- TL;DR
- Assessing the adequacy of current on-line encryption methods - especially the industry standard RSA-2048.
A Feb 2026 Google security report states:
> And while we’re not there yet, malicious actors are not waiting until a Cryptographically Relevant Quantum Computer (CRQC) is ready. They are likely already carrying out “store now, decrypt later” attacks and collecting encrypted data, just waiting for the day when a quantum computer can unlock it.
Just to decode that, a CRQC would be a quantum computer able to effectively perform cryptanalysis on commonly used encryption methods. No such CRQC has yet been engineered. The world is working on expanding the capacity of quantum computers for many practical purposes such as developing new drugs. Those same machines will eventually become usable as CRQC devices.
The first cryptanalysis QC algorithm developed was Shor's Algorithm. Given the right QC machine, this method can be used to factor large numbers into their prime number composites - thus defeating RSA cryptosystems.
The US National Institute of Standards and Technology (NIST) issued an "Initial Public Draft" of crypto standards in November 2024 which included this table:
Again, to decode: for RSA, "112 bits of security strength" refers to RSA-2048 - with a 2048-bit encryption key. You are likely using this method in many of your apps and settings today. What this table shows is that RSA-2048 should be deprecated (not used in new situations) after 2030 and no RSA method (for example RSA-4096) be used at all after 2035.
This is only an 18-month-old "public draft", but I have not found any more recent NIST interest in this topic.
But there is new reason to suspect that RSA may need an earlier sunset. In a report posted to arXiv yesterday and announced on the Caltech site today, the CRQC bar for breaking RSA-2048 may not be as high as has been supposed. The report's authors are quoted in that Caltech article as follows:
> Xu adds, "For decades, qubit count has been viewed as the main obstacle to fault-tolerant quantum computing. I hope our work helps shift that perspective." The report stresses that the team's findings mean that fault-tolerant quantum computers could be on the horizon. Previously, experts in quantum computing thought that such an accurate machine would take another 10 or even 20 years to build. "I've been working on fault-tolerant quantum computing longer than some of my coauthors have been alive," Preskill says. "Now at last we're getting close." Huang says, "I always considered theoretical research on the usefulness of large-scale quantum algorithms to only be of interest in the distant future. Our new study made me realize they might come true in the next few years."