Shor's threat to RSA/ECC
Most of the secure connections you use — the padlock in your browser, encrypted messaging, software signatures — rely on public-key cryptography like RSA and elliptic-curve crypto (ECC). Their security rests on math problems that are easy one way and brutally hard to reverse: multiplying two big primes is easy, but factoring the product back into those primes is so slow on a classical computer that it would take longer than the age of the universe for the key sizes we use. RSA and ECC are safe today precisely because no one has a fast way to undo them.
Shor's algorithm is a fast way — but only on a quantum computer. It doesn't 'try all the factors at once.' Instead it reframes factoring as a period-finding problem and uses the quantum Fourier transform so that, through interference, the amplitudes for wrong answers cancel out and the period you need reinforces. From that period, ordinary classical math recovers the factors. The payoff is an exponential speedup for this specific, highly structured problem — turning 'longer than the universe' into something tractable. This is the rare, genuine case where quantum changes the game.
The catch — and it is a big one — is that no such machine exists yet. We are in the NISQ era: today's processors have too few qubits, too much noise, and not enough error correction to run Shor at the scale needed to break real keys. Breaking RSA-2048 would require many millions of physical qubits assembled into a far smaller number of reliable logical qubits through fault-tolerant error correction. That is years away at best. The threat is real but future, not present.
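To make "from that period, ordinary classical math recovers the factors" concrete, here is an added example (not from the original text) of Shor's classical scaffolding: the period-finding step that a quantum computer does with the QFT is replaced by brute-force modular exponentiation, which is exactly the exponential-cost step the quantum machine removes.

```python
from math import gcd
import random
from typing import Optional


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with pow(a, r, n) == 1 (requires gcd(a, n) == 1).

    This is the step a quantum computer performs with the quantum Fourier
    transform. Doing it by repeated multiplication, as here, can take up to
    n steps, i.e. exponential in the bit length of n, which is why Shor's
    speedup matters.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(n: int, a: int, r: int) -> Optional[int]:
    """Shor's classical post-processing: turn a period into a factor, or None.

    The attempt fails when r is odd or when a**(r/2) == -1 (mod n); Shor
    then simply retries with another random a.
    """
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for f in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < f < n:
            return f
    return None


def shor_factor(n: int, seed: int = 0) -> int:
    """Return a non-trivial factor of an odd composite n using the full Shor loop."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            return g  # a already shares a factor with n; no period needed
        f = factor_from_period(n, a, find_period(a, n))
        if f is not None:
            return f


if __name__ == "__main__":
    for n in (15, 21, 3233):  # 3233 = 61 * 53, the textbook toy RSA modulus
        f = shor_factor(n)
        print(f"{n} = {f} * {n // f}")
```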
'Harvest now, decrypt later'
If the machine is years away, why act now? Because of a strategy with a blunt name: harvest now, decrypt later. An adversary doesn't need a quantum computer today to threaten data today — they can simply record encrypted traffic now and store it, then decrypt it years later once a capable quantum computer arrives. Your secrets travel over the wire already encrypted; the attacker just has to be patient.
This flips the usual timeline. The real question isn't 'when will quantum computers break RSA?' but 'how long does my data need to stay secret, and when might a quantum attacker exist?' If those windows overlap, you are already exposed. Health records, state secrets, financial data, and long-lived identity keys can matter for decades — so data sent today could be decrypted well within its sensitive lifetime.
Post-quantum cryptography
The practical fix is not a quantum computer of your own — it's post-quantum cryptography (PQC). These are ordinary classical algorithms that run on the laptops, phones, and servers you already own, but they're built on math problems believed to be hard even for a quantum computer. Shor breaks factoring and discrete logs; PQC deliberately avoids those and leans on different foundations — most prominently structured lattice problems, plus hash-based and code-based schemes.
This is the part to internalize: PQC has nothing quantum inside it. It needs no qubits, no coherence, no special hardware. It's software you can deploy today to resist a future quantum attacker. In 2024 the U.S. standards body NIST finalized the first PQC standards — including a lattice-based key-establishment method (ML-KEM, from CRYSTALS-Kyber) and signature schemes — and migration across the internet is already underway.
Quantum key distribution & BB84
Quantum key distribution (QKD) tackles a narrower job — securely sharing a secret key — using a completely different idea. Instead of relying on a hard math problem, it relies on physics: in quantum mechanics, measuring an unknown quantum state disturbs it, and you cannot perfectly copy an unknown state (the no-cloning theorem). So an eavesdropper can't silently intercept a key encoded in single quanta — listening leaves fingerprints.
BB84 (Bennett & Brassard, 1984) is the classic protocol. Alice sends single photons, each prepared in a randomly chosen basis. Eve has to guess which basis to measure in — and the no-cloning theorem means she can't keep a perfect copy while passing the photon along. When she guesses wrong she disturbs the photon, injecting detectable errors.
- Alice encodes each bit on a single photon, choosing randomly between two bases to prepare it in.
- Bob measures each photon, also choosing his basis at random — so he picks the matching basis only about half the time.
- Over a public channel they compare which bases they used (never the bit values) and keep only the bits where their bases matched.
- They sacrifice a sample of those shared bits to estimate the error rate; a high error rate flags an eavesdropper and they throw the key away.
- If the error rate is low enough, post-processing distills a final secret key that any eavesdropper has negligible information about.
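The five steps above, simulated end to end as an added example (not part of the original guide): a noiseless line, an optional intercept-resend eavesdropper, sifting over the public basis comparison, and error-rate estimation on a sacrificed sample. The abort threshold `QBER_ABORT` is an assumed value for illustration, and the only quantum rule modelled is that measuring in the wrong basis gives a uniformly random bit.

```python
import random
from typing import List, Tuple

QBER_ABORT = 0.11  # assumed abort threshold for this illustration


def run_bb84(n_photons: int, eve_present: bool, seed: int = 1,
             sample_frac: float = 0.25) -> Tuple[List[int], List[int], float]:
    """Simulate BB84 on a noiseless line, optionally with an intercept-resend Eve.

    Returns (alice_key, bob_key, qber). Bases: 0 = rectilinear, 1 = diagonal.
    Measuring in the preparation basis returns the encoded bit; measuring in
    the other basis returns a random bit and leaves the photon in that state.
    """
    rng = random.Random(seed)  # seeded so runs are reproducible

    def measure(bit: int, prep_basis: int, meas_basis: int) -> int:
        return bit if prep_basis == meas_basis else rng.getrandbits(1)

    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    bob_bases = [rng.getrandbits(1) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # No-cloning: Eve cannot copy the photon, so she must measure in a
            # guessed basis and resend a fresh photon prepared in that basis.
            e_basis = rng.getrandbits(1)
            bit, a_basis = measure(bit, a_basis, e_basis), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis))

    # Sifting: bases are compared over the public channel, bit values never are.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Error estimation: sacrifice a random sample of the sifted bits.
    k = max(1, int(len(sifted) * sample_frac))
    sample = set(rng.sample(range(len(sifted)), k))
    errors = sum(sifted[i][0] != sifted[i][1] for i in sample)
    qber = errors / k
    if qber > QBER_ABORT:
        return [], [], qber  # eavesdropper suspected: throw the key away
    alice_key = [a for i, (a, _) in enumerate(sifted) if i not in sample]
    bob_key = [b for i, (_, b) in enumerate(sifted) if i not in sample]
    return alice_key, bob_key, qber


if __name__ == "__main__":
    for eve in (False, True):
        a_key, b_key, qber = run_bb84(4000, eve_present=eve)
        print(f"eve={eve}: QBER={qber:.3f}, key bits={len(b_key)}")
```

With Eve intercepting every photon the sample shows roughly 25% errors, since she guesses the wrong basis half the time and that wrong guess randomises Bob's result half the time; the final privacy-amplification step is not modelled here.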
QKD vs PQC: don't confuse them
This is the single most important distinction in the whole guide, and the press constantly blurs it. QKD and PQC are different things that solve different problems. PQC is *classical math* that resists quantum attacks and runs as software on your existing devices. QKD is a *physics-based* way to exchange a key over special hardware. They are not competitors so much as tools for different jobs — and for most of the internet, PQC is the one that actually fits.
                     PQC                          QKD
--------------------------------------------------------------------------
What it is           classical algorithms         physics-based key exchange
Runs on              your existing devices        special quantum hardware
Protects against     quantum + classical attack   eavesdropping on the key
Replaces RSA / ECC   directly                     (only the key-sharing step)
Deployable today     yes, software update         limited, niche links
Needs new hardware   no                           yes (photonics, fiber)

A clean way to remember it: PQC changes the math; QKD changes the medium. If someone says 'we're quantum-safe,' the useful follow-up is 'which one — and for what?' For the broad, practical migration happening right now — browsers, servers, VPNs, software updates — the answer is overwhelmingly post-quantum cryptography. QKD remains a specialized option for a handful of high-security, fixed links.