Quantum Computing Cryptography FAQ: 20+ Questions Answered

This quantum computing cryptography FAQ answers more than 20 of the most-asked questions on how quantum computers threaten classical encryption, which algorithms are at risk, what NIST's post-quantum standards mean in practice, and how crypto holders and developers can prepare. Whether you are a developer evaluating migration paths, an investor assessing portfolio risk, or a curious reader who heard the phrase "Q-day" and wants a clear explanation, you will find accurate, mechanism-level answers below — no hype, no hand-waving.

Part 1: Quantum Computing Fundamentals

What is a quantum computer, and how does it differ from a classical computer?

A classical computer stores information as bits — each bit is either 0 or 1. A quantum computer uses qubits, which exploit two quantum-mechanical properties:

These properties allow a quantum computer to evaluate a vast number of possible solutions to certain problems in parallel, rather than sequentially. This does not make quantum computers universally faster — they offer specific, dramatic speedups for specific mathematical problem types.

What kinds of mathematical problems can quantum computers solve faster?

Quantum computers provide provable or theoretical speedups for:

Problem typeClassical bestQuantum algorithmSpeedup
Integer factorisationSub-exponential (GNFS)Shor's algorithmExponential
Discrete logarithm (finite field)Sub-exponentialShor's algorithmExponential
Elliptic-curve discrete logarithm (ECDLP)Fully exponentialShor's algorithmExponential
Unstructured searchO(N)Grover's algorithmQuadratic (√N)
Lattice problems (LWE, SIS)ExponentialNo known polynomial algorithmMinimal

The first three rows cover almost every cryptographic primitive in widespread use today — RSA, Diffie-Hellman, and ECDSA (used by Bitcoin and Ethereum).

How many qubits does a quantum computer need to break RSA-2048?

Academic estimates cluster around 4,000 logical (error-corrected) qubits to break RSA-2048 using Shor's algorithm in a reasonable timeframe. Because current hardware operates with noisy physical qubits rather than perfect logical qubits, you need roughly 1,000 physical qubits per logical qubit under leading error-correction schemes — implying millions of physical qubits. As of 2025, the largest publicly disclosed systems have reached thousands of physical qubits, but without the error-correction depth required. The gap remains real, though the trajectory is shortening.

---

Part 2: Threats to Classical Cryptography

Which encryption algorithms are directly broken by Shor's algorithm?

Shor's algorithm efficiently solves the integer factorisation problem and the discrete logarithm problem, which underpin:

These algorithms protect the majority of TLS connections, SSH sessions, code-signing certificates, hardware security modules, and cryptocurrency transaction signing.

Is AES (symmetric encryption) also broken by quantum computers?

Not directly. Grover's algorithm can search an unstructured space in O(√N) operations, which effectively halves the security level of a symmetric cipher. AES-128 drops to roughly 64-bit effective security. The mitigation is straightforward: upgrade to AES-256, which retains approximately 128-bit post-quantum security. NIST considers 128-bit quantum security adequate for most applications.

What is "Q-day"?

Q-day is the colloquial term for the date on which a sufficiently powerful, error-corrected quantum computer first runs Shor's algorithm against a real-world RSA or ECDSA key and recovers the private key in practical time. No credible public estimate pins Q-day before the early 2030s, and many researchers place it in the 2030–2040 window. The uncertainty itself is the risk: organisations that have not migrated by Q-day will be exposed immediately.

What is the "harvest now, decrypt later" attack?

Adversaries — typically state-level actors — can intercept and store encrypted traffic or signed data today, at low cost, and decrypt it once a cryptographically-relevant quantum computer exists. For long-lived secrets (classified documents, blockchain keys with large balances, private health records), the threat timeline is not Q-day minus some migration window — it is *right now*. CISA, NSA, and the UK NCSC have all published advisories urging immediate inventory and migration planning on this basis.

Are Bitcoin and Ethereum wallets vulnerable?

Yes, under the following conditions:

  1. Reused addresses: If a wallet's public key has been published on-chain (which happens when you spend from an address), Shor's algorithm can derive the private key from the public key. Bitcoin P2PK outputs and early P2PKH addresses where the public key is visible are directly at risk once a cryptographically-relevant quantum computer exists.
  2. Unspent outputs with exposed public keys: P2WPKH outputs do not expose the public key until the first spend. Funds that have never signed a transaction are somewhat better protected — though not indefinitely.
  3. Time-in-mempool attacks: A fast enough quantum computer could derive a private key from a public key during the window between broadcast and confirmation. Current block times (10 minutes for Bitcoin) impose a tight but potentially feasible attack window once hardware matures sufficiently.

Ethereum uses ECDSA on the secp256k1 curve — same vulnerability profile as Bitcoin.

---

Part 3: Post-Quantum Cryptography (PQC)

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to classical (non-quantum) cryptographic algorithms that are believed to be secure against both classical and quantum adversaries. These algorithms run on ordinary hardware and do not require quantum communication infrastructure. They replace the vulnerable asymmetric primitives (RSA, ECDSA) with problems for which no efficient quantum algorithm is known.

What mathematical problems do post-quantum algorithms rely on?

The main families are:

What did NIST standardise in its PQC process?

NIST completed its multi-year post-quantum standardisation process and published three final standards in August 2024:

StandardAlgorithmPrimitiveHard problem
FIPS 203ML-KEM (Kyber)Key encapsulationModule-LWE
FIPS 204ML-DSA (Dilithium)Digital signatureModule-LWE / SIS
FIPS 205SLH-DSA (SPHINCS+)Digital signatureHash-based

A fourth standard, FN-DSA (FALCON), was finalised shortly after. NIST explicitly recommends organisations begin transitioning to these algorithms now.

What is lattice-based cryptography, specifically?

A lattice is a regular grid of points in high-dimensional space. The hard problem underpinning lattice cryptography is that, given a "bad" (non-orthogonal) basis for a lattice, finding the shortest vector or a vector closest to a given point is computationally infeasible at high dimensions — even for quantum computers. The best known quantum algorithms (including variants of the quantum approximate optimisation algorithm) offer negligible advantage over classical algorithms for well-parameterised lattice problems. This is why lattice schemes form the core of NIST's PQC standards.

How do ML-KEM (Kyber) key sizes compare to RSA?

ParameterRSA-2048ML-KEM-768 (NIST Level 3)
Public key size256 bytes1,184 bytes
Private key size~1,200 bytes2,400 bytes
Ciphertext / encapsulated key~256 bytes1,088 bytes
Signature size (DSA equivalent)~256 bytesN/A (KEM)
Quantum securityBroken by Shor~184-bit quantum security

The larger key and ciphertext sizes are acceptable for most applications. Network bandwidth and storage overhead are modest at modern speeds.

---

Part 4: Migration, Implementation, and Crypto Asset Implications

What is "hybrid cryptography" and why is it recommended during migration?

Hybrid cryptography combines a classical algorithm (e.g., ECDH) with a post-quantum algorithm (e.g., ML-KEM) in a single key exchange or signature scheme. The combined security is at least as strong as the stronger of the two components. NIST, ETSI, and the BSI (German federal cybersecurity agency) all recommend hybrid schemes during the transition period, because:

How should developers begin migrating to post-quantum standards?

A practical migration checklist:

  1. Inventory: Catalogue every place asymmetric cryptography is used — TLS certificates, code-signing, API authentication, key derivation, and data-at-rest encryption.
  2. Prioritise by data lifetime: Long-lived secrets and high-value keys migrate first.
  3. Adopt hybrid schemes in TLS: Modern versions of OpenSSL and BoringSSL support X25519+ML-KEM hybrid key exchange. Enable it in your server configuration.
  4. Replace signature schemes: Evaluate ML-DSA or FALCON for JWT signing, document signing, and firmware attestation.
  5. Update certificate pipelines: Work with your CA to obtain ML-DSA certificates when the Web PKI supports them.
  6. Test performance: Benchmark on your target hardware. Lattice signatures are larger; hash-based signatures (SLH-DSA) are slower to generate but fast to verify.
  7. Engage hardware vendors: HSMs and smart cards need firmware or hardware updates to support new algorithms.

What does post-quantum security mean for cryptocurrency wallets?

A post-quantum cryptocurrency wallet replaces ECDSA key generation and transaction signing with a PQC-aligned scheme — typically a lattice-based digital signature algorithm such as ML-DSA or FALCON. This ensures that even if a cryptographically-relevant quantum computer is available, an adversary cannot derive a private key from the on-chain public key. Projects building such wallets face two compounding challenges: selecting algorithms with sufficient cryptanalytic maturity and maintaining compatibility with existing blockchain transaction formats.

BMIC.ai is one example of a project building a quantum-resistant wallet using lattice-based, NIST PQC-aligned cryptography, targeting exactly this threat surface for token holders.

Can existing Bitcoin or Ethereum holdings be "migrated" to quantum-safe addresses?

In principle, yes, for any blockchain that supports a soft or hard fork to new signature schemes. Practically:

Is quantum key distribution (QKD) the same as post-quantum cryptography?

No. They are distinct approaches:

For internet-scale and blockchain applications, PQC is the practical migration path. QKD is relevant for high-security government and financial backbone links.

How long does it realistically take an organisation to complete a PQC migration?

CISA's 2023 guidance estimates five to fifteen years for large organisations with complex legacy systems. Key variables include:

Given the "harvest now, decrypt later" threat, the recommended posture is to begin immediately with highest-priority systems, even if full migration takes years.

Are there any known attacks against NIST's finalised PQC algorithms?

As of mid-2025, no practical attacks against ML-KEM, ML-DSA, SLH-DSA, or FN-DSA have been published. However:

---

Part 5: Staying Current

Where can I track the latest PQC developments?

Monitoring IETF draft publication and NIST special publications (SP 800-208 for hash-based signatures, forthcoming SP 800-227 for KEM guidance) is the most reliable way to stay current with production-ready recommendations.

Frequently Asked Questions

What is quantum computing cryptography, and why does it matter?

Quantum computing cryptography describes the intersection of quantum computing capabilities with the security of cryptographic systems. Quantum computers running Shor's algorithm can efficiently solve the mathematical problems — integer factorisation and discrete logarithm — that underpin RSA, ECDSA, and Diffie-Hellman, the algorithms protecting most internet traffic and cryptocurrency wallets today. Post-quantum cryptography (PQC) is the field developing replacement algorithms, such as lattice-based schemes, that remain hard even for quantum computers.

How soon could a quantum computer break Bitcoin's ECDSA keys?

Breaking ECDSA on Bitcoin's secp256k1 curve requires an estimated 4,000+ logical qubits running Shor's algorithm. Current hardware has thousands of noisy physical qubits but lacks the error-correction infrastructure to produce that many logical qubits. Most credible research places a cryptographically-relevant quantum computer — one capable of breaking real keys in practice — in the 2030–2040 window, though this is uncertain. The 'harvest now, decrypt later' threat means exposed public keys are at risk even before that date.

Which NIST post-quantum algorithms should I use for new projects?

NIST finalised three primary standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a hash-based signature alternative. FN-DSA (FALCON) was also finalised for applications needing compact signatures. For most new projects, ML-KEM for key exchange and ML-DSA for signing are the recommended starting points. During the transition, using hybrid classical+PQC schemes provides defence-in-depth.

Does Grover's algorithm break AES encryption?

Grover's algorithm provides a quadratic speedup for searching unstructured spaces, which effectively halves the security level of symmetric ciphers. AES-128 drops to roughly 64-bit effective quantum security, which is considered insufficient. AES-256 retains approximately 128-bit quantum security, which NIST regards as adequate. The fix for symmetric encryption is therefore straightforward: use AES-256 or equivalent 256-bit key lengths. Grover's algorithm does not 'break' AES outright.

What is the difference between post-quantum cryptography and quantum key distribution?

Post-quantum cryptography (PQC) uses classical mathematical algorithms — particularly lattice problems — that are hard for both classical and quantum computers. It runs on standard hardware and requires only software updates. Quantum key distribution (QKD) uses the physical properties of quantum particles to detect eavesdropping, but requires specialised optical hardware and is limited by distance and infrastructure cost. For internet-scale applications and blockchain, PQC is the practical migration path. QKD is suited to dedicated high-security backbone links.

How can cryptocurrency holders protect themselves against the quantum threat today?

Practical steps include: (1) avoid reusing Bitcoin or Ethereum addresses, since reuse exposes your public key on-chain; (2) move funds to fresh addresses after each transaction so the public key is exposed only briefly; (3) monitor protocol-level developments such as Bitcoin's P2QRH proposals and Ethereum's quantum-safe account abstraction EIPs; (4) for long-term storage, consider quantum-resistant wallet solutions that implement NIST PQC-aligned signature schemes. Acting now is prudent given the 'harvest now, decrypt later' attack model.