A classical bit is 0 or 1. A qubit can be a blend of both — a superposition — until you measure it. The arrow on the sphere is the qubit's state; while it spins around the equator it is equally |0⟩ and |1⟩.
Press Measure: the superposition collapses at random to a single 0 or 1. Stack many qubits and they explore exponentially many combinations together — the source of quantum computing's power, and its danger to cryptography.
Entangle two qubits and they lose independent identities. Measure one and the other's outcome is fixed in the same instant — however far apart they are.
Press Measure A: A collapses at random, and B's result is locked to it immediately. Entanglement is the wiring that lets many qubits compute together — and it's what algorithms like Shor's exploit.
Each qubit you add doubles the states the machine holds at once. n qubits explore 2ⁿ possibilities in superposition.
Add qubits and watch the count explode. Around 300 qubits, 2ⁿ exceeds the number of atoms in the observable universe — which is why the right quantum algorithm can outrun any classical computer ever built.
RSA's security rests on one fact: factoring a huge number is impossibly slow for classical computers. Shor's algorithm turns factoring into period-finding — something a quantum computer does efficiently.
Watch the remainders of aˣ mod N cycle around the ring. The length of that repeating cycle — the period — hands you the factors. What takes classical machines longer than the age of the universe for RSA-2048 becomes tractable for a large enough quantum computer.
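The reduction described above, worked classically as an added example (not code from the page): the period r of aˣ mod N is found by brute force in place of the QFT, and gcd(a^(r/2) − 1, N) then yields a factor of small textbook moduli.

```python
from math import gcd


def find_period(a: int, n: int) -> int:
    """Cycle length of a**x mod n: the smallest r > 0 with a**r == 1 (mod n).
    This brute-force loop is the step a quantum computer replaces with the QFT."""
    r, value = 1, a % n
    while value != 1:
        value = value * a % n
        r += 1
    return r


def factor_from_period(a: int, n: int):
    """Turn the period of a**x mod n into a proper factor of n, or None if this a is unusable.
    Requires gcd(a, n) == 1."""
    r = find_period(a, n)
    if r % 2:
        return None                      # odd period: the square-root trick below needs r/2
    half = pow(a, r // 2, n)
    if half == n - 1:
        return None                      # a**(r/2) == -1 (mod n): the brackets below give nothing
    # a**r - 1 == (half - 1) * (half + 1) == 0 (mod n), yet n divides neither bracket on its
    # own (half is neither 1 nor -1 mod n), so each bracket shares a proper factor with n.
    return gcd(half - 1, n)


def shor_classical(n: int):
    """Try bases a = 2, 3, ... until a period yields a factor. Returns (a, r, p, q)."""
    for a in range(2, n):
        if gcd(a, n) != 1:
            continue                     # a already shares a factor; the period route needs coprime a
        f = factor_from_period(a, n)
        if f:
            return a, find_period(a, n), f, n // f
    return None


if __name__ == "__main__":
    # Textbook-sized moduli (constructed inputs, not taken from the page).
    for n in (15, 21, 91, 221):
        print(f"N={n}: base a, period r, factors ->", shor_classical(n))
```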
Shor's real magic is the QFT. Feed it the repeating signal from aˣ mod N and it concentrates all that information into one sharp spike — the period — in a single quantum step.
The wave on top is the periodic input; the bars below are its frequencies. Classically, finding that frequency means checking values one by one. The QFT reveals it all at once.
Grover's algorithm finds a needle in an unsorted haystack of N items in about √N steps. Each iteration pumps amplitude into the right answer until it's almost certain.
For symmetric crypto that's a square-root speedup — it effectively halves your key strength. The fix is simple and cheap: double the key. AES-256 stays safe; AES-128 does not.
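To make the amplitude pumping concrete, here is an added state-vector simulation of Grover's search (not code from the page) over N = 2ⁿ items held in a plain list; the iteration count grows as √N, while an unstructured classical search inspects N/2 items on average.

```python
from math import floor, pi, sqrt


def grover_iterations(n_bits: int) -> int:
    """Optimal iteration count, about (pi/4) * sqrt(N) for N = 2**n_bits items."""
    return floor(pi / 4 * sqrt(2 ** n_bits))


def grover(n_bits: int, target: int):
    """Simulate Grover's search over 2**n_bits real amplitudes.
    Returns (iterations run, probability that a measurement yields `target`)."""
    size = 2 ** n_bits
    amps = [1 / sqrt(size)] * size             # uniform superposition: every item equally likely
    for _ in range(grover_iterations(n_bits)):
        amps[target] = -amps[target]           # oracle: phase-flip the needle
        mean = sum(amps) / size
        amps = [2 * mean - a for a in amps]    # diffusion: reflect every amplitude about the mean
    return grover_iterations(n_bits), amps[target] ** 2


def classical_average_checks(n_bits: int) -> float:
    """Unstructured search with no shortcut: on average half the haystack is inspected."""
    return 2 ** n_bits / 2


if __name__ == "__main__":
    # Constructed demo: the needle sits at index 5 in each haystack.
    for n in (4, 8, 12):
        k, p = grover(n, target=5)
        print(f"n={n:2d} N={2**n:5d}: {k:3d} Grover steps, P(success)={p:.4f}, "
              f"classical average {classical_average_checks(n):.0f} checks")
```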
Breaking RSA-2048 needs millions of high-quality physical qubits. Today's machines have hundreds — but the count is climbing, and error correction keeps improving.
Nobody can name the exact year. Conservative estimates put a cryptographically relevant quantum computer in the early 2030s — well inside the lifetime of data you encrypt today.
An adversary doesn't need a quantum computer today. They can capture your encrypted traffic now, store it cheaply, and decrypt it the day a cryptographically relevant quantum computer arrives.
Anything whose secrecy must outlive that arrival is exposed the moment it's sent. Drag data shelf-life: if your secret must last past the quantum line, it's already at risk — which is the whole reason migration can't wait for the hardware.
Post-quantum schemes like ML-KEM and ML-DSA rest on lattice problems: given a point hidden by noise, find the nearest point of a vast grid. Easy in 2D — exponentially hard in a thousand dimensions, and Shor's algorithm gives no shortcut.
The green dot is hidden in the lattice by random noise. With the secret basis it's trivial to recover; without it, you're lost in the haystack. That asymmetry is the foundation NIST standardised for the post-quantum era.
Post-quantum security isn't free on the wire. ML-KEM and ML-DSA keys and signatures are far larger than RSA or ECC — and SLH-DSA larger still.
That's kilobytes per handshake, multiplied across millions of connections: MTUs, packet limits, HSM throughput and storage all feel it. Planning the byte budget is part of a real migration.
ML-KEM rests on a deceptively simple idea: linear equations are trivial to solve — until you hide each answer under a little random noise.
Press Add noise: the clean line scatters and the secret becomes hard to recover, even for a quantum computer. Knowing the secret key turns it back into easy algebra. That asymmetry is the whole game.
SLH-DSA (FIPS 205) takes the most conservative route: trust nothing but a hash function. Many one-time keys are folded into a single Merkle root that becomes your public key.
A signature reveals one leaf plus the short path of hashes up to the root. No new number-theory assumptions — just hashing, which quantum computers barely dent. Slow and large, but rock-solid.
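The leaf-plus-path structure described here, as an added toy (not SLH-DSA itself and not code from the page): Lamport one-time keys folded into a Merkle root, with SHA-256 as the only primitive. Tree size and key handling are simplified; SLH-DSA's WOTS+ chains and hypertree are far larger.

```python
import hashlib
import secrets

LEAVES = 8     # 2**3 one-time keys under one root (toy size)
H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()
leaf_hash = lambda pk: H(*[a + b for a, b in pk])             # leaf = hash of one OTS public key
bits = lambda digest: [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_keygen():
    """Lamport one-time key: two random preimages per digest bit, published as their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def ots_sign(sk, digest):
    return [sk[i][bit] for i, bit in enumerate(bits(digest))]   # reveal one preimage per bit

def ots_verify(pk, digest, sig):
    return len(sig) == 256 and all(H(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(bits(digest), sig)))

def merkle_keygen():
    """Fold LEAVES one-time public keys into a single root: the long-term public key."""
    keys = [ots_keygen() for _ in range(LEAVES)]
    layers = [[leaf_hash(pk) for _, pk in keys]]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return {"keys": keys, "layers": layers, "used": set()}, layers[-1][0]

def merkle_sign(state, index, message):
    """Signature = (leaf index, one-time signature, that leaf's OTS public key, sibling hashes to the root).
    A leaf is spent after one use: signing twice with the same Lamport key leaks preimages."""
    if index in state["used"]:
        raise ValueError("one-time key already spent")
    state["used"].add(index)
    sk, pk = state["keys"][index]
    path, i = [], index
    for layer in state["layers"][:-1]:
        path.append(layer[i ^ 1])                # sibling node at this level
        i //= 2
    return index, ots_sign(sk, H(message)), pk, path

def merkle_verify(root, message, signature):
    """Check the one-time signature, then rebuild the root from the leaf and its path."""
    index, ots_sig, pk, path = signature
    if not ots_verify(pk, H(message), ots_sig):
        return False
    node = leaf_hash(pk)
    for sibling in path:
        node = H(node, sibling) if index % 2 == 0 else H(sibling, node)
        index //= 2
    return node == root
```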
You don't have to bet everything on a young algorithm. A hybrid key exchange runs a classical one (X25519) and a post-quantum one (ML-KEM) together and mixes both into one shared secret.
An attacker must break both to win. If PQC has an undiscovered flaw, the classical half still protects you today; if a quantum computer arrives, the PQC half holds. It's how most real deployments are starting.
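The "mix both into one shared secret" step, as an added example (not code from the page and not a TLS implementation): a concatenate-then-KDF combiner over the X25519 and ML-KEM shared secrets, bound to a transcript hash. The two secrets and the transcript in `demo()` are constructed placeholder bytes standing in for real KEM outputs.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes, transcript_hash: bytes) -> bytes:
    """Hybrid combiner: key = HKDF(ss_classical || ss_pq, info = label || transcript hash).
    Both halves feed one keyed hash, so an attacker must recover BOTH to derive the key;
    the transcript binding keeps the result tied to this handshake."""
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("fixed-length inputs only: keeps the concatenation unambiguous")
    return hkdf_sha256(ss_classical + ss_pq, salt=b"", info=b"hybrid-kex-v1|" + transcript_hash)


def demo():
    """Constructed secrets standing in for real X25519 / ML-KEM outputs. Returns the real key
    and the keys derived by someone who knows only the classical half, or only the PQ half."""
    ss_x25519, ss_mlkem = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript = hashlib.sha256(b"client_hello|server_hello|constructed").digest()
    real = combine_shared_secrets(ss_x25519, ss_mlkem, transcript)
    knows_classical_only = combine_shared_secrets(ss_x25519, secrets.token_bytes(32), transcript)
    knows_pq_only = combine_shared_secrets(secrets.token_bytes(32), ss_mlkem, transcript)
    return real, knows_classical_only, knows_pq_only
```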
The lasting fix isn't one migration — it's building so the cipher is a pluggable module, not hard-wired through your code.
Press Swap: the RSA module slides out, ML-KEM slides in, and the application keeps serving. Get this right once and the next algorithm change is a config update, not a multi-year project. It's exactly what KavachQ's CBOM and migration planning are for.
You've seen the threat and the defence. See where your estate stands today — then plan the move.