Cryptographically Relevant Quantum Computers (CRQCs) & The Quantum Threat

What is the quantum threat, and is it real?
The boy who cried (quantum) wolf: being honest about the threat and what it means for you

A cryptographically-relevant quantum computer (CRQC) is a quantum computer that can run algorithms to crack or weaken existing (so-called “classical”) cryptography.  

Today, I’ll explain when — or if — this CRQC is likely to exist, what the real threat is, and how it might affect your data and assets. After reading this, you should get 100% on these quantum quiz questions:

• When will a cryptographically-relevant quantum computer (CRQC) be ready?
• How can you identify a quantum time-waster?
• How and when will the quantum threat affect your data and assets?

What is a cryptographically relevant quantum computer (CRQC)?

Yes, you are hearing a lot about quantum computers (QCs) existing today, and that’s true — they do exist! But there is a critical distinction missing: none of today’s quantum computers are “cryptographically relevant”. That means they don’t yet have enough stability, enough qubits, or the right code to be able to crack even the weakest classical cryptography by quantum means (here’s looking at you, 256-bit RSA).  

I hear you ask, “OK, so when will we have a cryptographically-relevant quantum computer?” Those are known as CRQCs, and that’s what I’m here to answer for you.

(Read all about quantum-safe cryptography & the NIST post-quantum process.)

On cryptography and being quantum-annoying

There are two important points to make here:

• Not all cryptography is vulnerable to a quantum computer (specifically, hash functions).
• Different types of cryptography are not equally vulnerable to quantum computers.

Put simply: not all cryptography is equally vulnerable to quantum attack.  

Which means we can prioritise! In the same way you should prioritise patching systems — by threat, severity of impact, and criticality of vulnerability — you should also prioritise which cryptographic assets to migrate first, if you need to migrate at all. In fact, here’s two very clear recommendations for you:

• You can safely put symmetric cryptography low on your list of priorities for the foreseeable future. That’s because symmetric cryptography (i.e. AES) is less vulnerable than asymmetric cryptography (i.e. RSA, ECDH).
• You can also ignore hash functions completely, which can be considered essentially quantum-safe (i.e. SHA256, SHA3).  

(Side note: One of my favourite latest innovations is the concept of being “quantum-annoying”: not quantum-safe, but ‘annoying’ enough that it’s not worth the work for an adversary to crack it.)

When will a cryptographically relevant quantum computer (CRQC) exist?

The truth is this: quantum computers already exist, but today they don’t have enough qubits (quantum bits) or the stability to be CRQCs.  

So, your next question might be when CRQCs will exist? No-one knows for certain, and it may actually never come to exist. But we can have a decent guess. An annual estimate, using the latest research and industry developments, has found that since the 1980s, a CRQC has been estimated to be 15 years away. Most recently, at an annual quantum conference run by ETSI in winter 2022, Professor Michele Mosca shared a presentation on this topic: 

(Source: Slide 25 of Mosca's PDF.)

At this point, someone usually points out Moore’s Law, but remember: Moore’s Law applies to classical computers. We cannot say if the same rate of advancement will apply to quantum computing.  

Importantly, it’s not just about how many qubits you have — quantum computers also need stability to be cryptographically-relevant. Today, they lack the necessary stability. We also don’t know how stability will be affected as the number of qubits increases.

However, there was a now discredited Chinese academic paper published in late 2022 that claimed to lower the number of qubits needed to run relevant attacks. Advances like this, even if they aren’t real, spook people at the very least. And if the paper had been true, it would have suddenly brought the quantum threat horizon much closer.

How and when will the quantum threat affect my data and assets?

So, the quantum threat is a way off right now, but you might want to start preparing. You might wonder how this will all affect your data and your assets. And it’s a great question.  

I promise I will give some crunchy answers to that question now, but first — this will take a while. Like all things, the answer depends on your context, threat model, and real problems. Let’s start with the theory and work up from there.

CRQCs will be able to run two algorithms that impact cryptography:

• Shor’s algorithm, which completely breaks key establishment schemes and signatures, namely RSA, Diffie-Hellman, elliptic curve Diffie-Hellman, ECDSA, etc. 
• Grover’s algorithm, which reduces the security of symmetric key algorithms (like AES) by a square root, i.e. 256-bit to 128-bit.

So you can already see that different types of cryptography are impacted differently, but timelines also matter!  

You need to work out the lifetime of your data that needs to be secret or signed, and this will vary for every single organisation. If you’re developing a product or you make embedded hardware that lasts for decades, your answer will be different to a large retailer handling transactions and some customer data, where the security requirements for that data diminish over time.

Luckily for you, here is the rubric to follow:

1. Work out the lifetime of your data that needs to be secret or signed. This is because data is vulnerable to the “harvest-and-decrypt” threat, so you need to work out what data you have that needs to remain secret and for how long.
2. Understand how long it would take you to migrate to post-quantum cryptography.
3. Work out when you think a CRQC will exist.

Now time for some (simple) maths! This is known as Mosca’s inequality. Essentially, you’re fine for as long as:

Required Security Lifetime of Data + Time to Migrate < Time to Develop a CRQC

Perhaps some data, like telemetry, you just won’t care about in 15 years. Some data, like medical or financial records, you likely will. Your range of influence varies too. You can’t do much about when a CRQC will exist, but you can minimise the time it would take to migrate your systems, by preparing for it.

Consider your vulnerability and impact, too

We know that the threat is not real today, and won’t be for a while. But the risk is not just decided by threat: it’s a combination of the vulnerability and impact too.  

At least at first, CRQCs will only be accessible to sophisticated adversaries who can harvest and store lots of your data today, i.e. nation states. And if these threat actors are currently stealing your data with ease — because your systems have been unpatched for months or years — they aren’t going to suddenly switch TTPs and start using expensive CRQCs.

So fix those vulnerabilities first! (And with that, I’ll leave you with something fun…)

How to identify a quantum time-waster

Armed with this knowledge, here’s my short guide to find a quantum time-waster! Despite all the people pushing snake oil and telling you that you should have moved to quantum like yesterday, we now know that’s not the case.

So how can we identify those quantum time-wasters? Simply state these two facts and if there’s disagreement, you’re best off politely excusing yourself to take a call:

• Quantum computers (QC) exist today but they lack the stability and qubits to be cryptographically-relevant. The largest quantum computer today has 433 qubits, but estimates say you need anything from 4000 to 10000, and no-one knows if Moore’s Law will apply as QCs scale. 
• The fact that a CRQC is some time away doesn’t mean you shouldn’t be thinking about migration today. For example, if you are embedding signatures in devices that you won’t be able to update, where the device lifetime is in the order of decades, or if you’re worried about the “harvest-and-decrypt” threat. But it doesn't mean you SHOULD be thinking about migration today either. That depends!

Quantum quiz time

Test time! You should be able to tell me now:

1. When a cryptographically-relevant quantum computer (CRQC) will be ready.
2. How and when will the quantum threat affect your data and assets.
3. How you can identify a quantum time-waster.