Every secure website you visit, every encrypted email you send, every blockchain transaction you sign uses asymmetric cryptography. The two dominant families — RSA and Elliptic Curve Cryptography (ECC) — have secured the internet for decades. But they share a fatal vulnerability: both derive their security from mathematical problems that quantum computers can solve efficiently.
Understanding exactly why RSA and ECC are quantum-vulnerable — and by how much — is essential for any technical decision-maker assessing their organisation's quantum risk. This is not theoretical. It is a concrete, quantified threat with a timeline.
RSA (Rivest-Shamir-Adleman, 1977) generates a public key modulus n = p × q where p and q are large primes. The security assumption is that factoring n — recovering p and q given only n — is computationally infeasible for large enough keys.
The best classical algorithm for factoring is the General Number Field Sieve (GNFS), with sub-exponential complexity:
T_classical(n) = exp(c × (log n)^(1/3) × (log log n)^(2/3))
Where c ≈ 1.923 for GNFS. This means:
| RSA Key Size | Classical Factoring Difficulty |
|---|---|
| 512-bit | ~10^9 operations (broken in 1999) |
| 1024-bit | ~10^30 operations (considered weak) |
| 2048-bit | ~10^84 operations (currently secure) |
| 4096-bit | ~10^120 operations (long-term secure classically) |
In 1994, Peter Shor published a quantum algorithm that factors integers in polynomial time:
T_Shor(n) = O((log n)^2 × (log log n) × (log log log n))
This is an exponential speedup. For RSA-2048, the reduction is from ~10^84 operations to approximately ~10^7 quantum operations on a fault-tolerant quantum computer. The key point: the quantum speedup doesn't merely make RSA somewhat easier to break — it makes it trivially breakable.
The exact qubit requirement depends on the quantum error correction (QEC) code and the gate error rate, but leading estimates (Craig Gidney and Martin Ekerå, 2021 analysis) suggest:
Current best quantum computers have up to ~1,000 physical qubits with much higher error rates. The gap is large but closing.
ECC (proposed independently by Neal Koblitz and Victor Miller in 1985) bases its security on the Elliptic Curve Discrete Logarithm Problem (ECDLP).
Given an elliptic curve E over a finite field F_p, a base point G on E of prime order n, and a point Q = k × G for some secret integer k:
ECDLP asks: given E, G, and Q, find k. This is computationally hard classically.
The best classical algorithm for ECDLP (Pollard's rho) has complexity:
T_classical_ECDLP = O(√n) where n = group order ≈ p
This means the classical attack cost on a 256-bit curve (n ≈ 2^256) is about √n = 2^128 operations.
This is why ECDSA can use 256-bit keys while RSA needs 3072-bit keys for equivalent security.
Shor's algorithm also solves ECDLP efficiently:
T_Shor_ECDLP = O((log n)^2 × polylog(log n))
Because Shor's algorithm runs in polynomial time, it completely breaks ECC. Estimates for breaking 256-bit ECDSA (NIST P-256, and secp256k1 as used by Bitcoin and Ethereum):
This means every Bitcoin address, every Ethereum wallet, every ECC-signed TLS certificate is vulnerable to a CRQC.
The quantum threat to blockchain is particularly acute. Consider Ethereum:
ECDSA secp256k1: Ethereum uses 256-bit ECDSA for transaction signing. Every Ethereum account has a public key derived from a private key via:
Public Key = private_key × G (on secp256k1 curve)
Ethereum Address = keccak256(Public Key)[12:32] (last 20 bytes of hash)
Addresses are truncated hashes of public keys — the full public key is only revealed when a transaction is signed. Before that first transaction, Ethereum addresses derive from the hash, which is quantum-resistant (Keccak/SHA3). However:
After the first transaction from an address, the public key is exposed on-chain. Any address that has sent at least one transaction has its ECDSA public key visible to all network participants — and to a quantum adversary who could then derive the private key using Shor's algorithm.
The total exposed Ethereum (ETH) in accounts with revealed public keys runs into millions of ETH. Bitcoin is similarly exposed — the Bitcoin Pay-to-Public-Key (P2PK) format used in Satoshi's earliest blocks exposes public keys directly.
At IMPT.io, we've addressed this through ERC-4337 account abstraction, which separates the account address from the signing key, enabling key rotation and eventual migration to ML-DSA signing without changing user addresses.
Credible estimates from leading institutions:
| Institution | Estimated CRQC Timeline |
|---|---|
| NIST | "Plausible within a decade" (as of 2022) |
| NSA | Advised migration by 2030 (CNSA Suite 2.0, 2022) |
| ENISA | 10–15 years (2021 report) |
| IBM Research | Not publicly forecasting but pursuing 100,000+ qubit systems by 2033 |
| Google Quantum AI | Quantum error correction milestones achieved; CRQC timeline uncertain but aggressive |
| Mosca's Theorem | Quantum risk is current if (data lifetime) + (migration time) > (CRQC arrival time) |
Dr. Michele Mosca's "quantum risk equation" provides a practical framework:
Current Risk = P(CRQC within x years) > 0
AND (data sensitivity requires x+ year protection)
AND (migration not yet complete)
If your data must remain confidential for 15 years, and migration takes 3 years, you need to complete migration within the next 12 years. Given uncertainty in CRQC timelines, the prudent approach is to begin immediately.
It's important to be precise about what quantum computers do and do not break:
The key insight: symmetric cryptography (AES, HMAC, hash functions) requires only parameter size increases to remain quantum-safe. Asymmetric cryptography (RSA, ECC) is fundamentally broken and must be replaced.
While Grover's algorithm provides a quadratic speedup for searching unstructured databases — and can be applied to brute-forcing symmetric keys — it does not threaten well-chosen key sizes:
Grover speedup: O(√N) instead of O(N)
Impact on AES-128: reduces to 2^64 effective security — marginally concerning
Impact on AES-256: reduces to 2^128 effective security — still secure
NIST's guidance: use AES-256 for data requiring long-term quantum security. AES-128 is acceptable for short-term data but should be upgraded for sensitive long-lived data.
Given the above threat model, here are the concrete decisions your organisation needs to make:
| Cryptographic Use | Quantum Risk Level | Priority |
|---|---|---|
| TLS key exchange (ECDH) | HIGH — protects today's traffic | Migrate ASAP (hybrid) |
| Code signing (ECDSA) | HIGH — long-lived certificates | Migrate 2025–2026 |
| Database encryption key wrapping (RSA) | HIGH — long-lived sensitive data | Migrate 2025–2027 |
| JWT authentication tokens | MEDIUM — typically short-lived | Migrate 2026–2027 |
| SSH server keys | MEDIUM | Migrate 2026–2027 |
| Certificate Authority roots | CRITICAL — 20+ year validity | Migrate immediately |
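The decisions in this table presuppose knowing where RSA and ECC keys are actually deployed, so here is an added example (not code from the original article) of the inventory step for one row, SSH keys: it parses OpenSSH public key lines in authorized_keys/known_hosts format, extracts the algorithm and key size, and flags every Shor-breakable key, also noting RSA keys that are already classically weak. The sample key lines are constructed inside the block and are not from any real host.

```python
# Added example: inventory OpenSSH public keys and flag quantum-vulnerable algorithms.
import base64
import struct


def _ssh_string(value):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(value)) + value


def _read_string(blob, off):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    return blob[start:start + length], start + length


def _mpint(n):
    """RFC 4251 'mpint' for a positive integer (leading 0x00 if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def parse_ssh_public_key(line):
    """Return (algorithm, key_bits) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    alg, off = _read_string(blob, 0)
    alg = alg.decode("ascii")
    if alg != fields[0]:
        raise ValueError("algorithm name in text does not match key blob")
    if alg == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent
        n, _ = _read_string(blob, off)     # modulus
        return alg, int.from_bytes(n, "big").bit_length()
    if alg.startswith("ecdsa-sha2-nistp"):
        return alg, int(alg[len("ecdsa-sha2-nistp"):])
    if alg == "ssh-ed25519":
        return alg, 256
    return alg, 0


def quantum_risk(alg, bits):
    """Classify per the article: RSA and all elliptic-curve schemes fall to Shor."""
    if alg == "ssh-rsa":
        vulnerable, note = True, "RSA: Shor-breakable"
        if bits < 2048:
            note += "; also classically weak (<2048-bit)"
    elif alg.startswith("ecdsa-sha2-") or alg == "ssh-ed25519":
        vulnerable, note = True, "elliptic curve: Shor-breakable"
    else:
        vulnerable, note = None, "unrecognised algorithm, review manually"
    return {"algorithm": alg, "bits": bits, "quantum_vulnerable": vulnerable, "note": note}


def inventory(lines):
    return [quantum_risk(*parse_ssh_public_key(line)) for line in lines if line.strip()]


# Constructed sample lines (synthetic key material, not real keys).
def make_rsa_line(e, n, comment):
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def make_ecdsa_p256_line(comment):
    point = b"\x04" + b"\x22" * 64  # uncompressed point encoding, placeholder coordinates
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " " + comment


def make_ed25519_line(comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


SAMPLE_LINES = [
    make_rsa_line(65537, (1 << 2047) | 1, "constructed-2048-bit-rsa"),
    make_rsa_line(65537, (1 << 1023) | 1, "constructed-1024-bit-rsa"),
    make_ecdsa_p256_line("constructed-p256"),
    make_ed25519_line("constructed-ed25519"),
]

if __name__ == "__main__":
    for entry in inventory(SAMPLE_LINES):
        print(f"{entry['algorithm']:<22} {entry['bits']:>5} bits  {entry['note']}")
```

Every line in the constructed sample is flagged, which is the expected result for a pre-migration SSH estate: OpenSSH currently offers no standardised PQC host-key algorithm, so the inventory's value is in establishing the count, the owners and the rotation path rather than in finding keys that already pass.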
| Use Case | Recommended Algorithm | FIPS Standard |
|---|---|---|
| Key exchange / KEM | ML-KEM-768 | FIPS 203 |
| Digital signatures (general) | ML-DSA-65 | FIPS 204 |
| Code signing (constrained bandwidth) | FALCON-512 | FIPS 206 (forthcoming) |
| High-assurance signatures | SLH-DSA-SHAKE-128s | FIPS 205 |
| Symmetric encryption | AES-256 | Already standardised |
Never deploy standalone PQC without classical fallback until ecosystem confidence is established:
Key Exchange: X25519 + ML-KEM-768 (hybrid)
Signatures: ECDSA P-256 + ML-DSA-65 (dual-signature where required)
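The hybrid pattern just listed, as an added example that is not code from the original article: two shared secrets, one from X25519 and one from ML-KEM-768, are concatenated and run through HKDF-SHA256 so that the session key stays secret as long as either component does, and a dual-signature check that accepts only when both the ECDSA and the ML-DSA signatures verify. Neither X25519 nor ML-KEM-768 is in Python's standard library, so the two shared secrets and the two verification results are constructed inputs standing in for the real primitives; the concatenate-then-KDF combiner and the HKDF implementation are real and tested against the RFC 5869 vector.

```python
# Added example: hybrid key combiner (X25519 || ML-KEM-768 -> HKDF) and dual-signature policy.
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt, ikm):
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH().digest_size, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested length too large for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ss_x25519, ss_mlkem768, transcript, length=32):
    """Combine both KEM outputs: an attacker must know BOTH secrets to derive the key.

    The concatenation order (classical first, then post-quantum) follows the hybrid
    key-exchange pattern used for X25519MLKEM768; the HKDF framing is this example's own.
    """
    if len(ss_x25519) != 32 or len(ss_mlkem768) != 32:
        raise ValueError("X25519 and ML-KEM-768 shared secrets are each 32 bytes")
    prk = hkdf_extract(b"", ss_x25519 + ss_mlkem768)
    return hkdf_expand(prk, b"hybrid-x25519-mlkem768|" + transcript, length)


def dual_signature_valid(ecdsa_ok, mldsa_ok):
    """Dual-signature policy: both the ECDSA P-256 and the ML-DSA-65 signature must verify."""
    return bool(ecdsa_ok) and bool(mldsa_ok)


def attacker_recovers_key(session_key, ss_x25519, ss_mlkem768, transcript,
                          knows_x25519, knows_mlkem768):
    """Model an adversary who has broken one component (e.g. X25519 via Shor) but not the other.

    Unknown secrets are replaced by a random guess; the adversary succeeds only if the
    derived key matches, which requires knowing both inputs.
    """
    guess_x = ss_x25519 if knows_x25519 else os.urandom(32)
    guess_pq = ss_mlkem768 if knows_mlkem768 else os.urandom(32)
    return hmac.compare_digest(hybrid_session_key(guess_x, guess_pq, transcript), session_key)


if __name__ == "__main__":
    # Constructed stand-ins for the two KEM outputs and the handshake transcript hash.
    ss_x = bytes.fromhex("aa" * 32)
    ss_pq = bytes.fromhex("bb" * 32)
    transcript = HASH(b"constructed handshake transcript").digest()
    key = hybrid_session_key(ss_x, ss_pq, transcript)
    print("session key:", key.hex())
    print("Shor breaks X25519 only ->", attacker_recovers_key(key, ss_x, ss_pq, transcript, True, False))
    print("ML-KEM broken only      ->", attacker_recovers_key(key, ss_x, ss_pq, transcript, False, True))
    print("both known              ->", attacker_recovers_key(key, ss_x, ss_pq, transcript, True, True))
```

The two adversary cases are the point of the hybrid: a future CRQC that recovers the X25519 secret still lacks the ML-KEM secret, and a cryptanalytic surprise against ML-KEM leaves the X25519 secret intact, so the hybrid never provides less than either component alone.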
The quantum threat to RSA and ECC is mathematically precise, experimentally grounded, and timeline-bound. Shor's algorithm doesn't just weaken these algorithms — it destroys them. The only question is when, not whether, a quantum computer powerful enough to execute it will exist.
The good news: replacement algorithms exist, are standardised, are performant, and can be deployed today in hybrid mode that adds quantum security without removing classical security. The NIST standards finalised in August 2024 provide a clear migration path.
The bad news: every day without action on harvest-now-decrypt-later is a day of accumulated risk.
Start the inventory. Start the migration. The threat is real, the tools are ready, and the cost of waiting compounds every year.
Michael English is Co-Founder & CTO of IMPT.io, a platform deployed on blockchain infrastructure securing carbon credit markets across the EU. He writes on post-quantum cryptography and emerging technology security. Based in Clonmel, Co. Tipperary, Ireland.