The Quantum Threat Timeline: When Will Quantum Computers Truly Threaten Cryptographic Security?

When Will Quantum Computing Break Encryption? The answer to this question is often distorted by corporate hype and media sensationalism. From milestone demonstrations by tech companies to government policy planning, the timeline of quantum threats is repeatedly exaggerated, fueling urgent calls for “immediate and comprehensive transition to post-quantum cryptography.” But these voices often overlook a key reality: different cryptographic tools face fundamentally different quantum threats, and acting too early may carry costs far greater than the risks of delay.

According to an in-depth analysis by a16z research partner Justin Thaler, the discussion of “cryptographically relevant quantum computers” (CRQCs, machines large enough to break deployed public-key cryptography) needs a rational footing: not all cryptographic tools are in the same state of urgent danger.

How Far Away Is a Cryptographically Relevant Quantum Computer?

Regarding the timeline for quantum computers to break encryption, there are many conflicting predictions. Some companies claim they will get there by 2030 or even 2035, but a closer look at the technical details reveals a large gap between these promises and actual progress.

A cryptographically relevant quantum computer must meet several stringent conditions at once: it must be fault-tolerant, with working error correction; it must be able to run Shor’s algorithm, the algorithm that breaks RSA and elliptic-curve cryptography; and it must be large enough to break a deployed key size such as RSA-2048 or a 256-bit elliptic curve within a reasonable time frame (say, under a month).

Judged against publicly available milestones, such machines are still far beyond the horizon. Systems with more than 1,000 qubits represent progress in raw qubit count, not in practical capability: they generally lack the connectivity and gate fidelity needed for cryptographic computations.

The core bottleneck is quality, not quantity. Breaking modern public-key cryptography is estimated to require hundreds of thousands to a few million physical qubits, and even that is a rough figure that assumes good qubit connectivity, high gate fidelity, and error correction deep enough to sustain a long-running circuit. Today’s most advanced systems reliably operate at most a handful of logical qubits; running Shor’s algorithm at cryptographic scale needs thousands of high-fidelity, fault-tolerant logical qubits, a gap of roughly three orders of magnitude.

Rational judgment: until qubit counts grow by three to four orders of magnitude and error rates fall far enough to support deep fault-tolerant circuits, a CRQC capable of breaking modern cryptography will not exist.

However, corporate press releases and media reports often create confusion:

  • The illusion of “quantum advantage”: most current demonstrations are tasks chosen because existing hardware can run them and classical simulation is slow, not because they are useful. This is usually understated or omitted in the publicity.

  • Misleading claims about physical qubits: the “thousands of physical qubits” often cited belong to quantum annealers, a different kind of machine from the gate-model quantum computers that could run Shor’s algorithm.

  • Misuse of “logical qubits”: some companies report, for example, 48 logical qubits at a cost of only two physical qubits per logical qubit. That is not a meaningful fault-tolerance milestone, because the codes used at that ratio can only detect errors, not correct them.

  • Misleading roadmaps: many roadmaps count “logical qubits” that support only Clifford operations. Clifford circuits can be simulated efficiently on classical computers and cannot run the T-gate-heavy circuits that Shor’s algorithm requires, so a roadmap promising thousands of such logical qubits is not a promise of breaking encryption at that point.

These practices distort public understanding of quantum progress, even among seasoned industry observers.

“Harvest Now, Decrypt Later”: Who Is Truly in Danger?

To understand the urgency of quantum threats, we must distinguish between two types of cryptographic tools: encryption and digital signatures.

“Harvest Now, Decrypt Later” (HNDL) attacks work like this: an attacker stores encrypted traffic today, waiting for future quantum computers to decrypt it. State-level adversaries are likely archiving large amounts of encrypted communications from governments and corporations, preparing for that day.

Therefore, encryption indeed needs immediate upgrading — at least for data that requires confidentiality for 10 to 50 years. This is a real, unavoidable danger period.

Digital signatures are different. A signature protects authenticity, not confidentiality, so there is nothing to decrypt retroactively. A future quantum computer could forge new signatures under a classical key, but it cannot invalidate signatures that were created and verified before it existed. As long as you can prove that a signature was produced before the quantum computer’s advent (for example, through a trusted timestamp or inclusion in a public ledger), it remains trustworthy.

This distinction is crucial because it determines the urgency of upgrading different tools.

In practice, platforms are acting accordingly:

  • Chrome and Cloudflare have deployed a hybrid key exchange for TLS that combines X25519 with ML-KEM. “Hybrid” is the key word: the session key is derived from both the classical and the post-quantum shared secret, so an attacker must break both. That defeats HNDL (recorded traffic stays safe unless ML-KEM also falls) while preserving today’s security if the newer post-quantum scheme turns out to have a flaw.

  • Apple’s iMessage (PQ3 protocol) and Signal (PQXDH and SPQR protocols) have also adopted similar hybrid post-quantum encryption.

In contrast, deployment of post-quantum digital signatures on critical infrastructure has been delayed — not because they are unnecessary, but because current post-quantum signature schemes tend to have significant performance drawbacks and implementation complexity.

The Quantum Crisis in Blockchain: Real Threat or Overhyped?

This is good news for cryptocurrencies: most blockchains are not exposed to HNDL attacks at all.

Transparent chains like Bitcoin and Ethereum use classical signatures to authorize transactions; they do not encrypt anything, so there is nothing for an HNDL attacker to harvest. Bitcoin’s ledger is fully public and every transaction is already visible on-chain. The quantum threat is signature forgery (and therefore theft of funds), not decryption of data that was never secret.

This point is often misunderstood, even by authorities. The Federal Reserve and others have incorrectly described Bitcoin as vulnerable to HNDL, greatly overstating the urgency of migration.

The real exception is privacy coins. Many privacy-focused chains encrypt or hide recipient addresses and amounts, and that confidential data can be harvested now and de-anonymized later, once a quantum computer can break elliptic-curve cryptography. In Monero, for instance, ring signatures and key images could then be unwound to reconstruct the full transaction graph.

Therefore, if privacy coin users care about their transactions not being exposed in the future, these chains should transition to post-quantum primitives or hybrid schemes as soon as possible, or adopt architectures that do not put decryptable secrets on-chain.

The Bitcoin Dilemma: Why Not Just Wait for Quantum Computers?

For Bitcoin, practical reasons drive the immediate planning of post-quantum migration, but these are largely unrelated to quantum technology itself.

First, governance speed: Bitcoin’s governance is extremely slow; any contentious change risks a disruptive hard fork. Social coordination is the fundamental challenge.

Second, the protocol cannot migrate coins on holders’ behalf: each holder must actively move funds to an output protected by a new signature scheme, so abandoned coins and coins under quantum-vulnerable scripts cannot be protected by the protocol. Millions of such “sleeping” coins, worth billions of dollars, are estimated to be in this position.

But this is not an overnight apocalypse. Early quantum attacks will be costly and slow, so a rational attacker will target high-value wallets selectively. Users who avoid address reuse and keep their coins in hash-based output types (P2PKH or P2WPKH rather than Taproot) are relatively safe: their public keys stay hidden behind a hash until they spend, and the attacker only has the short window between broadcast and confirmation of the spending transaction in which to act.

The truly vulnerable coins are those whose public keys are already exposed on-chain: early pay-to-public-key (P2PK) outputs, reused addresses whose keys were revealed by an earlier spend, and Taproot outputs, which place the 32-byte output key directly in the output script.
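To make the three categories concrete, the following script is an added example (not code from the original article) that classifies a Bitcoin scriptPubKey by its standard template and reports whether a quantum attacker could already see the public key. The opcode templates are the standard Bitcoin script forms; the sample outputs and the set of “already revealed” payloads are constructed by hand, where a real tool would fill the latter by scanning scriptSigs and witnesses of spent outputs.

```python
"""Classify Bitcoin outputs by whether a quantum attacker could see the key.

Added example (not from the original article). Sample outputs below are
constructed, not real chain data.
"""

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC,
)


def classify_script(spk: bytes):
    """Return (script_type, payload, key_on_chain) for a scriptPubKey.

    payload is the public key or hash the script commits to.
    key_on_chain is True when the public key itself is in the script, so an
    attacker who can solve ECDLP could derive the private key at leisure.
    Hash-based outputs (P2PKH, P2SH, P2WPKH, P2WSH) reveal nothing until spent.
    """
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG  (early coinbase outputs)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK", spk[1:-1], True
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", spk[3:23], False
    # P2SH: OP_HASH160 <push 20> <hash160(redeem script)> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "P2SH", spk[2:22], False
    # Segwit v0: OP_0 <push 20|32> <witness program>
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", spk[2:], False
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH", spk[2:], False
    # Taproot: OP_1 <push 32> <x-only output key>; the key *is* the program
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", spk[2:], True
    return "nonstandard", b"", False


def quantum_exposure(utxos, revealed):
    """Map each outpoint to (script_type, reason); reason is None when the
    output stays safe until it is spent.

    utxos: iterable of (outpoint, scriptPubKey bytes).
    revealed: set of payloads (hash160 / witness program) whose preimage has
      already appeared on-chain because some output paying that payload was
      spent. Reuse across script types counts: a P2PKH spend reveals the
      pubkey behind the same hash160 used by a P2WPKH output.
    """
    report = {}
    for outpoint, spk in utxos:
        kind, payload, key_on_chain = classify_script(spk)
        if key_on_chain:
            reason = "public key is in the output script"
        elif payload in revealed:
            reason = "address reuse: key or script revealed by an earlier spend"
        else:
            reason = None
        report[outpoint] = (kind, reason)
    return report


# Constructed sample data (shapes only; not real keys or hashes).
PUBKEY = bytes.fromhex("02" + "11" * 32)   # a 33-byte compressed key shape
H160 = bytes.fromhex("22" * 20)            # stands in for hash160(PUBKEY)
XONLY = bytes.fromhex("33" * 32)           # a 32-byte x-only key shape

SAMPLE_UTXOS = [
    ("tx1:0", bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])),                                  # P2PK
    ("tx2:0", bytes([OP_DUP, OP_HASH160, 20]) + H160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),  # P2PKH
    ("tx3:1", bytes([OP_0, 20]) + H160),                                                      # P2WPKH, same hash160
    ("tx4:0", bytes([OP_1, 32]) + XONLY),                                                     # P2TR
    ("tx5:0", bytes([OP_0, 32]) + XONLY),                                                     # P2WSH
]
# Assume an earlier transaction already spent an output paying H160, which put
# PUBKEY in its scriptSig: both tx2:0 and tx3:1 are now exposed by reuse.
SAMPLE_REVEALED = {H160}

if __name__ == "__main__":
    for outpoint, (kind, reason) in quantum_exposure(SAMPLE_UTXOS, SAMPLE_REVEALED).items():
        print(f"{outpoint:6} {kind:12} {'EXPOSED: ' + reason if reason else 'hidden until spent'}")
```

The classifier reports P2PK and P2TR as exposed outright, flags the P2PKH and P2WPKH outputs only because the same hash160 has already been spent from, and leaves the P2WSH output as safe until spent. A real audit tool would derive the revealed set from the chain; the logic that decides exposure is the part shown here.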

For abandoned vulnerable coins, solutions are tricky: the community could set a “deadline” after which un-migrated coins are considered destroyed, or accept that they may be seized by future quantum-capable adversaries. The latter raises serious legal and security issues.

Bitcoin also faces a unique logistical constraint: low transaction throughput. Even with a migration plan in place, moving every vulnerable output at current block capacity could take months.

Conclusion: Bitcoin must start planning its post-quantum transition now, not because a quantum computer is expected before 2030 (the evidence does not support that), but because the governance, coordination, and logistics of migrating hundreds of billions of dollars will take years. The threat is real, but the time pressure comes mainly from Bitcoin’s own constraints, not from an imminent quantum computer.

The Cost and Risks of Post-Quantum Migration: Why Rushing Is Dangerous

Post-quantum cryptography draws on five main families of hard problems: hash-based, code-based, lattice-based, multivariate quadratic, and supersingular isogeny-based. The diversity reflects a fundamental trade-off: more algebraic structure usually buys efficiency, but it also gives cryptanalysts more to work with.

  • Hash-based schemes are the most conservative (their security rests only on the hash function) but have the worst performance. The NIST-standardized hash-based signatures are at least 7–8 KB, versus about 64 bytes for a current elliptic-curve signature, roughly a hundredfold difference.

  • Lattice schemes are the focus of deployment. NIST’s ML-KEM, and two of the three signature schemes it selected (ML-DSA and Falcon), are lattice-based.

  • ML-DSA signatures are about 2.4–4.6 KB, 40 to 70 times larger than today’s signatures.

  • Falcon signatures are smaller (0.7–1.3 KB), but the scheme is notoriously hard to implement: signing requires constant-time floating-point arithmetic, and successful side-channel attacks on implementations have been reported. One of its designers called it “the most complex cryptographic algorithm I have ever implemented.”

Implementation security is harder as well: lattice-based signatures handle more sensitive intermediate values and rely on rejection sampling, so they need stronger side-channel and fault-injection countermeasures than the schemes they replace.

History should warn us: leading candidates in the NIST process, including Rainbow (multivariate signatures) and SIKE/SIDH (isogeny-based cryptography), were broken by classical attacks late in the process. That underscores the risk of premature standardization and deployment.

Internet infrastructure has taken a deliberately cautious approach to signature migration, and for good reason: cryptographic transitions are slow. The move away from MD5 and SHA-1 took many years and is still not complete.

What to Do Now: Practical Recommendations

Based on the above, the guiding principles are: take the quantum threat seriously, but do not assume a CRQC will appear before 2030, because current progress does not support that. Meanwhile, several actions can and should be taken now.

01. Deploy hybrid encryption immediately

Where long-term confidentiality is needed and costs are acceptable, deploy hybrid post-quantum encryption schemes now. Many browsers, CDNs, and communication apps (iMessage, Signal) have already started. Hybrid schemes (post-quantum + classical) prevent HNDL attacks and mitigate potential weaknesses in post-quantum schemes.

02. Use hash signatures in tolerant scenarios

For low-frequency signing where large signatures are tolerable (software and firmware updates), hash-based signatures can be deployed now, combined with a classical signature in a hybrid. They provide a conservative “lifeboat” in case quantum computers arrive unexpectedly early.
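The size figures given earlier for hash-based schemes and the “lifeboat” role described here both follow from one idea: a hash-based signature reveals hash preimages, one per bit of the message digest. The block below is an added illustration, not code from the article and not the NIST SLH-DSA construction; it implements Lamport’s one-time signature over SHA-256, the simplest member of the family, so that the kilobyte-scale sizes and the strict one-time rule can be measured directly. Message strings are constructed examples.

```python
"""Lamport one-time signature over SHA-256.

Added example (not from the original article, and not the NIST-standardized
scheme): the simplest hash-based signature, included to show where the
multi-kilobyte sizes of hash-based schemes come from and why a key is
strictly one-time.
"""
import hashlib
import secrets

N = 256    # we sign a 256-bit digest: one secret pair per digest bit
SEG = 32   # bytes per preimage and per hash output


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen():
    """sk: N pairs of random preimages; pk: their hashes.

    Security rests only on SHA-256 preimage resistance, an assumption Shor's
    algorithm does not touch (Grover's search merely halves the exponent,
    which a 256-bit hash absorbs).
    """
    sk = [(secrets.token_bytes(SEG), secrets.token_bytes(SEG)) for _ in range(N)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, msg: bytes) -> bytes:
    """For each digest bit, reveal the preimage selected by that bit."""
    return b"".join(sk[i][b] for i, b in enumerate(digest_bits(msg)))


def verify(pk, msg: bytes, sig: bytes) -> bool:
    """Hash every revealed preimage and compare with the matching pk entry."""
    if len(sig) != N * SEG:
        return False
    for i, b in enumerate(digest_bits(msg)):
        if H(sig[i * SEG:(i + 1) * SEG]) != pk[i][b]:
            return False
    return True


def sizes() -> dict:
    """Byte sizes that follow directly from the construction."""
    return {
        "signature": N * SEG,        # 8,192 bytes, vs ~64 for an EC signature
        "public_key": 2 * N * SEG,   # 16,384 bytes
        "secret_key": 2 * N * SEG,
    }


def preimages_revealed(msgs) -> int:
    """Count the secret preimages (out of 2*N) an observer learns when ONE
    key signs the given messages. A single message reveals exactly N; every
    further message with a different digest reveals more, which is why a
    Lamport key must never sign twice. Deployed hash-based schemes solve
    this by using each one-time key exactly once, either by tracking state
    or, in stateless designs, by drawing keys from a very large tree.
    """
    seen = set()
    for m in msgs:
        seen.update(enumerate(digest_bits(m)))
    return len(seen)
```

Signing a firmware image with this scheme costs an 8 KB signature and a 16 KB public key, the same order of magnitude as the 7–8 KB quoted for the standardized hash-based signatures, and the reason is visible in `sign`: there is no algebra to compress, only 256 revealed preimages. `preimages_revealed` is the check to keep in mind for any hash-based deployment: signing two different messages with one Lamport key hands over roughly three quarters of the secret key.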

03. Blockchain should start planning immediately

Urgent deployment of post-quantum signatures on blockchains is unnecessary, but planning should begin now, following the PKI community’s cautious approach, so that solutions are mature when they are needed.

04. Define migration pathways

Public chains like Bitcoin need clear post-quantum migration plans and policies for “sleeping” vulnerable funds. Bitcoin especially must start now; the main challenges are governance and social coordination, not technology.

05. Allocate time for research maturation

Post-quantum SNARKs and aggregatable signatures need years to mature; rushing into suboptimal solutions risks locking in vulnerabilities.

06. Account design insights

For platforms like Ethereum, upgradeable smart contract wallets could provide smoother migration paths. Account abstraction (decoupling identity from signature schemes) offers greater flexibility, aiding post-quantum transition and enabling features like sponsored transactions and social recovery.

07. Privacy coins should move first

Privacy coins’ confidentiality is exposed to HNDL attacks. They should transition promptly (if performance allows), possibly via hybrid schemes or architecture changes that do not put decryptable secrets on-chain.

08. Short-term priorities: security first

In the coming years, implementation vulnerabilities and side-channel attacks are a more immediate risk than quantum computers. Invest now in audits, fuzzing, formal verification, and layered defenses; don’t let quantum anxiety overshadow more pressing security risks.

09. Continue funding research

From a national security perspective, sustained investment in research and talent development is essential. An adversary that gained quantum cryptanalytic capability first would pose a serious risk.

10. Rationally interpret quantum news

Milestones will continue, but each one demonstrates how far we are from real threats. News should be critically evaluated as progress reports, not signals for rushed action.

Epilogue: Finding Balance Before a CRQC Arrives

Breakthroughs may accelerate timelines and bottlenecks may extend them. We do not claim that a threat could not emerge within five years, only that the likelihood is low on current publicly available evidence.

Following these recommendations helps us avoid more immediate and tangible risks: implementation flaws, rushed deployments, and poor cryptographic transitions. These issues are not distant future problems but can already cause harm in the years before truly dangerous quantum computers threaten us.
