RSA Becomes the First Casualty of the Quantum Era
Let's get to the point. Is this a clickbait title? No, this is reality, and RSA's fate seems sealed. By 2030, it will be deprecated. Another standard is already being defined, which we will get to shortly.
Does this mean the end of GPG encryption and the use of public/private keys? Definitely not. What will change is the algorithm. The process itself will remain largely the same, but the mathematics behind it must be strengthened. As the title suggests, quantum computing is coming, and it has no mercy for weak algorithms. What was strong in the past, quantum computers don't take seriously. We need to strengthen our position and respond to the threat.
There are plenty of apocalyptic and dramatic posts on both tech and non-tech portals. It is no surprise, at least not to me. In today's world, sensation is often more appealing than facts. Does quantum mean the death of encryption? Again, no. As hardware evolves, so do software and algorithms. To stay relevant, we need to keep pace with the latest developments. That's both the curse and the beauty of this profession.
Enough philosophy, let's talk about the real world and what the future brings. The future is hybrid. We rely on AES for strength today, and prepare for quantum-safe algorithms tomorrow. That's the storyline of this post.
PGP/GPG Encryption
For those less familiar with the topic, PGP (Pretty Good Privacy) is a commercially available encryption tool. Its counterpart GPG is an open-source, free implementation of the OpenPGP standard. Both use asymmetric encryption with a pair of private and public keys. The idea is simple but powerful. You keep your private key secret, while your public key can be shared with the world. Anyone can use your public key to encrypt a message, but only you can decrypt it with your private key. Remember that your private key should never be shared!
✗ gpg --full-generate-key
gpg (GnuPG) 2.4.8; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 7
Key expires at Sun Sep 14 17:36:06 2025 CEST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Quantum Computing
Email address: rsa@example.com
Comment: This is demo.
You selected this USER-ID:
"Quantum Computing (This is demo.) <rsa@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub rsa2048 2025-09-07 [SC] [expires: 2025-09-14]
uid Quantum Computing (This is demo.) <rsa@example.com>
sub rsa2048 2025-09-07 [E] [expires: 2025-09-14]
To export public key:
✗ gpg --armor --export rsa@example.com > public.asc
✗ cat public.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFzLm7kBCADQrtGi2GQ0Jd2R3klvKhHwGXRCBG2BrM5aAcPxtzT5Gm2m0u2R
m7v5nAkugC6ukcAdGqfXy6g6EhxnDnbls8Hc0WQAhY3tq6b6sl3jW6A1QBuVzqSK
....
=tGhy
-----END PGP PUBLIC KEY BLOCK-----
The Lock-and-Box Analogy for Public-Key Encryption
It’s time for a bedtime story.
Imagine a time long ago, when two castles needed to exchange secret messages without the courier being able to read them. The participants are John and Jane. Each of them owns a padlock and its matching key.
The courier cannot break the padlocks open as he lacks the tools and time, so his only role is to carry a locked box back and forth between John and Jane.
Here is the problem: how can John and Jane exchange the message if neither has the other's private key, and they cannot simply hand over their own keys to the courier (because then he could unlock the box and read the contents)?
The solution is simple, though not immediately obvious!
- Jane prepares the box. She puts the message inside, locks it with her padlock, and keeps her key.
- The courier delivers this locked box to John.
- John adds his padlock. He cannot open Jane’s lock, but he adds his own padlock on the same box and sends it back.
- Jane removes her padlock.
- The box is still locked by John’s padlock, but Jane’s is now gone.
- The courier delivers the box back to John.
- John unlocks his padlock. Now John can open the box and read the message.
At no point did Jane or John share their private keys. Instead, the padlocks themselves acted like public keys. They were exchanged freely, while the keys to open them remained private. The courier, despite carrying the box multiple times, never had the ability to peek inside.
Lock and Box Analogy Mapping
I wish I came up with this story, but this is something that I listened 30ish years ago from my mentor. It stuck with me ever since.
Why RSA is Becoming Obsolete
RSA encryption, and especially decryption , is computationally heavy. Its security is based on the difficulty of factoring the product of two large prime numbers. With today's classical computers, factoring a 2048-bit number would take millions of years. However, RSA does not scale well. As computing power increases, key sizes must also increase, which quickly becomes inefficient.
RSA also isn't suitable for encrypting large files. In practice, it can only handle data roughly up to the size of the key. That is why it is mostly used to encrypt session keys or small pieces of data, rather than full documents.
Shor's Algorithm, a quantum algorithm for factoring large numbers, has been known since 1994, but until now classical hardware wasn't powerful enough to make it relevant. As quantum computing advances, this threat is becoming real. With sufficient quantum resources, RSA encryption could be broken in a matter of hours or even minutes, regardless of key size.
Cryptocurrency and Cryptography in Quantum Era
Harvest now, decrypt later is a surveillance strategy that relies on the acquisition and long-term storage of currently unreadable encrypted data, awaiting possible breakthroughs in decryption technology that would render it readable in the future – a hypothetical date referred to as Y2Q (a reference to Y2K) or Q-Day.
In theory, "harvest now, decrypt later" is a problem for crypto, but only in some cases. For example, Bitcoin addresses in a wallet are safe if they haven not been used. By "used" I refer to transactions from that address in a wallet, meaning that the public key has not been exposed. Somebody can harvest the public key from the transaction (because it is public obviously) and then, when they have enough quantum power, derive the private key from it. Today this would require millions of years, but with quantum computing achieving enough power, it could become a matter of minutes or hours.
However, we are still 15–20 years away from this possibility. The migration is already underway to post-quantum algorithms that protect against quantum attacks. So, if the address has been revealed by a transaction and it is not migrated into a new wallet, there is a possibility that in 15–20 years somebody who harvested the public key now could be able to unlock the target wallet. To do that, they would need a few million qubits, and those must be error-corrected qubits, not just physical ones. Currently, quantum computers operate with fewer than 100 error-corrected qubits, even though we have passed the 1,000 physical qubit mark. Theoretical threats may become concerning after 2040.
What To Use Today
The practical answer is hybrid encryption. Until post-quantum algorithms are fully standardized and widely deployed, continue using RSA (or ECC) for key exchange, while relying on symmetric algorithms like AES for actual data encryption. AES remains strong even against quantum threats. It only requires larger key sizes to stay secure.
There is no need to panic today. RSA is not "broken" yet, at least not that we are aware about, but organizations like NIST have already announced plans to deprecate RSA and elliptic-curve cryptography (ECC) by the early 2030s, replacing them with post-quantum algorithms.
Final Thoughts
With that, we can close this chapter. The main takeaway, beyond moving away from RSA, is the importance of following best practices and trusted sources in technology. Sensationalism is not our friend. Facts and knowledge are.