Racing the Quantum Apocalypse

Averting disaster requires deploying new quantum-resistant encryption. And that will require a massive, coordinated effort: Every major tech company must update its software and hardware, governments must secure classified communications, financial institutions must overhaul their cryptographic systems, and even physical infrastructure — satellites, ATMs and cell towers, for example — must be fortified against quantum decryption to avoid catastrophic consequences.

If we fail, bad actors could sabotage critical infrastructure such as power grids, air traffic control systems and nuclear facilities. It would be open season for wide-scale financial fraud and identity theft. Stock markets could be thrown into chaos, military secrets stolen, GPS signals and self-driving vehicles hijacked.

Quantum computers could cut through blockchain like a cake, wiping out the value of cryptocurrency overnight.

Even now, it may be too late. Your data might already be lost to an adversary. It could take years to fully realize quantum computing’s potential, but intelligence agencies warn that criminals and hostile foreign governments are probably stockpiling sensitive information right now so they can decrypt it when quantum technology matures. The groundwork for future attacks may already be laid.

Superposition, Entanglement and the End of Encryption

The power of quantum computing lies in its ability to exploit the seemingly magical behavior of subatomic particles in the quantum realm, which can exist in multiple states at once and influence each other across vast distances — phenomena known as superposition and entanglement.

Harnessing those properties allows quantum computers to calculate vast numbers of possible solutions at once, exponentially boosting processing speed to the point that the difficult math problems underpinning modern encryption — practically impossible to break with today’s computers — would be child’s play.

Quantum computers aren’t designed for everyday tasks like browsing the internet or powering your smartphone, so they won’t replace current-generation machines. Instead, as renowned physicist Richard Feynman envisioned in 1981, quantum computers’ promise lies in their unique ability to perform simulations on a molecular level, making them game-changers for fields such as drug discovery, materials science and climate modeling.

In the right hands, they could help design self-healing materials and longer-lasting batteries, break down microplastics, create hyper-accurate weather forecasts that transform disaster response and agriculture, revolutionize logistics, and optimize gene-editing for disease prevention.

In the wrong hands, quantum computers could destroy the pillars upon which we’ve built modern cybersecurity: a mathematical concept called prime factorization.

At the dawn of the computer age, prime factorization was the foundation of digital security, protecting everything from financial transactions to sensitive government data and, later, internet traffic.

How it works is seductively simple: Most high-school students could multiply together two three-digit prime numbers. But reverse engineering that calculation without knowing which numbers you started with is really, really hard. The most powerful computer today would need 300 trillion years — that’s 22,000 times the age of the universe — to crack this type of encryption, which secures much of modern communication and digital computing.

A quantum computer, though, could break it in less than 10 seconds. The key to cracking encryption using a quantum computer is Shor’s algorithm, which first revealed the vulnerabilities of modern encryption techniques in the 1990s — at least on paper. At the time, Shor’s algorithm was a startling but purely theoretical exercise, and quantum computing was in its nascency.

Matthew Green, a cryptographer and professor at Johns Hopkins University, says quantum computing equipped with Shor’s algorithm is much more than an academic curiosity today. While a few critical technical hurdles remain, engineers have demonstrated enough progress to shift the consensus around quantum decryption from a question of “if” to “when.”

“It's not a theoretical impossibility,” Green says. “All that's standing between the cryptography of the world being broken is engineering. And that's not a good place to be.”

The Race for Quantum Supremacy

So when can we expect the quantum apocalypse? The short answer: We don’t know. Many estimates range from three years to 20 or more. Some say it’ll never arrive.

“The standing joke is that it's always 10 years in the future, because it was 10 years in the future 10 years ago,” says Nigel Smart, a professor at the Computer Security and Industrial Cryptography research group at the University of Leuven and chief academic officer at Zama, an open-source cryptography company.

According to a survey conducted by the Rand Corporation, on average, experts expect quantum computers capable of being applied to cryptography to arrive around 2033.

Right now, quantum computing is still an emerging field using experimental technology — quantum computers are highly error-prone and hypersensitive to interference. Still, the competition to reach quantum supremacy — the point at which quantum computers can accomplish tasks classical computers can’t — has been steadily intensifying. Experts expect it to become the defining technological battleground of the future, eclipsing today’s rivalry over artificial intelligence.

Governments including the U.S., China and the E.U., along with big tech companies, are funneling vast resources into the race. Worldwide investments in quantum computing research have already surpassed $44.5 billion, a figure projected to more than double by 2040, according to McKinsey.

Advances Are Coming at a Steady Pace.

In December 2024, Google announced it had developed an experimental chip that took less than five minutes to solve a mathematical problem that would take today’s supercomputers 10 septillion years. The head of the company’s quantum research division said in February that his team is “optimistic that within five years we’ll see real-world applications that are possible only on quantum computers."

Neal Ziring, the technical director of the National Security Agency’s (NSA) Cybersecurity Directorate, predicted recently that cloud-based quantum computing would enter the workforce in three to five years. That’s an assessment shared by Bill Gates, who thinks that, though it could take longer, three to five years isn’t an unreasonable timeline for practical quantum computing.

One of the most striking recent developments came from Gates’ Microsoft, which said in early 2025 the company has found a way to create an entirely new state of matter — something that’s neither solid, liquid nor gas — to enable the design of quantum processors small enough to fit onto a chip you could hold in your hand. That would be a big leap from the quantum computers of today, which fill entire rooms and need highly controlled environments.

The bold claim raised eyebrows among skeptical experts and tech rivals who have since poked holes in the science. But Microsoft insists its developments could lead to a functional quantum computer within “years, not decades,” likening the innovation to the semiconductors that unlocked the modern computer age and made today’s smartphones, computers and electronics possible.

The CEO of Microsoft’s quantum rival, IBM, Arvind Krishna is bullish on quantum prospects and has given his company until the end of the decade to build a far more reliable, fully error-corrected system, capable of running 100 million operations per second. The company said it will release the biggest quantum computer ever made this year, after having released its most powerful to date in November 2024, which was 50 times more powerful than its predecessor.

Meanwhile, the CEO of chip manufacturer Nvidia, Jensen Huang, spoiled the party by wiping $8 billion worth of value off of quantum stocks overnight with a single sentence in January when he said useful quantum technology wouldn’t be available for another two decades. Two months later, he backpedaled, admitting his comments came out wrong but not explicitly altering his prediction.

A Global Threat, a Global Opportunity

Building a quantum computer requires billions of dollars in research, potentially decades of development and an army of specialists. So security experts are less concerned about petty criminals using quantum computing to drain your bank account and are instead preparing for how nation-states could wield the technology.

“We assume that state actors are two years ahead of where the commercial vendors are,” Mark Horvath, a VP at consultancy firm Gartner who tracks quantum developments and cryptography, told CSO.

Governments around the world see the threat as urgent enough to act now. In one of his final acts in office this past January, President Joe Biden signed a cybersecurity executive order mandating that government agencies transition to post-quantum cryptography to protect sensitive data against theft and decryption.

Across the Atlantic, Europol, the European Union's law enforcement agency, last month urged financial institutions and policymakers to prioritize the adoption of quantum-proof standards. The agency warned that the rapid advancement of quantum computing presents an "imminent threat" to the financial sector.

The U.K.’s National Cyber Security Center this month warned key sectors and organizations of the need to stay ahead of the quantum threat by safeguarding sensitive information.

Despite the haziness of the quantum computing timeline, security experts consider the threat immediate because bad actors could be stockpiling secure data today so they can decrypt it when the technology becomes available. China, potentially along with other global powers, is reported to likely be attempting this “harvest now, decrypt later” strategy.

Even if today’s data were to be hacked a decade or more from now, the fallout could be grave: national intelligence compromised, corporate secrets stolen, reputational damage to financial institutions and the publication of private bank records. An autocratic government could even retroactively unmask and prosecute perceived dissidents using end-to-end encrypted messages sent years prior.

Dustin Moody is a mathematician at the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) who leads the agency’s post-quantum cryptography project. Moody’s academic background focused on the properties of elliptic curves, algebraic structures that form the basis of a cryptographic system used to secure digital communications. “I find it absolutely fascinating,” Moody says, that a purely mathematical concept could have such critical real-world applications.

Moody’s team at NIST had been tracking quantum advancements since 2010 and, well aware of how long developing and transitioning from one cryptosystem to another can take, by 2015 had decided it was the right moment to leap into action. Around the same time, security analysts grew increasingly concerned, and the NSA concluded that major breakthroughs in quantum computing were near enough to warrant big changes.

It was high time to start future-proofing encryption. Moody’s team turned to the public for help concocting mathematical problems so fiendish that even the most powerful computers imaginable wouldn’t be able to solve them. In 2016, NIST issued a call for quantum-proof algorithms, a bat signal for cryptographers the world over. “This is a global threat, and the cryptographic expertise isn’t centered in any one place,” says Moody. “We needed a way to pull everyone together and get the cryptographic community at large to do this work.”

Top researchers sent in 82 different submissions from six continents and almost 30 different countries. The evaluation phase that followed, beginning in 2017, was like a cybersecurity World Cup, structured into knockout rounds. As well as assessing the algorithms internally, NIST posted the entrants online so any security expert could probe their resilience and performance. And like any memorable World Cup, the standardization project brought shocking upsets.

Moody, a crossword enthusiast, says a love of puzzles is a common trait among cryptographers, who need inquisitive minds, curiosity and imagination to dream up novel avenues of attack. Success in the field means looking beyond the surface, thinking like an adversary and having a willingness to break things your colleagues worked hard to build.

“From a technical perspective, it was a lot of fun,” Moody says of the standards competition.

Of the 26 algorithms that advanced to the second round, only seven finalists and eight alternates remained by the third. Along the way, once-promising contenders failed, some in dramatic fashion. An algorithm called Rainbow remained unscathed through the third round but crashed out of the competition when an IBM researcher revealed a severe vulnerability, proving an assailant could crack it in a weekend with a common laptop.

It looked like another algorithm called SIKE might go the distance after enduring years of stress tests and barrages of attacks — and winning a spot in the fourth round of analysis. But two independent teams of researchers ended SIKE’s deep run, a turn of events nobody had seen coming, according to Moody.

“SIKE was broken quite spectacularly,” he says. The attack was quickly improved to the point that the algorithm could be broken in mere seconds. Its downfall came from a long-known theorem that had been hiding in plain sight, but no one had thought to deploy against SIKE. “It was shocking to a lot of people,” Moody says.

Throughout the NIST standardization competition, one approach quickly rose above the others as the most effective: lattice-based cryptography.

Imagine being blindfolded, put in a cab, and dropped somewhere in a city grid like Manhattan with nothing but a 2D map to guide you. It might be easy to find a designated point and return to where you started. Now, stretch that same map into hundreds, or even thousands, of dimensions — many more than humans can visualize. Suddenly, pinpointing even your nearest grid reference becomes impossibly hard. So tough that even quantum computers would be stumped.

Those multidimensional maps are called lattices. Experts generate them using linear algebra and introducing what’s called “noise.” You might remember the days of solving systems of equations in high-school math, using simple algebraic techniques. If you take those systems of equations and scramble them by adding small errors, they suddenly become nearly unsolvable without a key.

After a marathon eight-year effort, NIST finally announced the four winning algorithms in 2022, all based on lattices. The finalized algorithms were released in August 2024. For good measure, a backup algorithm was released in March 2025, just in case, as with SIKE, someone figures out a novel way to crack the final four. “We don’t have all our eggs in one basket,” Moody says.

These winning algorithms mean the lion’s share of mathematicians’ work is done. The mantle now passes to the engineers responsible for implementing the algorithms.

According to Moody, the rollout won’t be “fast, easy or painless.”

Averting a Digital Doomsday

Successful implementation depends on “people like me, the internet engineers, who bridge the gap between theory and practice,” says Nick Sullivan, former head of research at Cloudflare and the co-chair of the Crypto Forum Research Group (CFRG) at the Internet Research Task Force.

“We know the algorithm, we know the math that we want to use, but now it’s all about engineering: How do we get this into all these systems?” he says. “And that's being worked through right now — in standards bodies, in software development libraries, in banking regulations.”

Sullivan likens the challenge to earthquake preparedness in California. No one knows when "the big one" — a long-overdue, catastrophic earthquake that’s predicted to devastate the West Coast — will hit. But proactive measures, like retrofitting buildings and strengthening infrastructure, can mitigate future damage. The challenge for post-quantum cryptography, Sullivan says, is getting millions of people to take action before disaster strikes. That requires policy changes, incentives and making preparedness financially viable.

Similarly, there’s no fixed deadline, no Y2K-style countdown, to when quantum computers will break encryption. It could happen in five years, 20, or never. That uncertainty makes it more challenging to incentivize action today. Historically, transitioning from one cryptosystem to another takes 10 to 15 years. But, according to Sullivan, we don’t have that kind of time. “Ten years puts us right up against the boundary where a lot of people think quantum computing will exist.”

“It’s a race,” he adds. “The people who build the products of society are racing against the scientists and engineers who are building the quantum computers.… We want to have a lights-out day, so that somebody harvesting now will not be able to decrypt later. And we want that to happen as early as possible.”

Myriad technical obstacles stand before the rollout of NIST’s standardized algorithms. But there’s good news, too: The transition is already underway. Apple, for instance, has introduced post-quantum cryptography into iMessages. And other tech players will be able to transition swifty, according to Smart: Web browsers are ready for quantum, so ensuring internet security should be relatively straightforward. For end users, it’s as easy as updating Chrome or Safari.

“That will probably fix about 80 percent of the problem,” says Kenny Patterson, a professor in the Institute of Information Security at ETH Zurich, where he leads the Applied Cryptography Group. The remaining 20 percent, Patterson says, will be the “long tail” of cryptographic implementations for systems that aren’t as well maintained as the big ones like web browsers: bespoke systems developed by smaller software vendors, for instance, or old protocols that are no longer supported.

Even the very first step — figuring out what cryptographic system an organization uses and how to replace it — can be arduous, according to Smart: “Over the last 10 or 15 years, we've had various cryptography apocalypses when algorithms had to be replaced. It turned out companies aren’t very good at knowing what cryptography they're using.”

The updates necessary for transitioning to post-quantum cryptography could have the added benefit of improving what's known as “crypto agility,” Smart says, the ability to swiftly swap out cryptographic systems when needed, something many organizations struggle with today.

Cryptography is often embedded in legacy systems using old protocols that make them difficult to upgrade. Credit card encryption, for example, still relies on technology from the 1970s. Banks originally hardwired a small, 64-bit data field (only enough space for a 16-digit number) for encryption, making updates a huge challenge. Post-quantum encryption, by comparison, requires a bigger data field. “If you want to increase that hardwired data field, you have to replace all the databases,” Smart says. “You have to replace every ATM machine on the planet.”

Upgrading hardware means designing new microchips, physically replacing equipment — climbing cell phone towers to install new components, for instance — and coordinating international standards to ensure interoperability, according to Sullivan. “It just takes a lot of time and a lot of coordination.”

The limited data field in legacy systems poses a serious obstacle, Green says. “You have parts of the security protocols that are the size of Skittles, and now you're going to stick in something the size of a sweet potato.”

Moving beyond prime factorization, which Shor’s algorithm can exploit, and using harder, less structured math means cryptographers must rely on much bigger encryptions.

Take bluetooth. Small smart devices such as light bulbs, door locks and printer cartridges all rely on some level of encryption for a connection. When your phone pairs with these devices, it sends a small encrypted message, called a handshake. “The amount of data you can pack in those messages is pretty limited,” Green says. “So if you're going to increase it by 10 or 20 times the size, bluetooth blows up. You have all these places where everything gets messy.”

Other, bigger, devices pose unique challenges. Modern cars, for instance, which Smart describes as “200 computers with some wheels attached,” roll off the dealership lot with software that’s intended to last their entire lifespan and no expectation of returning for an upgrade. Unlike a simple software patch for smartphones or laptops, recalling cars can be prohibitively costly and time-consuming.

At least smart light bulbs, ATMs and cell towers are here on planet Earth. Space technology is another conundrum. In March, Moody spoke with a NASA team that relies on cryptography for the GPS signals it uses to land objects on the Moon. They were concerned that NIST’s new algorithms wouldn’t fit within their systems. And for satellites already in orbit, hardware upgrades are impossible, adding a layer of complexity to an already thorny dilemma.

The switch to post-quantum cryptography has parallels with other historic technical transitions, especially Y2K. The “Millenium Bug” is often dismissed as an overblown panic, a doomsday that never arrived, a punchline about clueless tech paranoia.

But that narrative ignores the scale of the effort that went into averting disaster. Behind the scenes, governments, corporations and engineers across the world poured billions into upgrading systems, combing through outdated code and fixing the bug before it could wreak havoc. Y2K felt like a false alarm only because thousands of people worked tirelessly to ensure it never became a crisis.

Just like Y2K, the real work in post-quantum cryptography is happening quietly. A global effort is already underway to upgrade cryptographic systems before they can be cracked. If all goes well, Q-day will come and go without catastrophe, and people will shrug and wonder what everyone was worried about, perhaps without realizing that was exactly the point.

In many ways, it’s a thankless task: “If we do our jobs properly as cryptographers,” says Patterson, “nobody will notice a damn thing.”