
Explainer series 1 of 5: What is Shor's algorithm, why does it matter, and how close are we to it breaking encryption

Started by GreenEcho, May 20, 2026, 08:27 PM


GreenEcho

Welcome to the first of five explainer threads on core quantum and AI concepts. No maths, no assumed knowledge. If you have ever seen the words quantum computing in a headline about encryption being broken and wondered what any of it actually means, this thread is for you. Ask anything. Nobody here will make you feel bad for not knowing.

Shor's algorithm is a set of instructions written in 1994 by a mathematician named Peter Shor. It tells a quantum computer how to find the prime factors of a very large number incredibly quickly. That sounds dry until you understand why it matters. Almost all of the encryption that protects your bank account, your messages, and the internet runs on a simple trick: multiplying two enormous prime numbers together is easy, but reversing that process, finding the original primes from their product, is so hard that the best classical computers in the world would take longer than the age of the universe to do it. Shor's algorithm would do that same calculation in minutes on a sufficiently powerful quantum computer.

The catch, and it is a significant one, is that we do not have a sufficiently powerful quantum computer yet. Breaking the RSA-2048 encryption that secures most of the internet is estimated to require somewhere between 10,000 and 20 million physical qubits depending on how good the error correction is. The best machines today have around 1,000 to 1,500 physical qubits and they make far too many errors to run Shor's algorithm at any meaningful scale. The largest number ever factored using Shor's algorithm on real quantum hardware is 21. That is the number 21.

The timeline question is where it gets uncomfortable. In March 2026 Google published research showing that breaking elliptic curve encryption, which protects Bitcoin among other things, might need fewer resources than previously thought, potentially under half a million physical qubits. A separate Caltech and Berkeley collaboration estimated that 10,000 to 26,000 neutral atom qubits might be enough for some attacks. The expert consensus has shifted from decades away to somewhere between five and fifteen years, and that window has been compressing. The honest answer is nobody knows exactly when, but the direction of travel is clear enough that governments and companies are already preparing for it.

Quantum Computers Could Break Encryption Far Sooner Than We Realized
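The post above says Shor's algorithm finds prime factors and that this is what undoes RSA. What is less obvious is that the quantum computer only does one narrow job: it finds the period r of the function f(x) = a^x mod N. Everything before and after that step is ordinary number theory that any laptop can do. The Python below, added here as an illustration and not code from the original post, runs that classical part against the forum's own example N = 21 and against a toy RSA key constructed inline (p = 11, q = 13, e = 7). The period finder is a brute-force loop standing in for the quantum step; it is exponential in the bit length of N, which is exactly why this only works on tiny numbers here. Bases that fail (odd period, or a^(r/2) = -1 mod N) are handled, because Shor's algorithm is probabilistic and has to retry with a new base in that case.

```python
"""Classical half of Shor's algorithm on toy-sized numbers.

Added example, not from the forum post. The quantum computer's only job is
period finding; here it is simulated by brute force (find_period), which is
the step that is infeasible classically for RSA-2048-sized N.
"""
from math import gcd


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1 (the order of a modulo n).

    Brute-force stand-in for the quantum Fourier transform step. Cost is
    O(r) multiplications, and r can be as large as n, so this is only
    practical for tiny n. Requires gcd(a, n) == 1.
    """
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int):
    """Classical post-processing of Shor for one candidate base a.

    Returns a non-trivial factor pair (p, q) with p < q, or None if this
    base is a dud (odd period, or a**(r/2) == -1 mod n). Shor's algorithm
    is probabilistic: a None result means "pick another a and retry".
    """
    g = gcd(a, n)
    if g != 1:
        return (min(g, n // g), max(g, n // g))  # lucky: a shares a factor
    r = find_period(a, n)
    if r % 2:
        return None  # odd period, cannot take a square root of a**r
    y = pow(a, r // 2, n)  # y*y == 1 mod n, and y != 1 because r is minimal
    if y == n - 1:
        return None  # trivial square root of 1, gives no information
    # Now y*y - 1 == (y-1)(y+1) == 0 mod n with y != +-1, so n splits.
    p = gcd(y - 1, n)
    return (min(p, n // p), max(p, n // p))


def factor(n: int):
    """Try bases 2, 3, ... until Shor's post-processing splits n."""
    for a in range(2, n):
        result = shor_factor(n, a)
        if result is not None:
            return result
    raise ValueError(f"{n} has no non-trivial factors (prime or prime power)")


def recover_private_exponent(n: int, e: int) -> int:
    """What an attacker does once N is factored: rebuild the RSA private
    exponent d from the public key (n, e) alone. Uses phi(N) = (p-1)(q-1)
    as in textbook RSA, matching how the toy key below is generated."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


if __name__ == "__main__":
    # The forum's example: 21 = 3 * 7.
    print("period of 2 mod 21:", find_period(2, 21))   # 6
    print("21 factors as:", factor(21))                 # (3, 7)

    # Constructed toy RSA key (not a real key size): p=11, q=13, e=7.
    p, q, e = 11, 13, 7
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    ciphertext = pow(42, e, n)
    d_recovered = recover_private_exponent(n, e)
    print("legitimate d:", d, "recovered d:", d_recovered)
    print("decrypts to:", pow(ciphertext, d_recovered, n))  # 42
```

Scaling the same code to a 2048-bit N does not fail because the post-processing is hard; it fails because `find_period` would need roughly 2^1024 iterations. Shor's contribution is replacing that one loop with a quantum subroutine whose cost grows polynomially in the bit length, which is why the qubit-count estimates in the thread are the number that matters.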

JustMartin

Wait, so the number 21 is genuinely the biggest thing Shor's algorithm has factored on real hardware? That is simultaneously hilarious and reassuring.
Lurker since the beginning

DQ Eric

It is both of those things, yes. 21 equals 3 times 7, and the experiment in 2012 needed significant shortcuts to even achieve that. We are extraordinarily far from RSA-2048.
git commit -m "fixed everything"

Ruby_50

If we are that far away, why are governments already spending billions on post-quantum cryptography migration?

Chris_50

Because the harvest-now-decrypt-later threat is real. Adversaries can record encrypted traffic today and decrypt it later once quantum hardware exists. For data that needs to stay secret for 10 to 20 years, you have to act now.

HeartbreakKidStinger64

I had never heard of harvest-now-decrypt-later before. That is genuinely alarming when you think about medical records or intelligence communications.
git commit -m "fixed everything"

Lucy05

It is the reason the urgency is front-loaded relative to the actual capability. The data with the longest secrecy requirements needs the most lead time to protect.
Measure twice, post once

GreenEcho

The five to fifteen year window feels very wide. Is there a more specific estimate anyone stands behind?

Shane96

What is post-quantum cryptography actually? Is it just stronger versions of current encryption?

Red Builder

No, it is mathematically different. Current encryption relies on factoring being hard. Post-quantum cryptography relies on different mathematical problems that Shor's algorithm does not solve. NIST finalised four standards in 2024.

Di87


BlueFalcon

That is the idea. The new algorithms are designed to be hard for quantum computers as well as classical ones. Nothing is guaranteed forever, but the mathematical foundations are different enough that the threat model changes.

FinnHalliday

The honest answer is no. The range reflects genuine uncertainty in how fast error correction improves. If neutral atom qubits deliver on the ETH Zurich results from this month, the lower end gets more plausible.

Danny47

Gunners for life.

Bussin99

No. Today your bank account is safe. The practical advice is to make sure any sensitive communications use end-to-end encryption with post-quantum options enabled where available, and watch for when your bank announces PQC migration.
Somewhere between inspired and overwhelmed