Everything you've learned in this book, the handshakes, the cipher suites, the key exchanges, the signatures, all of it rests on one assumption: certain math problems are hard to solve.
RSA assumes factoring large numbers is hard. ECDHE and ECDSA assume the discrete logarithm problem on elliptic curves is hard. These assumptions have held for decades: no known classical algorithm solves either problem in any reasonable time at the key sizes in use.
Quantum computers change that.
A sufficiently powerful quantum computer running Shor's algorithm can factor large numbers and solve discrete logarithms (on elliptic curves and in finite fields) in polynomial time. That means the asymmetric algorithms TLS depends on, RSA, ECDHE and ECDSA, all fall to the same machine.
Every TLS handshake you've seen in this book uses at least one of these. The key exchange that creates the shared secret and the signature that proves the server's identity both rely on math that a quantum computer can undo.
Symmetric encryption (AES) and hashing (SHA-256) are not broken by quantum computers. Grover's algorithm gives at most a quadratic speedup on brute-force search, which halves the effective key length: exhausting an AES-128 key drops from about 2^128 to about 2^64 quantum operations, and a SHA-256 preimage from 2^256 to 2^128. In practice the threat is smaller than those numbers suggest, because Grover's iterations must run sequentially and cannot be parallelized the way a classical brute force can, but the conservative fix is still simple: use AES-256 (and SHA-384 where a 256-bit margin matters). The symmetric parts of TLS survive.
The asymmetric parts do not.
Here's why this is urgent even though large-scale quantum computers don't exist yet. An attacker can record encrypted TLS traffic today (the attack is usually called "harvest now, decrypt later"). The symmetric encryption protects the data for now. But the key exchange that created those symmetric keys used ECDHE or RSA, and everything needed to attack it, the ephemeral public keys or the RSA-encrypted premaster secret, is sitting in the recorded handshake. Forward secrecy does not help here: it protects against a later compromise of the long-term key, not against a future break of the key exchange itself. When a quantum computer becomes available, the attacker can break the key exchange, recover the symmetric keys, and decrypt all that stored traffic.
Data with a long shelf life, government secrets, medical records, financial data, intellectual property, is already at risk. If it needs to stay secret for 10 or 20 years, and a quantum computer arrives in that window, the encryption you used today wasn't enough.
The fix is called post-quantum cryptography (PQC): new algorithms based on math problems (mostly structured lattices) for which no efficient quantum algorithm is known. NIST published the first set of standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures.
TLS 1.3 already supports hybrid key exchange, where the handshake runs both ECDHE and ML-KEM and concatenates the two shared secrets before feeding them into the key schedule. The client's key_share carries both an ML-KEM encapsulation key and an X25519 public key; the server answers with an ML-KEM ciphertext and its own X25519 public key. Because the derived key depends on both secrets, an attacker has to break both algorithms; if either one holds, the connection is secure. The common hybrid group today is X25519MLKEM768, and Chrome and CloudFront are already negotiating it in production.
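The hybrid exchange described above, written out with both sides' messages. This is an added example, not code from the book or from any TLS stack: it uses Go's standard-library crypto/mlkem and crypto/ecdh (Go 1.24 or later), lays out the key shares in the X25519MLKEM768 order (ML-KEM material first, then X25519), and stands in for the TLS 1.3 key schedule with a single HKDF-Extract using a zero salt. The ClientHello/ServerHello framing is reduced to the raw key_share bytes, and the names Client, ServerRespond, Finish and RunHandshake are this example's own, not TLS or Go API.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sizes fixed by ML-KEM-768 and X25519.
const (
	mlkemEKSize = mlkem.EncapsulationKeySize768 // 1184 bytes
	mlkemCTSize = mlkem.CiphertextSize768       // 1088 bytes
	x25519Size  = 32
)

// Client keeps the ephemeral private halves between sending its key share
// and receiving the server's reply.
type Client struct {
	dk *mlkem.DecapsulationKey768
	sk *ecdh.PrivateKey
}

// NewClient generates both halves of the hybrid key share.
func NewClient() (*Client, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{dk: dk, sk: sk}, nil
}

// KeyShare is the ClientHello key_share payload for X25519MLKEM768:
// ML-KEM encapsulation key, then X25519 public key.
func (c *Client) KeyShare() []byte {
	share := make([]byte, 0, mlkemEKSize+x25519Size)
	share = append(share, c.dk.EncapsulationKey().Bytes()...)
	return append(share, c.sk.PublicKey().Bytes()...)
}

// ServerRespond consumes the client's share and returns the server's share
// (ML-KEM ciphertext, then X25519 public key) and the derived secret.
func ServerRespond(clientShare []byte) (serverShare, secret []byte, err error) {
	if len(clientShare) != mlkemEKSize+x25519Size {
		return nil, nil, errors.New("bad client key share length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkemEKSize])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkemEKSize:])
	if err != nil {
		return nil, nil, err
	}
	kemShared, ct := ek.Encapsulate() // encapsulate to the client's ML-KEM key
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecdhShared, err := sk.ECDH(clientPub)
	if err != nil {
		return nil, nil, err
	}
	serverShare = make([]byte, 0, mlkemCTSize+x25519Size)
	serverShare = append(serverShare, ct...)
	serverShare = append(serverShare, sk.PublicKey().Bytes()...)
	return serverShare, handshakeSecret(kemShared, ecdhShared), nil
}

// Finish is the client side: decapsulate the ciphertext, complete X25519,
// and derive the same secret the server did.
func (c *Client) Finish(serverShare []byte) ([]byte, error) {
	if len(serverShare) != mlkemCTSize+x25519Size {
		return nil, errors.New("bad server key share length")
	}
	// A tampered ciphertext does not error: ML-KEM implicitly rejects by
	// returning an unrelated pseudo-random secret, so the handshake fails
	// later when the Finished MACs disagree.
	kemShared, err := c.dk.Decapsulate(serverShare[:mlkemCTSize])
	if err != nil {
		return nil, err
	}
	serverPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkemCTSize:])
	if err != nil {
		return nil, err
	}
	ecdhShared, err := c.sk.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return handshakeSecret(kemShared, ecdhShared), nil
}

// handshakeSecret concatenates the shared secrets (ML-KEM first, as the
// hybrid group does) and runs HKDF-Extract with a zero salt. Real TLS 1.3
// feeds the concatenation into its full key schedule; this stand-in is an
// assumption of the example. Either secret alone cannot reproduce the output.
func handshakeSecret(kemShared, ecdhShared []byte) []byte {
	ikm := append(append([]byte{}, kemShared...), ecdhShared...)
	mac := hmac.New(sha256.New, make([]byte, sha256.Size))
	mac.Write(ikm)
	return mac.Sum(nil)
}

// RunHandshake runs the exchange end to end and reports agreement.
func RunHandshake() (bool, error) {
	c, err := NewClient()
	if err != nil {
		return false, err
	}
	serverShare, serverSecret, err := ServerRespond(c.KeyShare())
	if err != nil {
		return false, err
	}
	clientSecret, err := c.Finish(serverShare)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientSecret, serverSecret), nil
}

func main() {
	ok, err := RunHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("hybrid secrets agree:", ok)
}
```

The point to notice is in handshakeSecret: an attacker who later runs Shor's algorithm against the recorded X25519 public keys recovers ecdhShared, but without kemShared the HKDF input is still unknown, so the recorded session stays encrypted. The reverse also holds if a flaw is ever found in ML-KEM, which is the reason deployments hybridize rather than switch outright.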
The signature migration (replacing ECDSA and RSA in certificates with ML-DSA or SLH-DSA) is harder and slower, because it affects the entire PKI chain: root programs, CA issuance, certificate sizes, and every verifier. It is also less urgent: a signature only has to resist forgery at the moment it is verified, so recorded handshakes cannot be attacked retroactively the way recorded key exchanges can. That is why key exchange is being migrated first. But the signature migration is coming.
This chapter gives you the "why" of the quantum threat to TLS. For the full story, including how quantum computers actually work, why Shor's algorithm breaks RSA, what the new algorithms look like inside, and who's deploying them today, read The Practical Guide to Encryption, TLS, and Post-Quantum Cryptography.
For how post-quantum signatures affect certificates and the trust chain, read PKI From First Principles.