TAIVA Team

There is a computer being built that will break every digital bank you have. When does it arrive?

Quantum computing explained in plain language: what it is, what it breaks (RSA, ECC), what it does not break (AES-256), and the real numbers from IBM, Google, and China in 2026. No hype, no science fiction.


You trust that padlock in the corner of your browser. When you open your banking app, your credit card app, the Brazilian Federal Revenue website, the padlock appears and you relax. Everything is encrypted. Nobody along the way can read it.

That padlock has existed for more than 30 years. It works because of one very specific mathematical problem: factoring very large numbers is absurdly slow on conventional computers. To break an RSA-2048 key, which is the foundation of the HTTPS padlock you use every day, a conventional computer would need more time than the age of the universe.

But there is another way to compute. And in that other way, the problem stops being absurd. It becomes trivial.

The computer that thinks differently

Normal computers (your phone, the server hosting your bank, NASA's supercomputer) all work the same basic way: bits that are either 0 or 1, processed sequentially or in parallel. You can have millions of processors working together, but each one still does one thing at a time.

Quantum computers are different. They work with qubits, units that can be in a combination of 0 and 1 at the same time (a state called superposition). This is not a metaphor. It is how matter behaves at the atomic scale. A qubit explores multiple states in parallel. Two qubits explore 4. Ten qubits, 1,024. Fifty qubits, more than a quadrillion.

For certain problems, including "factoring large numbers" (which underpins RSA), this quantum parallelism is not just faster. It is an entirely different class of acceleration: a problem that would take the age of the universe on a normal computer drops to minutes on a large enough quantum computer.

The algorithm that does this is called Shor's algorithm, published in 1994 by mathematician Peter Shor. At the time it was pure theory. The hardware to run it did not exist. In 2026, it does. Small, unstable, still far from the necessary scale, but it exists.

What it breaks (and what it does not)

This is the most important point and the least understood.

What falls when the quantum computer reaches cryptographically relevant scale:

  • RSA (all key sizes: 1024, 2048, 4096 bits). Used in around 95% of HTTPS connections today.
  • Diffie-Hellman and elliptic curve variants (ECDH). Used to exchange keys at the start of every secure connection.
  • ECDSA (Elliptic Curve Digital Signature Algorithm). Used to sign Bitcoin transactions, digital certificates, and SSH authentication.
  • DSA. Legacy signature algorithm, still in use in some systems.

In other words: all of the asymmetric cryptography used to establish secure internet connections today falls apart. The green padlock in your browser is built on RSA or ECDH. Your SSH connection to a server is ECDSA. Your Bitcoin transaction is signed with ECDSA. All of them are vulnerable.

What stays standing:

  • AES-256 (Advanced Encryption Standard). The symmetric cipher that protects data at rest: full disk encryption, databases, backups. Grover's algorithm (another quantum algorithm) cuts effective security in half: AES-256 becomes like AES-128, which is still absurdly strong.
  • SHA-256, SHA-3. Hash functions. Grover also cuts them in half: SHA-256 becomes equivalent to 128 bits of security, still strong.
  • ChaCha20. Alternative symmetric cipher, same situation as AES.

The practical rule: symmetric cryptography (same key on both sides) survives with larger keys. Asymmetric cryptography (public/private key pairs) is what needs to be completely replaced.

What is being built right now

This is no longer theory. In 2026, quantum computers are running in companies and laboratories. The numbers change month to month, but for a sense of scale:

  • IBM Quantum announced in 2023 the Condor processor with 1,121 qubits. In 2024, it released a roadmap to surpass 100,000 qubits by 2029.
  • Google Quantum AI in 2024 demonstrated the Willow chip with 105 qubits and a new error-correction architecture (published in Nature, December 2024).
  • Quantinuum, IonQ, Rigetti, PsiQuantum are American companies with different approaches (trapped ions, photonics, superconductors).
  • China invests heavily through the state. Pan Jianwei's group (USTC) has demonstrated quantum supremacy in specific problems. Operational details are less transparent than in the West.

Here lies the critical question: how many qubits are needed to break RSA-2048?

Current estimates (Gidney & Ekerå 2019, revised in 2024) suggest between 20 million and 100 million physical qubits, because real qubits need massive redundancy for error correction. Today's quantum computers have on the order of 1,000 to 1,500 physical qubits. That is 4 to 5 orders of magnitude short.

It seems distant. But computing evolves exponentially. Moore's Law took 50 years to go from chips with a thousand transistors to chips with billions. Quantum computing, with combined public and private investment in the tens of billions of dollars, is advancing at a more aggressive pace.

When, then?

Honestly: nobody knows precisely. But there are reasonable reference points.

Mosca's Theorem (2015), by Canadian mathematician Michele Mosca, proposes a simple inequality:

X + Y > Z

where X is the time your data needs to remain secure, Y is the time to migrate to post-quantum cryptography, and Z is the time until a quantum computer arrives. If the inequality holds, you are at risk.

For sensitive personal data (medical, financial, identity), X is easy: at least 10 to 30 years. Y, for a large institution, is 5 to 10 years. Z, according to most analysts in 2026, is between 2030 and 2040, with the pessimistic scenario putting it at 2028 and the optimistic scenario at 2050.

If X plus Y is 30 years and Z is 15, you are already at risk today. Not because the computer exists, but because what you encrypt now can be intercepted and decrypted when it arrives. Migration cannot wait for the machine to arrive.

Governments are not waiting. In 2022, the White House issued memorandum NSM-10 requiring all American federal agencies to migrate to post-quantum cryptography by 2035. The UK has a similar timeline. The European Union as well. Brazil, officially, still has no federal mandate, but banks in the Febraban consortium and the Central Bank began working groups on migration in 2025.

The good news: the solution is already ready

In August 2024, NIST finalized the first three post-quantum cryptography standards:

  • ML-KEM-768 (Module-Lattice Key Encapsulation Mechanism) replaces RSA and Diffie-Hellman. Based on mathematical problems over lattices that no known quantum computer can solve efficiently.
  • ML-DSA (Module-Lattice Digital Signature Algorithm) replaces ECDSA and RSA for digital signatures.
  • SLH-DSA (Stateless Hash-based Digital Signature Algorithm), an alternative signature scheme based on hash functions, ultra-conservative.

These algorithms were evaluated over 8 years in an open public competition. Hundreds of cryptographers worldwide tested and attacked the candidates, found flaws in competing ones, and refined the finalists. The ML-KEM-768 that exists today had predecessor variants broken. It survived because they were corrected. That is how cryptographic standardization works.

ML-KEM-768 does not require special hardware. It runs on a standard server, a phone, or a browser (via WebAssembly). Encryption is reasonably fast, around 1 ms on a typical laptop. The public key is larger than RSA (1,184 bytes versus around 300 for RSA-2048), but perfectly practical.

Libraries implementing the standard are publicly available: @noble/post-quantum in JavaScript, liboqs in C/Rust, native support in Bouncy Castle for Java. In other words: the replacement is feasible today, not in 2030.

"OK, but what about me?"

To change the cryptography of the entire internet, you depend on banks, governments, and providers moving. You do not control that timeline.

For your personal data under your own control (passwords, documents, sensitive notes, 2FA codes, private photos, digital inheritance), you do not need to wait.

TAIVA Vault uses the hybrid model recommended by NIST. It combines classical cryptography (Argon2id, brute-force-resistant key derivation) with ML-KEM-768 (post-quantum resistance). If either algorithm is broken in the future, the other continues protecting your data. This is exactly the pattern that American and European governments are adopting for migration.

The integrity of what is in your vault can be independently verified: each operation is chained in a SHA-256 Merkle chain and anchored daily in Bitcoin via OpenTimestamps. Software releases are digitally signed with Cosign and logged on Rekor's transparency log. You can verify that the software running is exactly what was published, without trusting anyone.
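To make the chaining concrete, here is an added example (not TAIVA's code) of a SHA-256 hash chain over vault operations, with a verifier that detects an altered entry; the operations are constructed placeholders, and the chain head is the value that would be handed to an external anchoring service.

```python
import hashlib
import json

# Added example: a SHA-256 hash chain over vault operations. Each entry commits
# to the previous entry's hash, so altering any past operation changes every
# hash after it, including the head that is anchored externally each day.

GENESIS = "0" * 64  # starting point of the chain (hash of "nothing")

def entry_hash(prev_hash: str, operation: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same operation
    # always hashes identically regardless of dict ordering.
    payload = json.dumps(operation, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def build_chain(operations: list[dict]) -> list[dict]:
    chain, prev = [], GENESIS
    for op in operations:
        h = entry_hash(prev, op)
        chain.append({"prev": prev, "op": dict(op), "hash": h})
        prev = h
    return chain

def verify_chain(chain: list[dict]) -> bool:
    # Recompute every hash from genesis; any mismatch means history changed.
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry_hash(prev, entry["op"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def head(chain: list[dict]) -> str:
    # The value you would anchor externally (e.g. via OpenTimestamps).
    return chain[-1]["hash"] if chain else GENESIS

# Constructed sample operations (placeholder values, not real vault data).
SAMPLE_OPS = [
    {"seq": 1, "action": "create", "item": "bank-login"},
    {"seq": 2, "action": "update", "item": "bank-login"},
    {"seq": 3, "action": "delete", "item": "old-note"},
]

def demo_tamper() -> tuple[bool, bool]:
    chain = build_chain(SAMPLE_OPS)
    ok_before = verify_chain(chain)
    chain[1]["op"]["action"] = "delete"  # rewrite history in place
    return ok_before, verify_chain(chain)

if __name__ == "__main__":
    print(demo_tamper())  # (True, False)
```

A chain truncated at the end still verifies on its own, which is exactly why the head hash must be anchored somewhere the vault operator cannot rewrite.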

The summary in one sentence

The quantum computer is real. It is being built now. It will arrive sometime between 2030 and 2040. And when it does, it will break most of the cryptography in use today in minutes.

You have two paths:

  1. Wait for banks and governments to finish migrating (which could take 10 to 15 years) and hope that no attacker is accumulating your data today to decrypt later.
  2. Migrate what is under your control now.

The second path is less dramatic. It is also smarter.


Previous in the series: Hackers are already stealing your data today to open it in a few years. There is a name for this. The attack happening right now whose consequences you will only feel in 10 years.

TAIVA Vault: personal digital vault with post-quantum cryptography. Hybrid ML-KEM-768 with Argon2id, MPC 2-of-3 across 3 independent servers, Bitcoin-anchored audit chain. Create free account →


TAIVA is a post-quantum password vault hosted in Brazil. Your passwords are encrypted client-side, with your key split between two servers. Free forever, PRO at R$49/mo.