Your encryption has an expiry date. The UK can lead what comes next

The UK has a genuine opportunity to lead the global transition to post-quantum cryptography. We have the foundations: GCHQ’s National Cyber Security Centre has published the most detailed national migration roadmap of any major cyber authority, with specific milestones through to 2035, and was among the first to endorse NIST’s post-quantum standards. The Government has recently committed up to £2 billion to quantum technologies. UK companies are already shipping post-quantum solutions into defence, critical infrastructure, and international markets.

But leadership is not the same as a head start. A head start is only valuable if you use it, and the window is narrower than most boardrooms realise. In February, a research team published a new architecture showing that RSA-2048, the encryption standard underpinning most of the internet’s security, could be broken with fewer than 100,000 physical qubits. Previous estimates put that figure above a million. IBM’s published roadmap targets exactly that number, a 100,000-qubit machine codenamed Blue Jay, by 2033, backed by a $100 million partnership with the University of Tokyo and the University of Chicago.

The UK’s quantum research base, its regulatory clarity, and its growing roster of post-quantum vendors give it a competitive position that few other nations can match. The question is whether industry moves fast enough to capitalise on it.

The assumptions matter, but so does the direction of travel

However, there are caveats. These results are theoretical, based on hardware specifications that do not yet exist at scale. Nobody is breaking RSA tomorrow. But the gap between what researchers need and what manufacturers are building is closing fast. A decade ago, estimates for breaking RSA-2048 required tens of millions of qubits. By 2025, that figure had fallen below a million. Now we are below 100,000, at least in theory, and each step has come faster than most observers predicted.

It’s also not just RSA. In late March, two further papers independently showed order-of-magnitude reductions in the resources needed to break 256-bit elliptic curve cryptography, the standard protecting TLS connections, digital signatures, and blockchain. One team demonstrated a 100-fold reduction using neutral-atom qubits. Google Quantum AI showed a 20-fold reduction and validated the results using a zero-knowledge proof rather than publishing the attack circuits. When researchers start self-censoring, that tells you something about how close they think we are.

Progress is also non-linear. We do not see many new factoring results published, not because they are impossible, but because that is not where current research effort is focused. And you can be fairly confident that several nation-states are spending substantial budgets on exactly this problem without publishing their results.

A national security question, not a product feature

The "harvest now, decrypt later" threat is already real. Adversaries are collecting encrypted traffic today, banking it for the day they have the capability to decrypt it. For any data with a sensitivity lifetime beyond 2035, that day may already be within reach. This is a national security concern that demands action from every organisation handling sensitive data, from government departments to financial institutions to critical infrastructure operators.

The UK Government's up to £2 billion commitment to quantum technologies shows the right level of ambition. But investment in quantum capabilities must be matched by investment in quantum resilience. The NCSC has been clear that organisations should begin planning their migration to post-quantum cryptography now. That guidance is not aspirational. It is urgent. The US, France, and Germany are each advancing their own migration strategies. The UK's advantage is not permanent: if we move slowly, we will find ourselves importing quantum-safe solutions rather than exporting them.

Cryptographic agility: the real priority

NIST finalised its first set of post-quantum cryptographic standards in 2024: ML-KEM, ML-DSA, and SLH-DSA. These are solid starting points, but we do not yet have enough cryptanalytic confidence in any single algorithm to rely on it for the next thirty years. The most important investment a technology leader can make today is therefore not picking the "right" algorithm. It is building cryptographic agility: the ability to swap out RSA and ECDSA for quantum-resistant alternatives without redesigning your architecture from the ground up.

Most enterprise network infrastructure is deeply coupled to specific cryptographic implementations. Certificates, VPN tunnels, key exchange protocols, authentication chains: all of these would need to change, and in many organisations the dependencies are poorly documented. If you wait until a cryptographically relevant quantum computer arrives, you are already years too late.

What to do next

If your infrastructure is still hardwired to RSA or ECDSA with no migration path, the time to start planning is not when a cryptographically relevant quantum computer arrives. It is now. Audit your cryptographic dependencies. Understand where your most sensitive long-lived data sits. And start building the agility to move when the standards mature, because they will.

Author

Technology and Innovation programme activities

techUK bring members, industry stakeholders, and UK Government together to champion emerging technologies as an integral part of the UK economy. We help to create an environment where innovation can flourish, helping our members to build relationships, showcase their technology, and grow their business. Visit the programme page here.