Separating Threat from Hype with Quantum Computing

We are often asked about the quantum computing threat to RSA. Adversaries may already be harvesting encrypted traffic for future decryption, NIST has finalized post-quantum standards, and NSA's CNSA 2.0 timeline calls for transition by 2030. What is tiCrypt doing about it?

Rather than keep this answer in inboxes, we are putting it on the record.

---

The compliance position

tiCrypt's encryption architecture is built around FIPS-validated cryptography, as CMMC Level 2 requires. Under SC.L2-3.13.11, the cryptographic module must carry a current CMVP validation, and all operations must use approved algorithms.

NIST published algorithm standards for ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) in August 2024. On the same day, CMVP updated SP 800-140C and SP 800-140D to list these algorithms as approved methods under FIPS 140-3. CAVP algorithm certificates for ML-KEM and ML-DSA implementations followed shortly. The PQC algorithms are standardized and approved.

However, algorithm approval and module validation are distinct steps in the FIPS 140-3 framework. CMMC Level 2 (SC.L2-3.13.11) requires that cryptographic operations run inside a CMVP-validated module, not merely that they use an approved algorithm. As of this writing, the first CMVP module certificates covering PQC algorithms are beginning to emerge, and several general-purpose cryptographic libraries are in the CMVP validation queue. Until a validated module is available and integrated, deploying PQC as the sole protection for CUI creates a compliance gap.

This does not mean PQC adoption must wait for RSA deprecation. In hybrid key exchange, a CMVP-validated classical algorithm runs alongside a PQC algorithm such as ML-KEM. This maintains compliance because the validated algorithm continues to protect the key exchange. The PQC layer adds defense in depth without removing the validated baseline. This is the approach tiCrypt intends to pursue as validated PQC modules become available.

The most aggressive government timeline comes from NSA's CNSA 2.0 guidance, which phases out RSA and elliptic curve cryptography for national security systems on the following schedule:

Date	Milestone
January 2027	No new NSS acquisitions using RSA or ECC for key establishment
2030	Deprecation of RSA-2048
2033	Exclusive use of CNSA 2.0 algorithms across all national security systems

Two points of context. First, CNSA 2.0 applies to NSS (classified and national security environments), not to CMMC-assessed contractor environments. Second, the timeline is precautionary, driven by the harvest-now, decrypt-later concern for classified data with multi-decade sensitivity. It is not a response to a demonstrated quantum factoring capability.

That is the compliance answer. The rest of this article addresses a more fundamental question: is RSA-2048 actually under threat from quantum computers?

---

The only viable attack: Shor's algorithm

To break RSA-2048, an attacker must factor a 2048-bit semiprime (a product of two large primes). This number has approximately 617 decimal digits.

Shor's algorithm, published by Peter Shor in 1994, is the only quantum algorithm capable of factoring large integers in polynomial time. Shor's algorithm reduces integer factorization to quantum period-finding using the Quantum Fourier Transform (QFT). Regev (FOCS, 2023) proposed an alternative quantum factoring algorithm with different resource trade-offs, but all practical resource estimates for breaking RSA center on Shor's algorithm and its variants.

Other quantum computing paradigms, such as adiabatic quantum annealing, do not implement Shor's algorithm and cannot scale to factor numbers of cryptographic size. Adiabatic annealing solves optimization problems. Integer factorization can be reformulated as an optimization problem, but the resulting formulations do not scale tractably to RSA-2048.

Shor's algorithm is the primary path. Everything that follows depends on whether it can be physically implemented at the scale RSA-2048 requires.

In plain terms

RSA encryption works like a padlock that can only be opened by finding two secret prime numbers that were multiplied together to make one very large number. Shor's algorithm is the only known quantum shortcut for finding those two primes. The rest of this article asks: can that shortcut actually be built?

---

The current state of quantum factoring

The largest number factored by a quantum computer using Shor's algorithm is 21 = 3 × 7, achieved in 2012 (Martin-Lopez et al., Nature Photonics, 2012). The previous record was 15 = 3 × 5, factored in 2001.

These are two-digit numbers.

RSA-2048 requires factoring a 617-digit number. The gap between current quantum capability and the requirements for RSA-2048 is vast, as the following sections explain.

To put this in perspective:

	Largest number factored	Size	Year
Classical (general number field sieve)	RSA-250	829 bits (250 decimal digits)	2020
Quantum (Shor's algorithm)	21 = 3 × 7	5 bits (2 decimal digits)	2012

Classical factoring has advanced steadily over decades. Quantum factoring has been stuck at two digits for over thirteen years. The integer factorization records on Wikipedia track both efforts; the quantum section has not been updated since 2012.

This does not mean the field has stalled. Research has shifted from demonstrating Shor's algorithm on toy numbers to building the fault-tolerant infrastructure (error correction, magic state distillation, surface codes) that a cryptographically relevant machine would require. The factoring record reflects the limits of pre-fault-tolerant hardware, not the state of the field.

---

The precision challenge

Understanding the quantum threat requires examining what Shor's algorithm demands from the hardware and how fault-tolerant quantum computing addresses those demands.

How Shor's algorithm uses phase rotations

Shor's algorithm relies on the Quantum Fourier Transform, which applies a sequence of controlled phase rotation gates to a quantum register. For an $n$-qubit register, the QFT applies gates that rotate the quantum phase by progressively smaller angles:

$$R_k = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i / 2^k} \end{pmatrix}$$

The gate $R_k$ applies a phase shift of $\frac{2\pi}{2^k}$ radians. The QFT on $n$ qubits requires gates up to $R_n$, meaning the smallest phase rotation is:

$$\theta_{\min} = \frac{2\pi}{2^n}$$

What RSA-2048 demands

To factor a 2048-bit number, Shor's algorithm operates on a register of at least $n = 2048$ qubits (some formulations require $2n = 4096$). Taking the minimum $n = 2048$, the smallest phase rotation required is:

$$\theta_{\min} = \frac{2\pi}{2^{2048}}$$

To appreciate how small this is:

$$2^{2048} \approx 10^{617}$$

So the required phase precision is on the order of $10^{-617}$ radians.

Physical limits on analog precision

How far is $10^{-617}$ radians beyond physical reality? Consider what the laws of physics actually permit.

The Planck angle. The Planck length ($\ell_P \approx 1.6 \times 10^{-35}$ m) and the radius of the observable universe ($r \approx 4.4 \times 10^{26}$ m) define the finest rotation conceivable under quantum mechanics at cosmic scale: a disk the size of the universe, turned by one Planck length.

$$\theta_{\text{Planck}} = \frac{\ell_P}{r_{\text{universe}}} \approx \frac{1.6 \times 10^{-35}}{4.4 \times 10^{26}} \approx 3.6 \times 10^{-62} \text{ radians} \approx \frac{2\pi}{2^{207}}$$

That precision is sufficient to run Shor's algorithm on a key of roughly 207 bits.

The universe as a computer. The Margolus-Levitin theorem bounds computation: a system with energy $E$ can perform at most $2E / \pi\hbar$ orthogonal state transitions per second. Devote all the energy in the observable universe ($E \approx 1.35 \times 10^{70}$ J) to generating distinguishable quantum phase states for its entire age ($t \approx 4.35 \times 10^{17}$ s):

$$N \approx \frac{2 \, E_{\text{universe}} \cdot t_{\text{universe}}}{\pi\hbar} \approx 3.5 \times 10^{121}$$

The finest achievable phase resolution is $2\pi / N \approx 10^{-121}$ radians, or roughly $2\pi / 2^{403}$. Every quantum operation the observable universe could have performed since the Big Bang, devoted entirely to phase precision, factors an RSA key of at most 403 bits.

Scenario	Phase precision	RSA key size
Best achieved measurement (LIGO interferometry)	$\sim 10^{-11}$ rad	~39 bits
Planck angle (cosmic disk, Planck-length arc)	$\sim 10^{-62}$ rad	~207 bits
All energy in the universe for its entire lifetime	$\sim 10^{-121}$ rad	~403 bits
RSA-2048 requirement	$\sim 10^{-617}$ rad	2048 bits

Note that classical computers have already factored RSA keys of 829 bits (RSA-250, factored in 2020 using the general number field sieve). The physical limits of analog quantum phase precision, under the most extreme conceivable conditions, fall short of what classical methods already achieve.

In plain terms

Build a dial the size of the observable universe and turn it by the smallest distance quantum mechanics allows. That turn is precise enough to factor a 207-bit key. Harness every particle in the universe and let it compute since the Big Bang: you reach a 403-bit key. RSA-2048 demands precision roughly $10^{500}$ times finer. No amount of engineering closes that gap through more precise analog components.

From algorithm to implementation

If Shor's algorithm required direct analog phase rotations at these scales, the threat to RSA-2048 would be nonexistent. But fault-tolerant quantum computing does not work that way.

In the fault-tolerant model, arbitrary-angle phase rotations are not performed as direct analog operations. Instead, they are decomposed into sequences of discrete gates from the Clifford+T gate set (a universal set of quantum operations). The Solovay-Kitaev theorem guarantees that any rotation can be approximated to precision $\varepsilon$ using $O(\log^c(1/\varepsilon))$ gates from this set. The precision emerges from the length of the gate sequence, not from the physical fidelity of any individual gate.

Each physical gate requires only error rates around $10^{-3}$ (99.9% fidelity), which current quantum hardware approaches. The $10^{-617}$ radian rotation is not performed directly. It is synthesized from a sequence of discrete gates that each operate at physically achievable precision.

In plain terms

This is like building a precise angle out of Lego bricks. Each brick snaps to fixed positions; you cannot bend a brick by a fraction of a degree. But by stacking enough bricks in the right sequence, you can approximate any angle you want. The precision comes from how many bricks you use, not from how precise each brick is. Fault-tolerant quantum computing works the same way: many standard-precision gates chained together to achieve the precise rotation the algorithm needs.

The approximate QFT

The approximate QFT (Coppersmith, IBM Research Report, 1994) further reduces the challenge. Because phase rotations below a precision threshold contribute negligibly to the algorithm's output, each qubit needs at most $O(\log n)$ controlled rotations rather than $n$. Fowler and Hollenberg (Physical Review A, 2004) showed that rotations of only $\sim\pi/64$ ($\approx 0.05$ radians) suffice to factor integers thousands of bits long. For RSA-2048, this reduces the QFT from millions of gates to roughly 53,000 controlled rotations. The remaining rotations are synthesized through Clifford+T decomposition, with each rotation consuming T gates produced through magic state distillation.

The precision requirement does not vanish; it shifts from a demand for analog physical precision to a demand for digital resources (more T gates, more magic state distillation, more physical qubits). The cost is real and large, but it scales polynomially with the input size.

The trade-off

Shor's algorithm does not eliminate the difficulty of factoring. It transforms it.

At the algorithm level, the trade-off is stark: exponential speedup demands exponential precision. The QFT phase rotations shrink as $2\pi / 2^n$, exponentially small in the input size. Classical factoring pays with computational steps. Shor's algorithm pays with phase precision. The difficulty changes form, not magnitude.

Fault-tolerant quantum computing resolves this by converting the exponential precision demand into polynomial resource overhead. Through Clifford+T gate synthesis, a rotation that would require $10^{-617}$ radian analog precision is approximated by a polynomial-length sequence of discrete gates, each operating at physically achievable fidelity. The approximate QFT discards the smallest rotations entirely. What remains is a circuit of $10^{10}$ to $10^{12}$ logical gates, each implemented across many error-corrected physical qubits.

This conversion (from exponential precision to polynomial resources) is what makes the quantum threat to RSA theoretically viable and what reduces the question to one of engineering scale rather than physical possibility. The price of the speedup is paid in qubits and time, not in impossible precision. Whether the engineering required can be achieved on any practical timeline is the real question.

In plain terms

Classical computers break a code by trying combinations one at a time, like testing every key on a giant keyring. Shor's algorithm is like a shortcut that skips most of the keys, but the shortcut requires an enormously complex and delicate machine to execute. The debate is not whether the shortcut exists on paper (it does). The debate is whether anyone can build and operate the machine it requires.

---

The resource estimates

The fault-tolerant model establishes that breaking RSA-2048 is a question of resources (qubits, gates, time, and error correction overhead), not of impossible physical precision. The critical question becomes: how many resources, and how far does current hardware stand from that threshold?

Surface code error correction

Modern quantum error correction centers on the surface code, a two-dimensional lattice of physical qubits that suppresses errors as the code distance $d$ increases. The surface code achieves exponential suppression of logical error rates with polynomial qubit overhead:

$$P_{\text{logical}} \approx p^{(d+1)/2}$$

where $p$ is the physical error rate. Google's 2024 experiments on the Willow processor (Acharya et al., Nature, 2024) demonstrated this scaling experimentally, achieving a suppression factor of approximately 2.14 for each step of 2 in code distance. At a physical error rate of $10^{-3}$, roughly 1,000 physical qubits encode one logical qubit with sufficient fidelity for large computations.

In plain terms

Error correction works like spell-check for quantum operations. If you write every word three times and compare the copies, you can catch and fix typos. The surface code does the same thing with qubits: many physical qubits work together to protect one "logical" qubit from errors. The more physical qubits you use, the more reliably the logical qubit behaves, but you need a lot of them.

Current estimates

The most widely cited estimate for factoring RSA-2048 is Gidney and Ekerå (Quantum, 2021): approximately 20 million noisy physical qubits and 8 hours of computation, assuming physical gate error rates of $10^{-3}$ and surface code error correction.

In May 2025, Gidney published a substantial revision: fewer than 1 million physical qubits and under one week of runtime, using improved magic state cultivation and approximate modular arithmetic.

Where the hardware stands

The gap between these estimates and current capability remains vast:

• The largest number factored using Shor's algorithm on a quantum computer is still $21 = 3 \times 7$, achieved in 2012
• Current quantum processors operate with hundreds to low thousands of noisy physical qubits
• Sustained logical error rates at the scale needed for RSA-2048 have not been demonstrated
• No quantum computation has run coherently for the hours or days that Shor's algorithm on RSA-2048 would require

The engineering trajectory is real: qubit counts are growing, error rates are falling, and resource estimates have dropped by more than an order of magnitude in four years. But the gap between current hardware and what RSA-2048 requires remains at least two to three orders of magnitude in qubit count. Sustained fault-tolerant computation at that scale has never been demonstrated.

---

The investment question

Billions of dollars flow into quantum computing annually. A significant share of that investment is motivated, directly or indirectly, by the promise of Shor's algorithm breaking public-key cryptography.

The facts:

1. The only practical quantum factoring algorithm is Shor's algorithm.
2. Fault-tolerant implementations address the algorithm's precision demands through digital gate synthesis and error correction, converting the problem from one of physical precision to one of engineering scale.
3. The best current estimate for RSA-2048 requires fewer than 1 million physical qubits and days of coherent computation (Gidney, arXiv, 2025).
4. Current quantum hardware operates at hundreds to low thousands of noisy qubits. The quantum factoring record is $21 = 3 \times 7$, set in 2012.
5. Resource estimates have fallen by more than an order of magnitude in four years. The trajectory is moving toward feasibility, not away from it.

The theoretical path from algorithm to implementation exists. The engineering path from current hardware to a cryptographically relevant machine remains long, and no consensus exists on when it will be completed. Quantum computers have legitimate near-term applications in quantum simulation, optimization heuristics, and certain sampling problems. Whether the RSA threat materializes depends on sustained engineering progress over an uncertain timeline.

---

What this means for tiCrypt

tiCrypt uses RSA-2048 for its public-key infrastructure and AES-256 for symmetric encryption. The quantum threat profile for each is different:

Algorithm	Quantum attack	Effective impact
RSA-2048	Shor's algorithm	Theoretically feasible via fault-tolerant quantum computing, but requires hardware far beyond current capability
AES-256	Grover's algorithm	Reduces effective key strength from 256 bits to 128 bits; 128-bit security remains computationally infeasible

AES-256 under Grover's algorithm retains 128 bits of security, well above any practical attack threshold. Grover's algorithm also has fundamental parallelization constraints. Zalka (Physical Review A, 1999) proved that $k$ quantum computers can at best achieve $O(\sqrt{N/k})$ query complexity, meaning parallelism provides only a square-root improvement rather than a linear one. The reduced 128-bit search remains practically infeasible.

In plain terms

AES-256 is the lock on your actual data. Even a quantum computer can only cut the strength of this lock in half, from 256-bit to 128-bit. A 128-bit lock still has more possible combinations than there are atoms in the universe. Throwing more quantum computers at the problem barely helps: ten machines are only about three times faster than one, not ten times.

Harvest-now, decrypt-later

The harvest-now, decrypt-later (HNDL) concern is valid. The exposure in tiCrypt's architecture is specific and well-defined.

AES-256-encrypted data at rest is not the concern. Grover's algorithm reduces AES-256 to an effective 128-bit security level, which remains computationally infeasible regardless of the quantum timeline.

The exposure is the RSA-2048-wrapped key material. In tiCrypt's architecture, each file is encrypted with a unique AES-256 key, and that key is encrypted under the RSA-2048 public key of each authorized user. These RSA-encrypted key blobs are stored on the server and transmitted during file access and sharing operations. All transit occurs inside TLS, so a network adversary harvesting traffic would need to break both the TLS session and the RSA key wrapping to recover file keys. The more direct exposure is the stored key material: if an adversary gains access to the server database, the RSA-wrapped blobs are available without a TLS barrier. In both cases, recovering file encryption keys requires a cryptographically relevant quantum computer capable of factoring RSA-2048.

VM session establishment uses a separate protocol. The user and VM authenticate via their RSA key pairs, then negotiate a symmetric session key through Diffie-Hellman key exchange. The RSA signatures used during authentication do not wrap key material, so they do not create a harvest-now target on their own. However, the Diffie-Hellman exchange relies on the discrete logarithm problem, which is also vulnerable to Shor's algorithm. The HNDL surface therefore includes both the stored RSA-wrapped file keys and the DH key exchange material from VM sessions.

This is a narrower exposure than "all encrypted traffic is at risk," but for data that must remain confidential for decades, it is the right surface to evaluate. The practical risk depends on two factors: the timeline for a quantum computer capable of factoring RSA-2048 (which remains distant but is narrowing), and the sensitivity window of the protected data.

Transport and network considerations

tiCrypt's end-to-end encryption operates at the application layer, independent of the network transport. As described above, TLS provides defense in depth for key material in transit: an attacker cannot passively harvest tiCrypt's RSA-wrapped key blobs from network traffic without also breaking the TLS session that protects them.

The transport layer does carry its own quantum exposure. If a VPN or TLS session uses RSA or ECDH for key exchange, that session's symmetric keys are themselves harvestable by a future quantum adversary. As TLS implementations adopt PQC key exchange (such as ML-KEM-based TLS 1.3), this transit-layer exposure closes on its own timeline, independent of tiCrypt's migration. In environments where the VPN does not terminate at the enclave boundary, or where intermediate network segments carry sensitive traffic, the transport provider's PQC readiness is an independent consideration outside tiCrypt's cryptographic boundary.

Crypto agility and the transition plan

tiCrypt's architecture separates key wrapping from bulk data encryption. Every file's AES-256 ciphertext is independent of the asymmetric algorithm used to wrap its key. A transition to PQC requires only re-wrapping the per-file AES-256 keys, not re-encrypting any file data.

NIST recommends using classical and post-quantum algorithms simultaneously, so that an attacker must defeat both to recover a key. In tiCrypt's case, this means wrapping the existing RSA-encrypted key material with a post-quantum algorithm, producing a doubly-protected key blob.

Because wrapping a key requires only the public half of the recipient's PQC key pair, the server can perform this migration without coordinated user participation. The private half never leaves the user's control. The migration proceeds in three steps:

1. Key generation: Each user generates a post-quantum key pair. The private key remains client-side. The public key is stored on the server alongside the user's existing RSA public key.

2. Server-side re-wrapping: A scheduled job identifies users who have post-quantum public keys but still have asset keys in the old format, and wraps each existing RSA-encrypted asset key with the user's PQC public key. The RSA layer remains intact underneath. This process requires only the public key and runs without user interaction.

3. Steady state: All asset keys are now doubly wrapped: an inner RSA layer and an outer PQC layer. Recovering a file key requires breaking both algorithms.

If a post-quantum algorithm is later compromised or superseded, the same layered structure enables recovery:

1. The user generates a new PQC key pair.
2. The server receives the old PQC private key and the new PQC public key.
3. The server removes the outer PQC wrap and re-wraps with the new PQC public key. The RSA layer remains intact throughout, so no exposure occurs unless the attacker also breaks RSA. The new private key never leaves the user's possession.

Per-file AES-256 encryption, vault structure, and application logic are unaffected by any of these operations. Only the key-wrapping layer changes.

Algorithm selection remains an open decision. The choice carries trade-offs in key size, performance, and implementation maturity. CMVP-validated modules must be available before deployment. We are actively tracking the CMVP validation pipeline for ML-KEM and ML-DSA implementations, and once a target algorithm is selected and validated, we estimate two to three months to implement, test, and deploy the migration to production.

---

So when does RSA-2048 actually break?

The theoretical path to breaking RSA-2048 with a quantum computer is understood: Shor's algorithm, implemented with fault-tolerant error correction on a machine of sufficient scale. The algorithm's phase precision demands are met through digital gate synthesis, not analog hardware precision. The question is not whether such a machine is theoretically possible, but when the required engineering can be achieved.

As of this writing, quantum computers cannot factor numbers beyond single digits. The best resource estimates call for hundreds of thousands to millions of physical qubits operating coherently for days. No consensus exists on when that capability will be reached. Credible estimates range from ten years to several decades away.

tiCrypt's cryptographic architecture remains sound. We are not waiting for RSA deprecation to begin preparing. We are tracking the CMVP validation pipeline, and our server-side re-wrapping architecture means migration can proceed without coordinated user downtime once a validated PQC module is ready. The goal is to adopt PQC as soon as validated implementations and operational readiness allow. This adds protection against the harvest-now, decrypt-later risk while maintaining the FIPS compliance posture that regulated environments require.