Cyber Insights 2025: Quantum and the Threat to Encryption – Source: www.securityweek.com

SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Quantum computing and the threat to encryption.

We (probably) will not get a cryptographically relevant quantum computer (CRQC) in 2025. Public key encryption (PKE) will (probably) remain safe through 2025. But… Well, there are issues. It is those issues we wish to explore here.

Quantum decryption is getting perilously close. This article is a call to arms. We need to arm ourselves with quantum safe encryption – and crypto-agility – in 2025.

Quantum’s relevance to cybersecurity

It is a given that a sufficiently powerful quantum computer will be able to decrypt current PKE (such as RSA 2048) in or within 24 hours using Shor’s quantum algorithm or a derivative or improvement. That will upend cybersecurity as we know it today. All encrypted data that has been stolen and stored (harvest now, decrypt later) will be accessible to the group that stole it. Ongoing trust in and on the internet – its communications, its digital signatures, its transactions – would all be destroyed.

This will happen if / when PKE is broken, regardless of how it is broken. The only generally accepted certainty is that it will be broken by a sufficiently powerful quantum computer. This is why NIST has been instrumental in developing new, stronger encryption algorithms based on mathematical problems that are thought to be resistant to quantum computers. This is NIST’s post quantum cryptography (PQC).

Cybersecurity must migrate from using PKE to using PQC. But the urgency is still not fully understood by everyone, because the quantum threat is not fully understood by almost anyone. We’re going to shine some light on this and its progress through 2025.

(Quick warning: quantum computers and encryption involve more acronyms than the three-letter agencies.)

The timeline toward CRQC

For CRQC, Martin Charbonneau, head of quantum safe networks at Nokia, suggests, “A good estimation of this timeline was constructed in the Global Risk Institute’s Quantum threat timeline report. In 2024, it estimated that by 2034, there was between a 17% and 34% chance that a cryptographically relevant quantum computer (CRQC) would exist capable of breaking RSA 2048 in 24 hours. The probability increases to 79% by 2044.”

An alternative approach to timeline estimation could come from federal agency requirements. “The National Security Memorandum 10 (NSM-10) sets a clear deadline for the full migration to PQC by 2035. By this date, all cryptographic systems used by federal agencies must be quantum-resistant to ensure the security of sensitive information,” comments Carlos Aguilar Melchor, chief scientist, cybersecurity at SandboxAQ.

He adds that specific agencies have tighter deadlines. “The Department of Homeland Security describes on its website a shorter transition that ends by 2030. Finally, the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), required for National Security Systems, has set PQC as preferred as soon as 2025 and as mandatory by 2030 to 2033 (depending on the application).”

These dates range from now until 2035. The implication is that government is expecting CRQC any time after ten years from now.

Meanwhile, on December 9, 2024, Hartmut Neven, founder and lead at Google Quantum AI, announced the Google Willow chip with two claims. First, it is super-fast: “Willow performed a standard benchmark computation in under five minutes that would take one of today’s fastest supercomputers 10 septillion years – a number that vastly exceeds the age of the Universe.”

Second: “Willow can reduce errors exponentially as we scale up using more qubits. This cracks a key challenge in quantum error correction that the field has pursued for almost 30 years.”

Does this affect already vague timelines, or have the already vague timelines already anticipated such events already? Frankly, we don’t know. Melchor comments, “This year theoretical advances have divided the number of required qubits by three and reduced the theoretical stability needed by a factor 10. Quantum computers steadily progress and sudden reductions on the target brought by theoretical advances can suddenly change the estimations, and strongly increase the urgency.”

For cybersecurity defenders the standard adage remains true – you may hope for the best, but you should expect and prepare for the worst. CRQCs are getting closer at an unknown rate.

The problem with qubits

The reason it is difficult to predict a date for CRQC’s arrival is the nature of the quantum computer’s fundamental unit of calculation: the qubit. A qubit uses the unique quantum properties of superposition and entanglement to allow a greater number of possible states than the classical bit’s two-states. And the more qubits you have doing this, the greater the processing potential of the computer. That potential is almost unimaginable to anyone brought up on the limited two-state binary digit driven capability of classical computing.

But qubits are not stable.

This will surprise no-one who has looked at quantum mechanics – but it is this instability that causes the biggest problem in creating a usable quantum computer. Put simply, the stability of qubits is negatively affected by everything around them, from physical jolts to atmospheric noise. This leads to the phenomenon known as decoherence (basically, the loss of the quantum state) which introduces errors into computations involving qubits. These errors must be ‘corrected’ before the computational output can be trusted. And that is very, very difficult.

One approach is to use error correcting software – but this is incredibly complex and requires a huge number of additional qubits to correct the errors in just one qubit. In loose terms, a large number of additional physical qubits are necessary for every logical (useful) qubit. A second approach is more mechanical – to develop and use qubits that are naturally more stable and resistant to decoherence.

We can expect further progress, like Willow, on both fronts during 2025 – progress but probably no timeline-altering breakthrough. The engineering problem of having enough logical qubits operating together and able to practically unleash the full theoretical potential of quantum will be measured in years – we just don’t know how many or how few.

As Jason Soroko, senior fellow at Sectigo, explains. “Not all qubits are created equal… consider the following attributes of those qubits: Coherence Time (the duration a qubit can maintain its quantum state); Gate Fidelity (the accuracy in quantum gate operations); Error Rates (the frequency of errors during qubit operations)’ and Scalability (the ability to maintain qubit quality as the system scales up).”

Gate fidelity is important. “Shor’s algorithm requires gated qubits to complete its task, using a Quantum Fourier Transform which is part of what does the factorization work necessary to break RSA-2048,” says Soroko.

“2024 saw significant quantum advances, including Quantinuum’s achievement of 99.9% 2-qubit gate fidelity in a production environment – an industry first,” says Duncan Jones, head of cyber at Quantinuum. “In 2025, we expect to build on these successes and make additional improvements in hardware, software, quantum tokens, cybersecurity, and other areas.”

Adding AI to the development mix

While declining to make any predictions (“There is no single roadmap that we have seen which will absolutely determine when a CRQC will emerge”), Skip Sanzeri – co-founder and COO at QuSecure, adds, “With AI developing so quickly we are seeing ways in which AI will speed time to a CRQC. For example, AI can help design more efficient algorithms and machine learning can simulate large numbers of quantum states enabling faster and more optimal quantum circuits.” 

AI, he adds, “will also play a role in hardware development (noise reduction and more stable qubits), optimization (quantum experiments, qubit manipulation), and quantum simulation of complex systems.” AI’s benefit to quantum technology could begin to be realized in 2025.

It is worth noting this synergy between contemporary technology’s biggest innovations – quantum and AI. Quantum computers benefitting AI may well precede CRQC, but probably not this year. Neven, who named the Google lab he founded ‘Quantum AI’, has explained, “Both will prove to be the most transformational technologies of our time, but advanced AI will significantly benefit from access to quantum computing.”

Sanzeri adds, “In our opinion, consensus of when a CRQC will be available will most likely be overestimated since we cannot determine the effect technologies like AI will have on the timeline. As such we believe a CRQC will be here in less than 5 years.”

Karl Holmqvist, founder and CEO at Lastwall, is also wary of the combination of quantum and AI. “The combination of quantum and AI will produce cryptographically relevant results faster than either alone,” he suggests. It is entirely possible – although for cybersecurity we still hope unlikely – that CRQC will be achieved within just a few years.

Cryptography’s own uncertainty principle

NIST’s quantum proof encryption competition has focused on developing new algorithms to replace the current PKE that will fall to quantum computers. The focus is on algorithms that can serve the same purpose but be based on mathematical problems that are thought to be resistant to quantum computers. This is conceptually similar to current PKE, which is based on the mathematical difficulty of factoring very large numbers with just a classical computer.

But there are two assumptions here: that PKE has not already quietly been broken by an adversary using classical computers and AI; and that the same or another adversary has not already secretly achieved CRQC. We believe that neither has happened – but we still need to ask the question. 

Sanzeri does not believe breaking PKE without quantum power is possible. “Breaking PKE will require an exponentially powerful computer, and our existing CMOS structures, even with AI optimized, cannot become exponentially powerful. The subatomic properties of superposition and entanglement enable quantum computers to reach exponential power.”

Melchor says the same thing with different words. “We could also find intelligent life in the universe in 2025, but nothing seems to indicate that today.”

Duncan Jones is slightly more cautious. He doesn’t believe that general decryption of PKE is likely before CRQC. “Near-term advances before quantum computers arrive are unlikely to fundamentally threaten properly implemented PKE systems.”

But he also adds, “Cryptography has a long history of unexpected breakthroughs – algorithms once thought secure for decades have fallen to novel attacks. While other approaches like advanced classical algorithms haven’t demonstrated feasibility for breaking PKE yet, we can never be completely certain.”

It is this lack of absolute certainty over any encryption algorithm that is the concern. Kai Roer, CEO and founder at Praxis Labs, poses the hypothetical question, ‘What if you have already broken PKE?’ “In the current geopolitical landscape, imagine the immense power your access will yield. Would you tell anyone? Would it not be tempting to pretend that you have not yet succeeded, and use your powers to harvest every single secret from every single system in the world?”

He believes that any secret adversarial ability to break PKE will more likely come from a quantum computer than from a classical computer. But therein lies our second unprovable assumption – that despite the billions of dollars being spent on quantum development, no adversarial nation has yet, secretly, developed CRQC. We don’t believe it, but we cannot prove it. “As with all things security: assume the breach has already happened, and act accordingly,” says Roer.

Holmqvist agrees that there is some uncertainty over adversarial capabilities. “The prize for breaking encryption is very high, and we know nation-state level entities are engaged in research on quantum computational systems. This means that if there were any significant breakthroughs in 2025 that might enable a system to be developed – it is possible – we might not know about them.”

Thomas Matheus, CTO at Cystel Limited, believes the bigger threat comes not from the algorithms but from their implementation. “It is more likely to happen that organizations implement post-quantum cryptographic solutions or other quantum products (such as quantum key distribution or quantum VPN) and do not configure these solutions or products correctly.”

But that assumes that the PQC algorithms are sufficiently strong, and that is yet one more uncertainty. Are NIST’s PQC algorithms themselves secure? After all, the SIKE candidate was broken with a classical computer and AI.

Frank Leymann, WSO2 technology fellow and visiting professor for quantum computing at the Vienna University of Technology, comments, “The NIST process to identify PQC algorithms is striving towards identifying hard-to-break algorithms and protocols. But there is no mathematical proof that they cannot be broken. Because there are chances that they can be broken, cryptographic agility is key. That’s the reason why NIST is continuing to identify and standardize more algorithms.”

Agility is key

While cryptography’s uncertainty principle means that we cannot know for certain, however fervently we believe it, that PKE has not already been broken by a well-resourced adversary, we are similarly uncertain that NIST’s PQC algorithms are genuinely safe. Put simply, we may believe that NIST’s PQC algorithms are quantum safe (probably safe against quantum decryption), but we cannot prove they are quantum secure (provably secure against quantum decryption). In short, PQC algorithms up the ante in ongoing encryption, but do not provably solve the problem.

In compensation, a second approach to the use of encryption systems has been quietly bubbling in the background: crypto-agility. This is not a new idea, dating from around the turn of this century. Cryptographic systems fall to attackers – that’s a fact proven by history. So, it makes sense to have an alternative encryption system ready, waiting, and easily usable. That is the concept known as crypto-agility.

What is different today is that we know our current PKE encryption is going to fall with quantum computers. We are getting ready for this event by migrating wholesale to new algorithms. But although tested and scrutinized in laboratories, these algorithms are not yet proven in the battlefield. So, if anything, the need for crypto-agility is greater than ever – something NIST recognized from the beginning. Although it has long advocated for including agility, its importance for the transition to PQC (and beyond) is clear in a document presented by Lily Chen (from the computer security division of NIST’s Information Technology Lab) in June 2024: Crypto-Transition and Agility.

Chen defines crypto-agility as, “the ability for machines to select their security algorithms in real time and based on their combined security functions; the ability to add new cryptographic features or algorithms to existing hardware or software, resulting in new, stronger security features; and the ability to gracefully retire cryptographic systems that have become either vulnerable or obsolete.” In short, it is “the flexibility to implement, update, and replace cryptographic components within IT-systems, without affecting its functionality.”

Jones puts this into context. “NIST’s PQC algorithms have undergone rigorous evaluation against both quantum and classical attacks. However, no algorithm is entirely immune to unforeseen vulnerabilities.” (The breaking of SIKE during the competition proves this.)

“This reinforces why crypto-agility is critical,” he adds. “Organizations must be able to adapt their infrastructure as algorithms evolve. Focus should be on building agile systems that can integrate new standards and algorithms when needed.”

Ray Harishankar, IBM fellow at IBM Quantum Safe, further adds, “As organizations begin the transition to post-quantum cryptography over the next year, agility will be crucial to ensure systems are prepared for continued transformation, particularly as the NIST continues to expand its toolbox of post-quantum cryptography standards.”

The time is now to start the journey to becoming quantum safe, he continues. “But equally important is the need for crypto-agility – ensuring that systems can rapidly adapt to new cryptographic mechanisms and algorithms in response to changing threats, technological advances, and vulnerabilities – ideally leveraging automation to streamline and accelerate the process.”

Summary – the encryption threat in 2025

It is ironic that the arrival of CRQC loosely suffers from quantum uncertainty. If we focus on powerful quantum computers, we do not know when we will get them. If we focus on a point in time, we do not know what we will have at that point. All we do know is that at some time within the next fifteen years, and possibly the next five years, classical PKE will fall to quantum decryption – and if we are not prepared, that could be disastrous.

Progress toward CRQC in 2025 will not be loud, but will be punctuated by occasional claims – like a new type of qubit that is more stable (such as neutral atoms), or new error correction capabilities (like Willow), or more qubits per processor (IBM is expected to introduce its ‘Kookaburra’ processor with more than 4,000 qubits).

There is now a possibility that CRQC could arrive in as little as five years. There is an equal possibility that a full migration to PQC will take some companies longer than five years. In 2025, as Kevin Bocek, chief innovation officer at Venafi points out, for those who haven’t yet started their PQC migration, “Given this uncertainty, the journey to becoming quantum-proof must start now.”

We have delved into the problems and potential solutions involved in quantum computer manufacture not because we expect any dramatic CRQC announcement during 2025, but to show how that date is getting closer. 2025 is an important year – it is probably our last chance to start our migration to PQC before we are all undone by CRQC.

Postscript: It won’t stop there. Shor’s quantum algorithm will break our current asymmetric encryption (PKE). Grover’s algorithm can attack symmetric keys (such as AES 256). But Grover ‘merely’ increases the speed of decryption – effectively halving the key length and reducing AES 256 to AES 128. 

That’s a key still considered long enough – for now – and explains why NIST has concentrated on asymmetric algorithms. But that key length won’t be long enough to withstand quantum computers powerful enough to run Shor’s algorithm and with additional help from artificial intelligence, searching for methods to attack AES. 

We may have some wiggle room if we can increase the AES key length beyond 256 bits. Technically this should be possible since AES’ underlying cipher is Rijndael, and Rijndael will support a wider range of key and block sizes.

Nevertheless, this whole process may need to be repeated at some point in the future, courtesy of the power of quantum computers.

Related: Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation

Related: Google’s Willow Chip Signals the Urgency of Post-Quantum Cryptography Migration

Related: Cyber Insights 2024: Quantum and the Cryptopocalypse

Related: Quantum Decryption Brought Closer by Topological Qubits