Recent quantum computing advances do not mean RSA and elliptic curve cryptography will break tomorrow. They do mean enterprise leaders should treat crypto-agility as a current risk-management priority, especially because harvest-now-decrypt-later attacks are already underway. 

If you follow cybersecurity news, the last few weeks have been busy. Google published a resource-estimate paper for attacking elliptic curve cryptography. Oratomic showed that Shor’s algorithm could theoretically run on as few as 10,000 qubits. Both stories got their share of headlines and LinkedIn coverage, usually from journalists doing their best with a topic that rewards specialization. 

Another preprint landed last month. A joint team from Harvard, MIT, and QuEra Computing published a preprint titled “Towards Ultra-High-Rate Quantum Error Correction with Reconfigurable Atom Arrays”. The key takeaway is one number that is worth paying attention to: 50 percent. 

That is the encoding rate the team demonstrated: one logical qubit, the kind you can actually compute with, for every two physical qubits in the system. The ratio that determines how big a quantum computer needs to be to break today’s encryption. The higher it climbs, the smaller (and closer) that machine becomes. 

Key Takeaways 

• Quantum computing research is steadily reducing the estimated resources needed to threaten today’s public-key cryptography. 

• Harvest-now-decrypt-later attacks make the risk relevant before a capable quantum computer exists. 

• PQC compliance and crypto-agility are related but not the same. 

• Crypto-agility gives organizations the ability to adapt as standards, algorithms, and threats evolve. 

 

The Tax Nobody Talks About 

Quantum computers are fragile. Their physical hardware makes errors constantly, so to do anything useful you have to bundle many physical (noisy) qubits together to form a single reliable logical (high quality) qubit. This bundling is quantum error correction, and it is the central engineering challenge of the field. 

For years the dominant approach has been surface codes, which are well understood, experimentally demonstrated, and the foundation of results like Google’s Willow chip. They are also expensive. Current surface-code implementations need roughly a hundred physical qubits to produce one logical qubit, an encoding rate of about one percent. 

In practical terms, that meant early estimates for attacking RSA-2048 with Shor’s algorithm called for something like a million physical qubits. That was the number that gave security teams cover to defer the post-quantum conversation indefinitely; a million qubits sounded like decades of engineering work away. 

Then high-rate codes began to arrive. The Oratomic/Caltech paper from March 2026 demonstrated encoding rates of around thirty percent. Their projections brought the RSA-2048 qubit requirement down to roughly 13,000. One paper cut two zeros off the qubit requirement. 

Important Caveats

The Harvard/MIT/QuEra team has now pushed that encoding rate past fifty percent: one logical qubit per two physical qubits. 

This is a quantum memory result, which means the team demonstrated that logical information can be stored with very low error rates at high encoding efficiency. Storing information and computing on it are related but distinct problems. The decoder has not yet been optimized for real-time hardware. Idling errors, atom loss, and correlated noise still need to be characterized. And the paper is a preprint, ahead of peer review. The authors themselves note that “further developments will be needed to establish all ingredients for full fault-tolerant computation.” 

They also make the case for why the result matters: “Memory is the foundation. If a quantum computer can’t hold information reliably, it can’t compute reliably either. The encoding efficiency demonstrated here directly determines how large that computer needs to be.” 

As it stands, fault-tolerant quantum computing has not been solved. One of its most fundamental requirements has, however, just become demonstrably closer to being met. The reason to pay attention is less about individual headlines and more the direction of travel across the whole field. 

Cutting Zeros 

It is worth being clear about what is and is not being claimed. The recent results are not machines; they are carefully scoped experimental and theoretical contributions, and it would be a mistake to read them as anything else. 

It’s important to note that quantum computing companies have commercial incentives to publish aggressive timelines. They are competing to build the first genuinely useful quantum computer, and their marketing reflects that competition. A reader who factors in that bias is reading correctly. 

Even accounting for it, the peer-reviewed literature points consistently in one direction. In the early 2010s, resource estimates for attacking RSA-2048 ran into the hundreds of millions of physical qubits. In 2019, Gidney and Ekerå brought the estimate down to around twenty million. More recent surface-code analyses put the number under a million. Oratomic’s March 2026 architecture brought it to roughly 13,000 for RSA-2048 and 11,000 for 256-bit elliptic curve. And the new memory result, once extended to a full computing architecture, has the potential to compress those numbers further. 

This is more than a decade of papers chipping away at what looked like a generational engineering problem. The field has been narrowing the gap year by year, quietly enough that most outside it haven’t registered how far the line has moved.

The Fire Insurance Principle 

The trajectory above gets a predictable reaction: interesting, distant, not urgent. Here is the argument against that reaction, and it doesn’t depend on quantum physics at all.

People buy fire insurance not because they believe their house will catch fire next Tuesday, but because being wrong without it is catastrophic, and the cost of coverage is small relative to that downside. It is a judgment about asymmetric consequences rather than a prediction about probability. 

The same logic applies to the data an organization holds. The most valuable thing most organizations own is neither real estate nor physical assets nor, honestly, their people. What drives value are repositories of private data accumulated over years of operation: strategic communications, intellectual property, client relationships, and the competitive intelligence embedded in internal documents that were never meant to leave the building. 

That data currently sits behind RSA and elliptic curve cryptography. The trajectory for breaking those algorithms has moved consistently in one direction for more than a decade, and this year alone has produced several meaningful steps forward, even accounting for the work still ahead. 

While skepticism is completely fair for an emerging technology that generates so much noise, what if that skepticism turns out to be wrong? Frankly, being wrong is years of competitive advantage exposed, client trust damaged, and intellectual property in the hands of people who should not have it. None of that is recoverable through explanation or apology. 

That asymmetric downside is the whole argument: being honest on what it would cost to be wrong, and it doesn’t take believing the threat to be imminent to adopt that perspective.  

The Threat You’re Already Facing 

Before moving on to what to do about any of this, there is a related problem that does not require a capable quantum computer to exist today. It is called “harvest now, decrypt later.” 

Right now, sophisticated adversaries are capturing encrypted network traffic and holding it, intending to decrypt it once capable quantum hardware arrives. Those adversaries include nation-states, well-funded criminal organizations, and competitors who do not share your scruples. Storage is cheap, patience costs nothing, and the value of years of captured strategic communications, once decryptable, is enormous. 

Every week that passes without quantum-safe encryption on the most sensitive channels is another week of exposure accumulating in archives the organization does not control. Traffic your organization transmitted in 2021, 2022, and 2023 may already be sitting somewhere, waiting to become useful. The advances across multiple papers and multiple teams this year each solve a piece of that puzzle, and every piece that falls shortens the window between when data was captured and when it becomes readable. 

This is already a current problem, and every new result makes it worse. 

What Crypto-Agility Actually Is 

Crypto-agility is the ability to identify, manage, and update cryptographic algorithms, certificates, and keys across an organization as threats and standards change. 

Post-quantum compliance and crypto-agility are not the same thing, and it is worth being explicit about the distinction. 

PQC compliance means an organization has swapped its vulnerable algorithms for quantum-resistant ones. That is good and necessary work, but it is not sufficient on its own. 

Crypto-agility means an organization has built the infrastructure to update its cryptographic posture continuously, as the threat landscape changes and as standards evolve. It knows at any given moment exactly which algorithms are running on every system in its environment: every certificate, every key, every algorithm embedded in every application and third-party dependency. And it can change those configurations without turning the effort into a multi-year infrastructure project. 

The reason this matters is that the post-quantum transition will not be a one-time event. NIST has finalized its first post-quantum standards in ML-KEM, ML-DSA, and SLH-DSA, but cryptographic standards change over time. The Supersingular Isogeny Diffie-Hellman protocol was once considered a strong post-quantum candidate. A classical attack broke it in 2022, and organizations that had hardcoded it into their infrastructure were forced to scramble. 

When a standard shifts or an algorithm falls, crypto-agile organizations update their systems rather than rebuilding them from scratch. That distinction shows up everywhere in practice, from migration cost to the length of the window in which an adversary can exploit the transition. 

The enterprise value extends beyond avoiding catastrophe. Crypto-agile organizations carry lower cyber insurance risk profiles, compete more effectively in government and regulated industry procurement where quantum-safe security is increasingly a baseline requirement, earn credibility with enterprise clients managing the same risks, and can read each new quantum computing headline from a position of confidence rather than exposure. 

The Moral Dimension 

When clients, customers, and partners hand an organization their data, they are extending a form of trust that goes beyond what a terms-of-service document describes. They are trusting that the organization will protect that data with the best tools available at the time. 

In 2026, meeting that expectation honestly means being aware of a documented, consistent trajectory in which the machines capable of breaking current encryption are getting closer with each paper and each experimental result. It means understanding that harvest-now, decrypt-later attacks are already operational, and recognizing that the research community has been telling us so, steadily and without interruption, for more than a decade. 

Investing in crypto-agility is risk management, but it is also something closer to keeping a promise: to shareholders who are owed honest accounting of existential risks, to customers who trust the organization with something they consider important, and to the broader ecosystem that depends on serious institutions taking this problem seriously. 

Organizations that move now will arrive at the transition prepared. Organizations that wait for a definitive signal may find that by the time the signal arrives, the data that needs to be protected has already been harvested. The window for moving on your own timeline, and at a manageable cost, is open now. 

FAQ 

What is crypto-agility? 

Crypto-agility is the ability to identify, manage, and update cryptographic algorithms, certificates, keys, and protocols across an organization as threats and standards change. It helps organizations adapt without turning every cryptographic change into a major infrastructure project.   

How is crypto-agility different from PQC compliance? 

PQC compliance means replacing vulnerable algorithms with quantum-resistant ones. Crypto-agility is broader: it means having the infrastructure and visibility to keep updating cryptography over time as standards evolve, algorithms change, or new risks emerge.   

Why does quantum computing make crypto-agility urgent? 

Recent quantum computing research has continued to reduce estimates for the resources needed to threaten RSA and elliptic curve cryptography. While these results do not mean a cryptographically relevant quantum computer exists today, they show that the gap is narrowing and that organizations should prepare before the transition becomes urgent. 

What is harvest now, decrypt later? 

Harvest now, decrypt later is a threat model in which adversaries capture encrypted data today and store it until future quantum computers can decrypt it. This makes quantum risk relevant now, especially for sensitive data that must remain confidential for years.   

Why should boards care about post-quantum cybersecurity? 

Boards should treat post-quantum cybersecurity as a risk-management issue because encrypted data, intellectual property, strategic communications, and customer information may remain valuable long after they are captured. Preparing for quantum risk through crypto-agility can reduce future disruption and help organizations move on their own timeline. 

Why isn’t migrating to post-quantum cryptography a one-time project? 

Cryptographic standards change over time, and some algorithms that once appeared promising may later become vulnerable. A crypto-agile organization can update its cryptographic posture as standards and threats evolve, instead of rebuilding systems from scratch each time a change is required.
 

Referenced Research 

• “Towards Ultra-High-Rate Quantum Error Correction with Reconfigurable Atom Arrays” (Zhao, Duckering, Gu, Maskara, Zhou; arXiv:2604.16209, April 2026),  

• Kasai at the Institute of Science Tokyo 

• Oratomic/Caltech (arXiv:2603.28627)  

• Resource estimates from Google Quantum AI (March 2026).