
When Will Quantum Computers Break RSA Encryption?

When will quantum computers break RSA? Honest timelines, the Shor's algorithm threat, and why you must act now to protect long-lived data.

The honest answer is that nobody knows the exact date. Mainstream expert estimates for a cryptographically-relevant quantum computer — a machine powerful enough to break RSA — tend to cluster somewhere in the 2030s to 2040s, with meaningful disagreement on either side. But that uncertainty is not a reason to relax: because of the "harvest now, decrypt later" dynamic, the data you encrypt today can be stolen now and decrypted the moment such a machine exists, which means the deadline for protecting long-lived secrets has, in practice, already passed.

This post walks through why RSA is vulnerable, what would actually be required to break it, what credible timeline estimates look like, and why the genuine scientific uncertainty does not buy you the comfort it might seem to.

How RSA and ECC Security Work — and Why Shor's Algorithm Breaks Them

Almost all of the encryption that protects the modern internet relies on one of two hard math problems. RSA rests on the difficulty of factoring very large numbers into their prime components. Elliptic-curve cryptography (ECC) rests on a related problem called the discrete logarithm. Both are "hard" in a specific sense: a classical computer can multiply two large primes together in an instant, but reversing that operation — factoring the product back into its primes — would take the fastest classical supercomputers far longer than the age of the universe for a properly sized key.

That asymmetry is the entire foundation of public-key cryptography. It is what lets your browser establish a secure connection with a server it has never met, and what protects signatures, certificates, and key exchange across the web.

In 1994, mathematician Peter Shor published an algorithm that changes the equation. Shor's algorithm is a procedure that runs on a quantum computer and factors large numbers — and solves discrete logarithms — exponentially faster than any known classical method. A problem that would take classical machines billions of years collapses, on a sufficiently large quantum computer, to a matter of hours or days.

The crucial point is that this is not a flaw waiting to be patched. RSA and ECC are not "broken" in the sense of having a bug. They are mathematically sound against classical attack. Shor's algorithm simply exploits the fundamentally different way a quantum computer processes information, and there is no version of RSA with a longer key that escapes it. Doubling the key size does not help; it only delays the inevitable by a trivial amount of quantum work. The only durable defense is to move to entirely different math — algorithms designed to resist quantum attack. That is the subject of our post-quantum cryptography guide.

What a "Cryptographically-Relevant Quantum Computer" Actually Requires

Here is the reassuring half of the story: the quantum computer that can break RSA-2048 does not exist yet, and it is not close. Shor's algorithm has been demonstrated only on trivially small numbers under laboratory conditions. Today's machines cannot factor anything you would actually use to protect data.

The gap between today's hardware and a cryptographically-relevant quantum computer (CRQC) is enormous, and it comes down to two intertwined problems: qubit count and error correction.

A qubit is the quantum analogue of a bit, but qubits are extraordinarily fragile. They lose their quantum state — they "decohere" — through the slightest interaction with their environment, and they make errors at rates vastly higher than classical transistors. To run a long computation like Shor's algorithm reliably, you cannot use these raw physical qubits directly. You have to combine many of them into a single, stable logical qubit using quantum error correction.

This is where the numbers become daunting. Breaking RSA-2048 is widely estimated to require on the order of a few thousand logical qubits. But each logical qubit may require anywhere from hundreds to thousands of physical qubits to achieve the necessary error rates. Multiply it out and the commonly cited figure lands in the range of millions of physical qubits, all operating coherently in concert.

To put that in perspective, the most advanced quantum processors publicly demonstrated to date are measured in the hundreds to low thousands of physical qubits — and those are noisy, not error-corrected. The distance from "hundreds of noisy qubits" to "millions of error-corrected qubits" is not a matter of one more product cycle. It is a series of unsolved engineering and physics challenges. This is precisely why responsible estimates are expressed as wide ranges rather than confident dates.

A Survey of Credible Timeline Estimates

So when will the gap close? The most intellectually honest framing is a distribution of expert opinion, not a single number.

When researchers and standards bodies survey the field, a few consistent patterns emerge:

  • Expert opinion surveys of cryptographers and quantum-computing researchers typically produce a spread of estimates, with a substantial share placing a meaningful probability of a CRQC arriving within the next decade or two, and the median expectation often falling in the 2030s or 2040s. Crucially, these same surveys show that experts assign a non-trivial — not zero — probability to it happening sooner than the median.
  • Government and standards-agency guidance has shifted from "someday" to "plan now." National security and standards organizations have published post-quantum cryptographic standards and issued migration timelines that direct organizations to begin transitioning well before any CRQC is expected, often setting target dates in the late 2020s and early-to-mid 2030s for critical systems. The signal here is not a prediction of when the machine arrives, but a deadline for when you should already be protected.
  • Industry roadmaps from quantum-hardware companies project steadily rising qubit counts over the coming decade, though these roadmaps describe physical qubits and engineering milestones, not the error-corrected, cryptographically-relevant capability itself.

Two honest caveats apply to all of these. First, every estimate is uncertain; the people closest to the hardware are often the most cautious about committing to a date. Second, estimates have a documented history of moving — sometimes earlier, sometimes later — as breakthroughs and roadblocks emerge. Treat any specific year you see quoted, including the ranges above, as the midpoint of a wide band of uncertainty, not a countdown clock.

Why the Uncertainty Does Not Reduce the Urgency

It is tempting to read "2030s to 2040s" and conclude there is time to spare. That conclusion is a trap, and the reason is a concept worth internalizing: the data-secrecy lifetime.

Ask yourself a simple question: how long does the data I am encrypting today need to stay secret? For a one-time password, the answer is seconds. But for medical records, legal contracts, intellectual property, financial account details, government and defense communications, biometric data, and long-term trade secrets, the answer is years or decades.

Now combine that with the threat known as Harvest Now, Decrypt Later. An adversary does not need a quantum computer today to attack your data today. They only need to capture and store your encrypted traffic now — which is cheap and entirely feasible — and wait. The moment a CRQC becomes available, they retroactively decrypt everything they have been hoarding. Your 2026 secrets are exposed by a machine that does not exist until 2035.

The arithmetic is unforgiving. If your data must remain confidential for 15 years, and a CRQC might plausibly arrive in 12, then data you encrypt with RSA today is already effectively exposed. The relevant deadline was never the date the quantum computer turns on — it was that date minus your data's required secrecy lifetime. For any organization handling long-lived sensitive information, that deadline is in the past.

This is why the uncertainty cuts the opposite way from how it feels. Because you cannot know the exact arrival date, and because the consequences of being wrong are irreversible — you cannot retroactively re-protect data that has already been harvested — the rational response to uncertainty is to migrate early, not to wait for certainty that will only arrive too late.

What to Do Now

You do not need to predict the future to act sensibly. The migration to quantum-resistant cryptography is a multi-year program, and starting it is the only thing fully within your control.

  1. Inventory your cryptography. You cannot protect what you cannot see. Identify where RSA, ECC, and other quantum-vulnerable algorithms live across your systems, vendors, and data flows.
  2. Prioritize by data-secrecy lifetime. Protect your longest-lived secrets first — the data that would still be damaging if decrypted a decade from now.
  3. Adopt standardized post-quantum algorithms. Migrate to the cryptographic standards designed to resist Shor's algorithm, ideally in a hybrid configuration that combines a classical and a post-quantum algorithm so you are protected even if one is later found weak.
  4. Build crypto-agility. Architect systems so that swapping cryptographic algorithms in the future is a configuration change, not a rebuild.
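Steps 1 and 2, combined with the deadline arithmetic from the previous section, as an added example that is not part of the original post. It goes one step beyond the page's arithmetic by also subtracting migration time (Mosca's inequality); the asset names, lifetimes, migration times and the 8- and 18-year arrival scenarios are constructed for illustration.

```python
from dataclasses import dataclass

# Public-key algorithms that Shor's algorithm breaks (factoring / discrete log).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519"}

@dataclass
class Asset:
    name: str
    algorithm: str
    secrecy_years: int        # how long the data must stay confidential
    migration_years: int = 0  # assumed time needed to replace the algorithm

def deadline_offset(asset, crqc_in_years):
    """Years from today until migration must have started.

    Arrival minus secrecy lifetime minus migration time; a negative
    value means the deadline is already in the past."""
    return crqc_in_years - asset.secrecy_years - asset.migration_years

def prioritize(assets, crqc_estimates):
    """Rank quantum-vulnerable assets, most overdue first.

    Returns (name, slack under the earliest arrival estimate,
    number of arrival scenarios in which the deadline has passed)."""
    earliest = min(crqc_estimates)
    rows = []
    for a in assets:
        if a.algorithm not in QUANTUM_VULNERABLE:
            continue  # e.g. already hybrid or post-quantum
        overdue = sum(1 for z in crqc_estimates if deadline_offset(a, z) < 0)
        rows.append((a.name, deadline_offset(a, earliest), overdue))
    return sorted(rows, key=lambda row: row[1])

# Constructed sample inventory and arrival scenarios (years from today).
INVENTORY = [
    Asset("otp-delivery", "RSA", secrecy_years=0, migration_years=1),
    Asset("contract-vault", "ECDH", secrecy_years=10, migration_years=2),
    Asset("patient-records-archive", "RSA", secrecy_years=15, migration_years=2),
    Asset("backup-tunnel", "X25519+ML-KEM-768", secrecy_years=20),
]
CRQC_ESTIMATES = (8, 12, 18)

if __name__ == "__main__":
    for name, slack, overdue in prioritize(INVENTORY, CRQC_ESTIMATES):
        print(f"{name:26} slack={slack:+3d}y  overdue in {overdue}/{len(CRQC_ESTIMATES)} scenarios")
```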

At Secuur, this is exactly the transition we help organizations make. Our hybrid key exchange pairs the battle-tested classical X25519 with the post-quantum ML-KEM-768 standard, so your traffic stays protected against both classical and quantum adversaries. If you want a fast, concrete starting point, our free quantum-risk scan grades your current exposure on a simple A–F readiness scale, so you know where you stand before you plan your migration.

Frequently Asked Questions

Can quantum computers break RSA today?

No. As of today, no quantum computer is capable of breaking RSA-2048 or any properly sized RSA key. Existing quantum processors have far too few qubits and far too high an error rate to run Shor's algorithm at the scale required. The threat is real but future — which is precisely why "harvest now, decrypt later" matters, since data stolen today could be decrypted once a capable machine exists.

How many qubits are needed to break RSA-2048?

Estimates vary, but the figure is large and approximate. Breaking RSA-2048 is generally thought to require on the order of a few thousand error-corrected logical qubits. Because each logical qubit may require hundreds to thousands of physical qubits for error correction, that translates to roughly millions of physical qubits — orders of magnitude beyond today's hardware. These numbers are estimates and shift as error-correction techniques improve.

What is Shor's algorithm?

Shor's algorithm is a quantum algorithm published by Peter Shor in 1994 that can factor large numbers and solve discrete logarithm problems exponentially faster than any known classical method. Because RSA's security depends on factoring being hard and ECC's depends on discrete logarithms being hard, a large enough quantum computer running Shor's algorithm would break both. It is the central reason public-key cryptography must migrate to quantum-resistant alternatives.

Will making my RSA key longer protect me?

No. Increasing key length defends against classical attacks but offers essentially no protection against Shor's algorithm. A quantum computer large enough to break RSA-2048 would need only modestly more resources to break larger keys. The only durable defense is switching to post-quantum algorithms built on math that quantum computers are not known to break, ideally deployed in a hybrid scheme alongside a classical algorithm.

If a quantum computer is years away, why migrate now?

Because of your data's secrecy lifetime combined with harvest-now-decrypt-later attacks. Sensitive data such as health records, contracts, and trade secrets must stay confidential for years or decades. An adversary can capture your encrypted data today and decrypt it the moment a capable quantum computer arrives. If that arrival falls within your data's required secrecy window, the data you encrypt today is already at risk — so the migration deadline is effectively now, not whenever the hardware ships.