Every few months a headline announces that quantum computers are about to break all encryption. It is also true that no quantum computer on earth can break any encryption you actually use, and none will for years. Both statements are correct, which is what makes this a hard topic to hold a straight line on.

So let me try to answer the three questions people actually ask me, in order. Does quantum computing really work? Is the threat worth taking seriously? And is any of it viable — or is it the cold fusion of cyber security, always a decade away?

I have spent a while going through the primary sources for this — NIST, the NCSC, the NSA, the Nature papers, the vendor roadmaps — rather than the trade-press summaries of them. The honest picture is more interesting than either the hype or the eye-rolling.

Does it actually work?

As physics, yes — and 2024 gave us the milestone that mattered.

The hard part of quantum computing was never getting a qubit. It was that qubits are appallingly fragile, and the more you chain together, the more errors you get, faster than you can correct them. For twenty-five years the entire enterprise rested on a promise: that above a certain quality threshold, adding more physical qubits to an error-correcting code would make the logical result better, not worse. Until recently, nobody had shown it.

In December 2024, Google's 105-qubit Willow processor did. Published in Nature, it ran a quantum memory below the surface-code threshold — each time they made the code bigger, the error rate fell by a factor of about 2.1, exponentially, the right way. A logical qubit outlived its best physical component. That is not a press release. That is the thing the field had been waiting for, and it is real.

Now the deflating part. Willow demonstrated one logical qubit, as a memory, doing no computation. The best machine you can point at today — Quantinuum's Helios, from November 2025 — has 98 physical qubits and a few dozen error-corrected logical ones. Breaking RSA-2048, the encryption sitting under a good chunk of the internet, needs something on the order of a million physical qubits, per the current best estimate from Google's own Craig Gidney.

A hundred versus a million. That is a factor of ten thousand, and no framing of "quantum supremacy" closes it. The science works. The machine that threatens your cryptography does not exist, and is not close.

This is worth saying to a board plainly, because the headline qubit counts are engineered to confuse. Physical qubits, benchmark logical qubits, and fault-tolerant general-purpose qubits are three different things, and the number in the announcement is almost always the least meaningful one.

Then why does it matter now?

Because of one genuinely clever, genuinely uncomfortable idea: harvest now, decrypt later.

An adversary does not need a quantum computer today to benefit from one arriving in 2032. They need only to record your encrypted traffic now — copy it, store it, sit on it — and decrypt it retroactively when the machine exists. A nation state with cheap storage and patience is almost certainly already doing this to traffic it cares about.

That inverts the usual deadline logic. The question is not "when does the quantum computer arrive." It is "how long does this data need to stay secret, and how many years will it take me to migrate my cryptography." Subtract the second from the first. If the answer is uncomfortable, your problem is not in the 2030s. It is now.

For most short-lived data — a session token, tomorrow's lunch order — this is a non-event. For anything with a long confidentiality shelf life, it is not: state and defence secrets, health and genetic records, intellectual property, legal files, and above all the long-lived keys and certificates that everything else hangs from. Those are being copied today to be read later, and there is nothing you can do about the copies already taken. You can only stop adding to the pile.

What actually breaks — and what doesn't

Here the precision matters, because "quantum breaks encryption" is wrong in a way that leads to bad decisions.

Quantum computing breaks public-key cryptography. Shor's algorithm, run on a machine that does not yet exist, factors the large numbers that RSA depends on and solves the discrete-log problem under elliptic-curve and Diffie-Hellman. That is the maths beneath key exchange and digital signatures — which is to say beneath TLS, VPNs, PKI, code signing, and the padlock in your browser. Against that layer, a capable quantum computer is a skeleton key.

Symmetric cryptography mostly survives. The best quantum attack on AES or on a hash function is Grover's algorithm, and it offers only a quadratic speed-up — it roughly halves the effective security. AES-256 drops to about 128-bit strength, which remains comfortably out of reach for anything, quantum or not. The practical instruction is dull and reassuring: use AES-256 and SHA-384 or better, and your bulk encryption is fine.

So the accurate sentence is not "quantum breaks encryption." It is "quantum breaks the key exchange and the signatures, while the bulk cipher holds." That is a much more tractable problem, and it tells you exactly where the migration work is.

The good news the headlines leave out

The fix already exists, it is standardised, and you have very probably used it today without noticing.

In August 2024, NIST finalised the post-quantum standards after an eight-year open competition: ML-KEM for key exchange, ML-DSA and SLH-DSA for signatures. In March 2025 it added HQC, a backup built on entirely different mathematics, as insurance in case the lattice maths under ML-KEM is ever broken — a sensible hedge, given that ML-KEM's security is believed rather than proven.

And it is deployed. Chrome and Firefox turned on hybrid post-quantum key exchange by default in 2024. Cloudflare reported that by October 2025, more than half of all human-initiated traffic to its network was already post-quantum encrypted. Apple's iMessage has used a post-quantum protocol since early 2024. The migration of the public internet is quietly, unglamorously, already well underway.

The word to hold onto is hybrid: these deployments run the classical algorithm and the post-quantum one together, so you lose nothing if either is later found wanting. That belt-and-braces approach is the correct migration posture, and it is what the sober end of the industry has settled on.

The thing being sold to you that you should decline

There is a competing pitch: quantum key distribution, QKD, which uses the physics of photons rather than mathematics to exchange keys, and is marketed as unbreakable.

Both the NSA and the NCSC tell you not to rely on it, and they are right. QKD provides no authentication, so it cannot tell you who is on the other end — the exact problem that gets people breached. It cannot be done in software; it needs dedicated fibre and trusted relay hardware, which is expensive and introduces its own insider risk. And it is fragile to denial of service by design. The NSA calls post-quantum cryptography "a more cost effective and easily maintained solution." The NCSC states flatly that it "will not support the use of QKD for government or military applications."

It is a physics answer to what is really an engineering problem. When someone offers to sell you a quantum-safe future built on dedicated fibre, keep your hand on your wallet.

Is it viable — and what do I do about it?

Viable as a cryptographic weapon, today? No. Viable this decade? Genuinely uncertain, and that uncertainty is the whole point.

The vendor roadmaps — IBM's "Starling" in 2029, Quantinuum's "Apollo" in 2030 — are real engineering plans, but they are targets from companies with an interest in the dates, in a field with a long history of optimism. Treat them as the earliest credible edge, not a forecast. The more useful number comes from the Global Risk Institute's annual survey of the researchers actually doing the work: they put the chance of a cryptographically-relevant quantum computer within ten years at somewhere between one-in-three and one-in-two — and rising year on year.

That is not a countdown clock. It is a risk you would manage rather than ignore. And the authorities have already decided it is not optional: the NCSC requires UK organisations to complete post-quantum migration by 2035, with a cryptographic inventory and a plan done by 2028 and the highest-priority systems migrated by 2031. The US equivalent, CNSA 2.0, runs on a similar horizon with a 2027 procurement gate.

Stripped of the physics, what you actually do is familiar, and it is mostly good hygiene you should want regardless.

Know what you have. You cannot migrate cryptography you cannot see, and almost nobody has a real inventory of where they use RSA and elliptic curve — across TLS, VPNs, certificates, code signing, and the embedded kit with a fifteen-year service life. That discovery exercise is the 2028 milestone, and it is the hard part.

Prioritise by shelf life. Rank by how long the data must stay secret and how long the system will live. Long-lived secrets on long-lived hardware first — that is precisely where harvest-now-decrypt-later does its damage.

Become able to change your cryptography. The durable capability is crypto-agility: swapping an algorithm without re-architecting the system around it. Ask yourself honestly whether you could change your cipher suite next quarter if you had to. Most organisations cannot, and that — not the quantum computer — is the real exposure.

Then turn on the free wins and ignore the noise. Enable hybrid post-quantum TLS where it already exists; it costs almost nothing. Put a post-quantum roadmap question on your vendor due-diligence. And ignore three things: QKD as a substitute, "quantum-safe" black boxes that are not built on the NIST standards, and the headline qubit counts entirely.

The honest summary

Real physics, deferred threat, present-tense homework. That is the whole of it.

The machine that breaks your cryptography does not exist, and the people telling you it is imminent are usually selling something. But the threat is real enough to act on now, for the narrow and important reason that your long-lived secrets are being copied today to be read later. The defence is standardised, hybrid, mostly free, and already running in the browser you are reading this in.

So the answer to "is it worth it" is the least dramatic one available. Do not fear a computer that is not there. Start the dull, well-documented migration that will still be dull and well-documented whenever the computer finally arrives — and get your long-lived secrets behind post-quantum cryptography while the clock is only ticking, not yet run out.