The Quantum Threat: Why Act Now
Quantum computing is no longer a laboratory curiosity. In December 2024, Google unveiled Willow, a 105-qubit processor that solved in under five minutes a problem that would take a classical supercomputer ten septillion years. A few months later, in 2025, IBM introduced Nighthawk, a 120-qubit chip integrated into a modular system designed to scale well beyond its current capacity. These breakthroughs are not isolated. They are part of a curve of technological acceleration that is reshaping the global information security landscape.
Shor's Algorithm and the End of Classical Cryptography
Public-key cryptography, as we have known it since the 1970s, relies on the mathematical difficulty of certain problems for classical computers. RSA is based on the factorization of large integers, while elliptic-curve schemes such as ECDH and ECDSA exploit the discrete logarithm problem. These problems are considered intractable for classical machines, even the most powerful ones, when sufficiently large key sizes are used.
Shor's algorithm, published in 1994 by mathematician Peter Shor, fundamentally changes this equation. This quantum algorithm can factorize integers and solve the discrete logarithm problem in polynomial time, meaning within a reasonable timeframe even for the longest keys. In practical terms, a sufficiently powerful quantum computer could break RSA-2048, ECDH-256, and ECDSA within hours, rendering virtually all encryption infrastructures deployed worldwide obsolete.
A Closer Horizon Than Expected
The scientific community estimates that a cryptographically relevant quantum computer (CRQC) will arrive between 2030 and 2035. These estimates, once considered conservative, now appear optimistic to some researchers. In May 2025, a Google researcher demonstrated that fewer than one million qubits would suffice to break RSA-2048, whereas 2021 estimates placed this threshold at twenty million qubits. This reduction of more than 95% in the number of required qubits illustrates how rapidly the barriers are falling.
These advances should not be analyzed in isolation. Progress in quantum error correction, the decreasing cost of cryogenic systems, and massive state investment in quantum research all converge toward the same conclusion: the threat is approaching faster than anticipated.
Harvest Now, Decrypt Later: Today's Threat
The most dangerous mistake would be to believe that the quantum threat is a future problem. It is already a present reality, and it has a name: Harvest Now, Decrypt Later (HNDL), sometimes called Store Now, Decrypt Later (SNDL). This strategy, documented by numerous intelligence agencies, consists of intercepting and storing classically encrypted communications today, with the intention of decrypting them once a quantum computer becomes available.
For data whose confidentiality lifespan exceeds ten years, what is known as the "vulnerability window" is already open. State secrets, medical records, defense plans, sensitive financial transactions, and strategic intellectual property: all of this information, if encrypted today with vulnerable algorithms, will be readable tomorrow. Governments, defense stakeholders, the financial sector, healthcare, and critical infrastructure operators are on the front line of this silent threat.
Regulatory Responses Accelerate
In response to this reality, standardization authorities and regulators have begun to act. In August 2024, the American NIST published the first three post-quantum standards: FIPS 203 (ML-KEM, a key encapsulation mechanism), FIPS 204 (ML-DSA, a digital signature algorithm), and FIPS 205 (SLH-DSA, a hash-based signature scheme). These publications mark the transition from theoretical research to industrial standardization. The algorithms are now available, tested, and ready to be integrated into security products.
The European Union published its PQC roadmap in 2024, recommending that all member states begin their cryptographic migration before the end of 2026 and finalize the transition of high-risk systems by 2030. In France, ANSSI announced that starting in 2027, no security product will be granted a security visa without integrating post-quantum mechanisms. This deadline, now enshrined in the French regulatory framework, transforms what was a technical recommendation into a market obligation.
The Migration Starts Now
Waiting for the effective arrival of quantum computers before beginning the migration would be a major strategic error. Cryptographic migration is a long and complex process. It involves a comprehensive inventory of cryptographic assets, a risk assessment by data type, the selection of post-quantum algorithms suited to each use case, integration into existing systems, performance validation, and obtaining the necessary certifications.
Experience shows that large-scale cryptographic transitions take between five and ten years. The move from SHA-1 to SHA-256, or the migration from TLS 1.0 to TLS 1.3, each required nearly a decade. The post-quantum transition will be even more complex, as it affects not only transport protocols but also key exchange, digital signatures, certificates, VPNs, payment systems, and trust infrastructures as a whole.
Organizations that begin their preparation now will have time to test algorithms in hybrid mode, that is, by combining a classical algorithm with a post-quantum algorithm to guarantee security even if one of the two proves vulnerable. This approach, recommended by ANSSI and the German BSI, enables a progressive transition without service disruption. Those that wait will face a wall: migrating under urgency, with the risks of error that entails, while being potentially exposed to HNDL attacks throughout the duration of the transition.
The quantum threat is not a question of "if," but of "when." And in the field of cryptography, the only viable strategy is to anticipate.