypt later” attacks, because the zero-knowledge property guarantees that no information about the secret is revealed, even to a quantum computer. Thus, a zkSNARK created today will remain cryptographically secure tomorrow, even if it was built on elliptic curve cryptography.

Post-quantum signatures: why rushing is risky

This involves practical considerations of transition. Post-quantum signature schemes have significant trade-offs:

Size and performance: Hash-based signatures (the most conservative from a security standpoint) are 7–8 KB, roughly 100 times larger than current elliptic curve signatures (64 bytes). ML-DSA is 2.4–4.6 KB (40–70 times larger). Even Falcon, a more compact scheme (0.7–1.3 KB), faces implementation challenges.

Implementation complexity: Falcon involves floating-point operations in constant time and has been subject to side-channel attacks. One of its developers called it “the most complex cryptographic algorithm I’ve ever implemented.”

Immaturity: Rainbow and SIKE/SIDH, candidates for NIST standardization, have been broken by classical computers. This demonstrates the risk of standardizing and deploying schemes too early.

The state of internet infrastructure already shows that the migration to post-quantum signatures can happen at any time; there is no hard deadline. Caution is justified, because mistakes at this stage could be costly. Blockchains should adopt a similarly cautious approach.

Blockchain under pressure: who is vulnerable to quantum attacks?

Public blockchains (Bitcoin, Ethereum): Mostly safe from “steal-decrypt” attacks because they use non-post-quantum signatures for authorization, not encryption. The quantum threat to Bitcoin is forging signatures and stealing funds, not decrypting already published transaction data. Even the Federal Reserve has misjudged Bitcoin’s vulnerability to quantum attacks via HNDL.

However, Bitcoin faces unique challenges: slow protocol upgrades, millions of “sleeping” addresses with known public keys, worth billions of dollars. Even if quantum computers don’t arrive before 2035, the logistics of transition could take years. This compels Bitcoin to start planning now—not because quantum threats are imminent, but because coordination is necessary.

Private blockchains: They are genuinely at risk. If recipient addresses and amounts are encrypted or hidden (as in Monero), this confidential data can be intercepted today and de-anonymized by quantum attacks tomorrow. They need post-quantum encryption or hybrid schemes now, or a redesign that keeps such secrets off-chain entirely.

Seven steps toward post-quantum cryptographic security

Based on the above analysis, here are practical recommendations:

1. Implement hybrid encryption immediately where long-term confidentiality is needed. Hybrid schemes (post-quantum + classical) protect against “steal-decrypt” attacks and mitigate weaknesses of purely post-quantum schemes.

2. Use hash-based signatures in low-risk scenarios (firmware updates, device patches). Their size is manageable, and they provide conservative security.

3. Blockchains should not rush signatures but must start planning. Developers should exercise caution, as with traditional PKI.

4. Bitcoin needs a specific migration plan for handling “sleeping” funds and protocol upgrades. The main challenges are governance and coordination, not technical ones.

5. Allocate time for research into post-quantum SNARKs and combined signatures. It will take years, but avoiding premature adoption of suboptimal solutions is worth the effort.

6. Consider abstracting addresses in smart contract wallets for greater flexibility during the transition to post-quantum primitives.

7. Private blockchains should migrate as quickly as feasible given performance considerations, due to real threats like HNDL.
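To make the size trade-off described above (hash-based signatures at 7–8 KB versus 64-byte elliptic curve signatures) and recommendation 2 (hash-based signatures for firmware and device patches) concrete, here is a minimal Lamport one-time signature over SHA-256. This is an added illustration written for this page, not code from the article, a16z, or any standard; the firmware message and the reuse guard are constructed for the demo. Its security rests on nothing but preimage resistance of the hash, which is exactly why hash-based schemes are the conservative choice, and the price is visible in the byte counts.

```python
"""Lamport one-time signature (OTS) over SHA-256, pure standard library.

Added demo for this page (not the article's code). Production hash-based
schemes (e.g. SLH-DSA) use Winternitz chains and Merkle trees to shrink the
signature and allow many-time use, but the security argument is the same:
forging requires finding a hash preimage.
"""
import hashlib
import secrets

H = hashlib.sha256
N = 32       # hash output length in bytes
BITS = 256   # number of digest bits that get signed


def keygen():
    """Private key: 256 pairs of random preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest, i):
    """Return bit i (MSB first) of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg):
    """For each bit of H(msg), reveal the preimage matching that bit."""
    digest = H(msg).digest()
    return b"".join(sk[i][_bit(digest, i)] for i in range(BITS))


def verify(pk, msg, sig):
    """Hash each revealed chunk and compare with the published public key."""
    if len(sig) != BITS * N:
        return False
    digest = H(msg).digest()
    for i in range(BITS):
        chunk = sig[i * N:(i + 1) * N]
        if H(chunk).digest() != pk[i][_bit(digest, i)]:
            return False
    return True


def serialize_pk(pk):
    """Flatten the public key so its on-the-wire size can be measured."""
    return b"".join(a + b for a, b in pk)


class OneTimeSigner:
    """Stateful wrapper: a Lamport key must sign exactly one message.

    A second signature reveals preimages for the other bit values, after
    which an attacker can mix chunks from both signatures to forge new
    messages. Refusing reuse is the caller's responsibility, not the hash's.
    """

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("Lamport key already used; never sign twice")
        self.used = True
        return sign(self.sk, msg)


def reuse_is_rejected():
    """True if the signer blocks a second signature with the same key."""
    signer = OneTimeSigner()
    signer.sign(b"constructed message 1")
    try:
        signer.sign(b"constructed message 2")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed firmware image v1.2.3"   # constructed sample input
    sig = sign(sk, msg)
    print("signature bytes:", len(sig), "(ECDSA: 64)")
    print("public key bytes:", len(serialize_pk(pk)))
    print("verifies:", verify(pk, msg, sig))
    print("tampered verifies:", verify(pk, msg + b"!", sig))
```

The 8,192-byte signature lands in the same range as the 7–8 KB the article cites for hash-based schemes, about 128 times the 64-byte elliptic curve signature; the 16 KB public key is a further cost that Merkle-tree constructions amortize across many keys. The one-time property is the practical pitfall for firmware-signing pipelines: key state must be tracked so that no key is ever used twice.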

The greater risk: implementation, not quantum computers

The most important and most often overlooked conclusion: over the next few years, vulnerabilities will stem far more from implementation flaws, side channels, and ordinary bugs than from quantum computers. For complex systems like SNARKs and post-quantum signatures, implementation errors can have catastrophic consequences.

Invest in audits, fuzzing, formal verification, and layered security. Don’t let quantum fears obscure more immediate, pressing threats.

Read news about quantum breakthroughs critically. Each milestone, examined closely, usually shows how far we still are from the goal. Press releases are reports of achievements that call for careful analysis, not signals for panic or haste.
