Today, market predictions about when a "cryptographically relevant quantum computer" (CRQC) will arrive are often radical and exaggerated, leading to calls for an immediate, wholesale migration to post-quantum cryptography.
However, these calls often overlook both the costs and risks of premature migration and the very different risk profiles of the individual cryptographic primitives:
Clarifying these distinctions is crucial. Misunderstanding them distorts cost-benefit analyses and can lead teams to neglect more pressing security risks, such as ordinary implementation bugs.
In the migration to post-quantum cryptography, the real challenge is matching the sense of urgency to the actual threat. The following sections clear up common misconceptions about the quantum threat to encryption, signatures, and zero-knowledge proofs (with particular attention to their use in blockchains).
Despite the hype, the likelihood of a cryptographically relevant quantum computer (CRQC) emerging in the 2020s is extremely low.
By "CRQC" I mean a fault-tolerant, error-corrected quantum computer large enough to run Shor's algorithm against elliptic-curve cryptography or RSA within a practical timeframe (for example, recovering a secp256k1 private key or factoring an RSA-2048 modulus within a month at most).
A sober reading of public milestones and resource estimates shows that we are still a long way from such a machine. Some companies claim a CRQC could exist by 2030 or 2035, but publicly known progress does not support these claims.
Objectively, across all current hardware architectures (trapped ions, superconducting qubits, neutral atoms), no platform today comes anywhere near the hundreds of thousands to millions of physical qubits that Shor's algorithm is estimated to require (the exact figure depends on the physical error rate and the error-correction scheme).
The limiting factors go beyond raw qubit count: gate fidelities, qubit connectivity, and the ability to sustain error correction over the circuit depth a deep quantum algorithm needs all matter. Some systems now exceed 1,000 physical qubits, but that number alone is misleading: these systems lack the connectivity and fidelity that cryptanalytic computations require.
Recent systems are beginning to reach physical error rates below the threshold at which quantum error correction pays off, but no one has yet demonstrated more than a handful of logical qubits operating reliably over sustained error-corrected circuit depth, let alone the thousands of high-fidelity, deep-circuit, fault-tolerant logical qubits Shor's algorithm actually requires. The gap between "quantum error correction is feasible in principle" and "the scale required for cryptanalysis" remains enormous.
In short: a CRQC remains a long way off unless both qubit count and fidelity improve by several orders of magnitude.
However, corporate press releases and media reports are easy to misread. Common sources of confusion include:
Even if a roadmap targets "thousands of logical qubits by year X," that does not mean the company expects to run Shor's algorithm against deployed cryptography in that year. Logical qubits on a roadmap are an engineering milestone; breaking RSA-2048 additionally requires deep, sustained fault-tolerant circuits running on those qubits.
Such marketing has badly distorted the public's (and even some seasoned observers') perception of how imminent the quantum threat is.
Nevertheless, some experts are genuinely excited about the progress. Scott Aaronson recently said that, given the pace of hardware advances, he considers it "possible to have a fault-tolerant quantum computer running Shor's algorithm before the next US presidential election." He also stated explicitly that this is not the same as a CRQC that could threaten cryptography: even factoring 15 = 3 × 5 on a fault-tolerant machine would count as a "successful prediction." That is clearly not on the same scale as breaking RSA-2048.
In fact, every quantum experiment that has "factored 15" so far used simplified, special-purpose circuits rather than the full fault-tolerant Shor's algorithm, and factoring 21 has required additional hints and shortcuts.
In short, no publicly available result shows that a quantum computer able to break RSA-2048 or secp256k1 can be built within the next 5 years.
Even within ten years, this remains a very aggressive prediction.
The US government has set 2035 as the target for completing the post-quantum migration of federal systems. That is a timeline for the migration project itself, not a prediction that a CRQC will exist by then.
"HNDL (Harvest Now, Decrypt Later)" refers to an attacker recording encrypted traffic today in order to decrypt it once a quantum computer becomes available.
Nation-state adversaries may already be archiving encrypted US government communications at scale for future decryption. Encryption and key-exchange systems therefore need to migrate now, especially where the data must remain confidential for 10 to 50 years or more.
Digital signatures, on which all blockchains rely, are different: a signature carries no confidential payload that an attacker could harvest now and decrypt later.
In other words, once a CRQC exists, an attacker can forge new signatures from that moment on (any key whose public half is already known, for example because it has signed on chain, is exposed). Signatures produced earlier are unaffected: they have no secret to reveal, and a signature that can be shown to have been produced before the CRQC existed cannot be a forgery.
The urgency of migrating to post-quantum signatures is therefore far lower than that of migrating encryption and key exchange.
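To make the asymmetry between the HNDL threat to encryption and the non-retroactive threat to signatures concrete, here is an added toy model; it is not code from the original article. It uses a deliberately tiny textbook RSA key, classical trial-division factoring standing in for Shor's algorithm on a CRQC, and a hash-chained log standing in for a blockchain. The constants P, Q and E, the transaction strings, the checkpoint mechanism and all function names are constructed for illustration and nothing here is secure. The scenario shows that recovering the private key lets the attacker read an archived ciphertext and forge new signatures, but cannot alter the signatures committed before a checkpoint hash that was published before the key fell.

```python
"""Toy model: 'harvest now, decrypt later' hits encryption but not past signatures.
Everything is constructed for illustration (~40-bit RSA, trial division as 'Shor',
hash chain as 'blockchain'). Not secure, not for production."""
import hashlib
import math

# Constructed primes (~2^20 each), small enough that classical factoring is instant,
# so factor_modulus() can play the role of a CRQC running Shor's algorithm.
P, Q, E = 1_000_003, 1_000_033, 65537


def keygen(p=P, q=Q, e=E):
    """Textbook RSA key pair: public (n, e), private exponent d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)


def msg_hash(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, d: int, pub) -> int:
    n, _ = pub
    return pow(msg_hash(msg, n), d, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == msg_hash(msg, n)


def encrypt(m: int, pub) -> int:
    """Toy ciphertext (m < n): the kind of record an HNDL attacker archives."""
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, d: int, pub) -> int:
    return pow(c, d, pub[0])


def factor_modulus(n: int):
    """Classical trial division, standing in for Shor's algorithm on a CRQC."""
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_private_key(pub) -> int:
    """What a CRQC hands the attacker: d derived from the public key alone."""
    n, e = pub
    p, q = factor_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


def ledger_append(ledger, msg: bytes, sig: int) -> str:
    """Hash-chained log: each entry commits to the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    digest = hashlib.sha256(f"{prev}|{msg.hex()}|{sig}".encode()).hexdigest()
    ledger.append({"prev": prev, "msg": msg, "sig": sig, "hash": digest})
    return digest


def ledger_consistent(ledger) -> bool:
    prev = "0" * 64
    for ent in ledger:
        expect = hashlib.sha256(f"{prev}|{ent['msg'].hex()}|{ent['sig']}".encode()).hexdigest()
        if ent["prev"] != prev or ent["hash"] != expect:
            return False
        prev = ent["hash"]
    return True


def run_scenario() -> dict:
    pub, d = keygen()
    ledger = []
    # Before the CRQC: honest signer commits two transactions; a checkpoint (head hash)
    # is published; the attacker archives one ciphertext for later.
    for tx in (b"pay alice 1", b"pay bob 2"):
        ledger_append(ledger, tx, sign(tx, d, pub))
    checkpoint = ledger[-1]["hash"]
    archived_ct = encrypt(424242, pub)
    # CRQC day: attacker recovers d from the public key and forges a new transaction.
    d_attacker = recover_private_key(pub)
    forged_tx = b"pay mallory 99"
    forged_sig = sign(forged_tx, d_attacker, pub)
    # Attempt to rewrite history so the forgery appears before the checkpoint.
    rewritten = []
    ledger_append(rewritten, forged_tx, forged_sig)
    ledger_append(rewritten, ledger[1]["msg"], ledger[1]["sig"])
    return {
        "recovered_key_matches": d_attacker == d,
        "hndl_on_encryption": decrypt(archived_ct, d_attacker, pub) == 424242,
        "old_sigs_still_valid": all(verify(e["msg"], e["sig"], pub) for e in ledger),
        "honest_ledger_consistent": ledger_consistent(ledger),
        "forgery_verifies": verify(forged_tx, forged_sig, pub),
        "rewrite_breaks_checkpoint": rewritten[-1]["hash"] != checkpoint,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The two results to compare are `hndl_on_encryption` (the archived ciphertext is recovered once the key falls) and `rewrite_breaks_checkpoint` (a forgery can only be placed after the last checkpoint published before the key fell, so pre-CRQC signatures remain trustworthy). `forgery_verifies` is also true, which is exactly why post-CRQC signatures, not pre-CRQC ones, need a post-quantum scheme.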
Mainstream platforms have adopted strategies that reflect this:
By contrast, deployment of post-quantum signatures in critical web infrastructure has been deliberately deferred. It will happen only when a CRQC is genuinely close, because post-quantum signatures still carry a significant performance penalty (mainly much larger signatures and public keys).
The situation is similar for zkSNARKs (zero-knowledge succinct non-interactive arguments of knowledge). Even when a zkSNARK is built on elliptic curves (which are not post-quantum secure), its zero-knowledge property continues to hold against a quantum adversary.
Zero knowledge guarantees that a proof reveals nothing about the secret witness, so there is nothing for an attacker to "collect now and decrypt later": zkSNARK proofs are not vulnerable to HNDL. Just as signatures made today remain secure, any zkSNARK proof generated before quantum computers arrive remains trustworthy, even if it uses elliptic-curve cryptography. Only once a CRQC exists could an attacker forge proofs of false statements, because it is soundness, not zero knowledge, that rests on the quantum-vulnerable elliptic-curve hardness assumption.