Extrapolating quantum factoring

(johndcook.com)

15 points | by ibobev 4 days ago

2 comments

  • fsiefken 18 hours ago

    RSA may well be deprecated long before quantum computing can break it. Post-quantum cryptography standards are already being deployed: GnuPG 2.5 has introduced support for Kyber (ML-KEM, FIPS-203). Kyber was added in OpenSSH 9.9 (September 2024) as a hybrid post-quantum key exchange algorithm and made the default key exchange mechanism in OpenSSH 10.0 (April 2025). The implementation uses a hybrid approach, combining classical cryptography (X25519) with ML-KEM-768 for key exchange (mlkem768x25519-sha256). OpenSSH plans to add support for post-quantum signature algorithms in the future. OpenSSL 3.5.0 (April 2025) supports ML-KEM, ML-DSA and SLH-DSA. https://medium.com/asecuritysite-when-bob-met-alice/a-long-g...

    The missing context in the post by John is an exposition of why progress has been slow - decoherence and error rates - and what the rate of progression can be when these obstacles have been resolved. Shor's algorithm requires fault-tolerant quantum computing, which didn't exist in any form until recently. The physical error rate must be lower than the threshold required. Different research groups and companies, using various qubit technologies, have already demonstrated techniques and elements of below-threshold error correction. https://www.nature.com/articles/s41586-024-08449-y
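    The comment above describes OpenSSH's hybrid key exchange (mlkem768x25519-sha256) and the fact that it is offered in 9.9 but only becomes the default in 10.0. Whether a given connection actually uses it depends on SSH's negotiation rule (RFC 4253 section 7.1: the first algorithm in the client's list that the server also supports), so a defender auditing a fleet wants to check both sides' lists, not just whether the name appears somewhere. The following is an added example, not code from the comment, the linked post, or OpenSSH: it parses the kind of output `ssh -Q kex` and `sshd -T` print, applies the negotiation rule, and reports whether the chosen method is a hybrid post-quantum one. The algorithm names are real OpenSSH identifiers; the client and server lists below are constructed samples, and the shape of the output (one name per line, or a `kexalgorithms a,b,c` line) is assumed to match what those commands produce.

```python
"""Audit SSH key-exchange negotiation for post-quantum hybrid coverage.

Given the key-exchange algorithm lists a client and server offer (for
example the output of `ssh -Q kex`, one name per line, or the
`kexalgorithms` line of `sshd -T`), determine which method RFC 4253
negotiation selects and whether it is a hybrid post-quantum method.
The sample lists at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Hybrid post-quantum/classical KEX names shipped by OpenSSH
# (sntrup761 variants since 9.0, mlkem768x25519-sha256 since 9.9).
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha256",
    "sntrup761x25519-sha256@openssh.com",
    "mlkem768x25519-sha256",
}


def parse_kex_list(text: str) -> list[str]:
    """Return algorithm names in preference order.

    Accepts one name per line (`ssh -Q kex` style) or a
    `kexalgorithms a,b,c` line (`sshd -T` style); order is preserved
    because the negotiation rule depends on it.
    """
    names: list[str] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("kexalgorithms "):
            line = line.split(None, 1)[1]
        names.extend(n.strip() for n in line.split(",") if n.strip())
    return names


def negotiate_kex(client: list[str], server: list[str]) -> str | None:
    """RFC 4253 section 7.1: choose the first entry of the client's list that
    the server also supports; None means the handshake would fail."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def audit(client_text: str, server_text: str) -> dict:
    """Summarise what a connection between these two peers would use."""
    client = parse_kex_list(client_text)
    server = parse_kex_list(server_text)
    chosen = negotiate_kex(client, server)
    return {
        "chosen": chosen,
        "post_quantum": chosen in PQ_HYBRID_KEX,
        "client_offers_pq": any(n in PQ_HYBRID_KEX for n in client),
        "server_offers_pq": any(n in PQ_HYBRID_KEX for n in server),
    }


# Constructed sample: a client whose preference order puts the ML-KEM
# hybrid first, as the comment says OpenSSH 10.0 does by default.
CLIENT_NEW = """\
mlkem768x25519-sha256
sntrup761x25519-sha256
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
"""

# Constructed sample: an sshd restricted to classical KEX only.
SERVER_LEGACY = (
    "kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,"
    "diffie-hellman-group14-sha256\n"
)

# Constructed sample: an sshd that offers the hybrid, but not first.
# The client's order still wins under the RFC 4253 rule.
SERVER_PQ = "kexalgorithms curve25519-sha256,mlkem768x25519-sha256\n"

if __name__ == "__main__":
    for label, srv in (("legacy server", SERVER_LEGACY),
                       ("pq-capable server", SERVER_PQ)):
        print(label, audit(CLIENT_NEW, srv))
```

    The second sample is the case worth noticing: a server that merely lists mlkem768x25519-sha256 somewhere still ends up on the hybrid when the client prefers it, but an old client with classical-only preferences connecting to the same server silently stays classical, which is why both lists need auditing.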

    • Certhas 17 hours ago

      Agreed on your last point. It's fairly obvious I think that we won't factor 1024 bit numbers by any direct evolution of the techniques used in smaller circuits. The hope is that you reach a threshold (error correction) where a completely different regime is unlocked by allowing you to implement a fundamentally different technology.