Currently, predictions about when "Cryptographically Relevant Quantum Computers (CRQC)" will emerge are often overly aggressive and exaggerated—leading to calls for an immediate and comprehensive migration to post-quantum cryptography.
However, these calls often overlook the costs and risks of premature migration, as well as the vastly different risk profiles of various cryptographic primitives:
- Post-quantum encryption does indeed need to be deployed immediately, despite the high costs: "Harvest Now, Decrypt Later" (HNDL) attacks are already happening. Sensitive data encrypted today may still be valuable decades later when quantum computers emerge. Although implementing post-quantum encryption incurs performance overhead and execution risks, for data requiring long-term confidentiality, there is no alternative in the face of HNDL attacks.
- Post-quantum signatures, however, face a completely different computational logic: They are not affected by HNDL attacks. Moreover, the costs and risks of post-quantum signatures (larger size, worse performance, immature technology, and potential bugs) dictate a thoughtful, rather than rushed, migration strategy.
Clarifying these distinctions is crucial. Misunderstandings distort cost-benefit analyses, causing teams to overlook more immediate and critical security risks—such as code bugs.
The real challenge in migrating to post-quantum cryptography is matching the sense of urgency with the actual threat. The following sections will clarify common misconceptions about the quantum threat by covering encryption, signatures, and zero-knowledge proofs (particularly their impact on blockchain).
How Far Are We from the Quantum Threat?
Despite the hype, the likelihood of a "Cryptographically Relevant Quantum Computer (CRQC)" emerging in the 2020s is extremely low.
By "CRQC," I mean a fault-tolerant, error-corrected quantum computer, large enough to run Shor's algorithm to attack elliptic curve cryptography or RSA in a reasonable time (e.g., breaking secp256k1 or RSA-2048 in at most a month).
A reasonable reading of public milestones and resource estimates shows we are still far from building such a machine. Although some companies claim CRQC could appear before 2030 or 2035, currently known public developments do not support these claims.
Objectively, looking at all current technical architectures—ion traps, superconducting qubits, neutral atom systems—none of these platforms today come close to the hundreds of thousands to millions of physical qubits required to run Shor's algorithm (depending on error rates and error correction schemes).
The limiting factors are not just the number of qubits, but also gate fidelities, qubit connectivity, and the sustained error-corrected circuit depth needed to run deep quantum algorithms. Although some systems now have over 1,000 physical qubits, focusing solely on the number is misleading: these systems lack the connectivity and fidelity required for cryptographically relevant computations.
Recent systems are beginning to approach the threshold where quantum error correction becomes effective in terms of physical error rates, but no one has yet demonstrated more than a few logical qubits with sustained error-corrected circuit depth... let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits actually needed to run Shor's algorithm. The gap from "proving quantum error correction works in principle" to "achieving the scale needed for cryptanalysis" remains vast.
In short: unless both the number of qubits and their fidelities improve by several orders of magnitude, CRQC remains out of reach.
However, it's easy to be confused by corporate PR and media reports. Here are some common sources of misunderstanding:
- Demonstrations claiming "quantum advantage": These currently target artificially designed tasks. They are chosen not for their utility, but because they can run on existing hardware and exhibit massive quantum speedup—a point often glossed over in announcements.
- Companies claiming to have thousands of physical qubits: This usually refers to quantum annealers, not the gate-model machines needed to run Shor's algorithm against public-key cryptography.
- Misuse of the term "logical qubit": Quantum algorithms (like Shor's) require thousands of stable logical qubits. Through quantum error correction, we can implement one logical qubit using many physical qubits—typically hundreds to thousands. But some companies have abused this term to an absurd degree. For example, a recent announcement claimed 48 logical qubits using only two physical qubits per logical qubit. Such low-redundancy codes can only detect errors, not correct them. True fault-tolerant logical qubits for cryptanalysis each require hundreds to thousands of physical qubits.
- Playing with definitions: Many roadmaps use "logical qubit" to refer to qubits that only support Clifford operations. These operations can be efficiently simulated by classical computers and are therefore entirely insufficient for running Shor's algorithm.
Even if a roadmap aims for "thousands of logical qubits by year X," this does not mean the company expects to run Shor's algorithm to break classical cryptography that year.
These marketing tactics severely distort the public's (and even some seasoned observers') perception of how imminent the quantum threat is.
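To make the "hundreds to thousands of physical qubits per logical qubit" arithmetic concrete, here is an added Python example (my own illustration, not code from the original article). It uses the standard surface-code heuristic, a logical error rate of roughly 0.1·(p/p_th)^((d+1)/2) per logical qubit per round with a threshold p_th of about 1%, and 2d² physical qubits per distance-d logical qubit. It also shows why a two-physical-qubit "logical qubit" (distance 2) can detect but not correct errors. The physical error rate (5×10⁻⁴), the target logical error rate (10⁻¹²) and the logical qubit count (4,000) are assumed inputs chosen for illustration, not resource estimates taken from the article.

```python
import math


def correctable_errors(distance: int) -> int:
    """Physical errors a distance-d code can correct: floor((d - 1) / 2).

    Distance 2 gives 0: such a code can only detect an error, which is why
    "two physical qubits per logical qubit" is not fault tolerance.
    """
    return (distance - 1) // 2


def logical_error_rate(p_phys: float, distance: int, p_th: float = 1e-2) -> float:
    """Surface-code heuristic for the logical error rate per qubit per round.

    P_L ~ 0.1 * (p / p_th) ** ((d + 1) / 2); p_th ~ 1e-2 is the usual
    threshold quoted for the surface code (assumed value).
    """
    return 0.1 * (p_phys / p_th) ** ((distance + 1) / 2)


def required_distance(p_phys: float, target_logical_error: float,
                      p_th: float = 1e-2) -> int:
    """Smallest odd code distance whose logical error rate meets the target."""
    if p_phys >= p_th:
        # Above threshold, adding qubits makes the logical qubit worse, not
        # better: more hardware does not help until gate fidelity improves.
        raise ValueError("physical error rate is at or above threshold")
    distance = 3
    while logical_error_rate(p_phys, distance, p_th) > target_logical_error:
        distance += 2
    return distance


def physical_qubits_per_logical(distance: int) -> int:
    """d*d data qubits plus roughly d*d measurement qubits."""
    return 2 * distance * distance


def crqc_physical_qubits(logical_qubits: int, p_phys: float,
                         target_logical_error: float,
                         p_th: float = 1e-2) -> tuple[int, int]:
    """Return (code distance, total physical qubits) for a machine with the
    given number of fault-tolerant logical qubits."""
    distance = required_distance(p_phys, target_logical_error, p_th)
    return distance, logical_qubits * physical_qubits_per_logical(distance)


if __name__ == "__main__":
    # Assumed inputs for illustration only.
    p_phys = 5e-4            # physical two-qubit error rate
    target = 1e-12           # tolerated logical error per qubit per round
    logical_needed = 4000    # "thousands" of logical qubits, as the text says

    print("distance-2 code corrects", correctable_errors(2), "errors")
    d, total = crqc_physical_qubits(logical_needed, p_phys, target)
    print(f"distance {d}: {physical_qubits_per_logical(d)} physical per logical,"
          f" {total:,} physical qubits for {logical_needed} logical qubits")
    print("orders of magnitude above today's ~1,000-qubit systems:",
          round(math.log10(total / 1000), 1))
```

The point of the `p_phys >= p_th` check is the one made above: past the threshold, more physical qubits do not buy more reliability, so qubit counts alone say nothing about cryptographic relevance.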
Nonetheless, some experts are indeed excited about the progress. Scott Aaronson recently stated that, given the speed of hardware advances, he considers it "possible to have a fault-tolerant quantum computer running Shor's algorithm before the next US presidential election". But he also made clear that this is not equivalent to a CRQC threatening cryptography: even just factorizing 15 = 3 × 5 under a fault-tolerant regime would count as "fulfilling the prophecy." This is clearly not on the same scale as breaking RSA-2048.
In fact, all quantum experiments "factorizing 15" use simplified circuits, not the full fault-tolerant Shor's algorithm; factorizing 21 even required additional hints and shortcuts.
Simply put, no public progress demonstrates that we can build a quantum computer capable of breaking RSA-2048 or secp256k1 within the next 5 years.
Predicting it within ten years is still very aggressive.
The US government's proposal to complete the post-quantum migration for government systems by 2035 is a timeline for the migration project itself, not a prediction that CRQC will appear by then.
Which Cryptographic Systems Are Susceptible to HNDL Attacks?
"HNDL (Harvest Now, Decrypt Later)" refers to attackers storing encrypted communications now to decrypt them later when quantum computers become available.
Nation-state adversaries are likely already archiving encrypted US government communications on a massive scale for future decryption. Therefore, encryption systems need immediate migration, especially for scenarios where confidentiality is required for 10–50 years or more.
However, digital signatures, which all blockchains rely on, are different from encryption: they contain no secret information vulnerable to retrospective attacks.
In other words, when quantum computers arrive, they could indeed forge signatures from that moment onward, but past signatures remain unaffected—because they leak no secret. As long as it can be proven that a signature was generated before the advent of CRQC, it could not have been forged.
Consequently, the urgency to migrate to post-quantum signatures is far lower than for encryption migration.
Mainstream platforms have adopted corresponding strategies:
- Chrome and Cloudflare have deployed hybrid X25519+ML-KEM for TLS.
- Apple iMessage (PQ3) and Signal (PQXDH, SPQR) have also deployed hybrid post-quantum encryption.
But the deployment of post-quantum signatures on critical web infrastructure has been deliberately delayed—it will only happen when CRQC truly approaches, because the performance regression of current post-quantum signatures is still significant.
The situation is similar for zkSNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge). Even those using elliptic curves (not PQ-secure) retain their zero-knowledge property in a quantum context.
The zero-knowledge guarantee means the proof does not leak any secret witness, so attackers cannot "harvest proofs now and decrypt later." Therefore, zkSNARKs are not susceptible to HNDL attacks. Just like signatures generated today are secure, any zkSNARK proof generated before the advent of quantum computers is trustworthy—even if that zkSNARK uses elliptic curve cryptography. Only after CRQC emerges could attackers forge proofs for false statements.
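The distinction drawn above between encryption (HNDL-exposed) and signatures or zkSNARK proofs (not HNDL-exposed) can be turned into a triage rule. The following Python is an added example, not code from the original article; it applies Mosca's inequality (if the data's shelf life X plus the migration time Y exceeds the time Z until a CRQC, the data is already at risk) to HNDL-exposed primitives, and for signatures and proofs only asks whether the migration can finish before Z. The asset inventory and all year values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Primitive(Enum):
    # Key exchange / public-key encryption: ciphertext recorded today can be
    # decrypted retroactively once a CRQC exists (HNDL-exposed).
    ENCRYPTION = "encryption"
    # Signatures and zkSNARK proofs leak no secret, so an artifact produced
    # before a CRQC exists cannot be forged retroactively.
    SIGNATURE = "signature"
    ZK_PROOF = "zk_proof"


HNDL_EXPOSED = {
    Primitive.ENCRYPTION: True,
    Primitive.SIGNATURE: False,
    Primitive.ZK_PROOF: False,
}


@dataclass(frozen=True)
class Asset:
    name: str
    primitive: Primitive
    shelf_life_years: float   # X: how long the protected property must hold
    migration_years: float    # Y: realistic time to migrate this system


def triage(asset: Asset, years_until_crqc: float) -> str:
    """Migration priority for one asset given Z = years_until_crqc (assumed).

    Mosca's inequality: for HNDL-exposed data, X + Y > Z means traffic
    harvested during the migration window will still be secret-worthy
    when a CRQC arrives, so migration cannot wait.
    """
    if HNDL_EXPOSED[asset.primitive]:
        if asset.shelf_life_years + asset.migration_years > years_until_crqc:
            return "migrate now"
        return "schedule migration"
    # No retroactive exposure: past artifacts stay valid, so the shelf life
    # drops out and only finishing before the CRQC matters.
    if asset.migration_years >= years_until_crqc:
        return "start migration"
    return "monitor; pre-CRQC artifacts stay valid"


def triage_all(assets, years_until_crqc: float) -> dict:
    return {a.name: triage(a, years_until_crqc) for a in assets}


# Constructed sample inventory (illustrative values, not from any real system).
SAMPLE_ASSETS = [
    Asset("archived diplomatic cables (TLS)", Primitive.ENCRYPTION, 30, 5),
    Asset("short-lived session tokens (TLS)", Primitive.ENCRYPTION, 0.01, 5),
    Asset("blockchain transaction signatures", Primitive.SIGNATURE, 50, 8),
    Asset("zkSNARK rollup proofs", Primitive.ZK_PROOF, 50, 8),
]

if __name__ == "__main__":
    # Z = 10 years is an assumed CRQC horizon, not a prediction.
    for name, verdict in triage_all(SAMPLE_ASSETS, years_until_crqc=10).items():
        print(f"{name:38s} -> {verdict}")
```

Note that the two long-lived artifacts (signatures and proofs with a 50-year shelf life) are not flagged while the 30-year cables are: the shelf life only enters the calculation for the primitive that leaks something worth harvesting.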