Is RSA-2048 Quantum Safe?
No. RSA-2048 is not quantum safe. A cryptographically relevant quantum computer (CRQC) running Shor's algorithm would break RSA-2048 in hours.
Key Takeaway: RSA-2048 is NOT quantum safe. Replace RSA key exchange with ML-KEM (FIPS 203). Replace RSA signatures with ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Use hybrid mode (RSA + ML-KEM) during transition.
Technical Analysis
RSA-2048 is NOT quantum safe.

**How RSA-2048 Works:**

RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm invented in 1977 that revolutionized public-key cryptography. It relies on a mathematical trapdoor function based on the product of two large prime numbers. In RSA-2048, the modulus (n) is 2048 bits long — the product of two secret 1024-bit prime numbers (p and q). The public key contains n and an encryption exponent e (typically 65537), while the private key contains the decryption exponent d, which is calculated using p and q. Encryption is performed by raising the message to the power e modulo n, while decryption requires raising the ciphertext to the power d modulo n.

The security of RSA depends entirely on the computational difficulty of factoring n back into its prime components p and q. With classical computers, factoring a 2048-bit number using the best-known algorithms (General Number Field Sieve) would require millions of years of computation on current hardware. This classical hardness has made RSA the backbone of internet security for decades — it protects TLS/SSL connections, secures email via S/MIME and PGP, authenticates software updates, and underpins certificate authorities.

**Quantum Vulnerability Explained:**

Shor's algorithm, developed by mathematician Peter Shor in 1994, fundamentally breaks RSA's security model. Unlike classical factoring algorithms that scale exponentially with key size, Shor's algorithm solves integer factorization in polynomial time using quantum computers. Specifically, a quantum computer with approximately 4,000-10,000 stable logical qubits could factor a 2048-bit RSA modulus in a matter of hours, not millions of years. The attack works by transforming the factoring problem into a period-finding problem, which quantum computers can solve exponentially faster using quantum Fourier transforms.

Current quantum computers (as of 2024-2025) have reached hundreds of physical qubits, but lack the error correction needed to create thousands of logical qubits. However, adversaries are already executing "harvest now, decrypt later" (HNDL) attacks — capturing encrypted traffic today with the expectation of decrypting it once quantum computers mature.

**Migration Path:**

Organizations must replace RSA-2048 with post-quantum cryptographic standards before cryptographically relevant quantum computers (CRQCs) emerge. NIST has standardized three replacement algorithms:

- **ML-KEM (FIPS 203)**: Module-Lattice-Based Key Encapsulation Mechanism replaces RSA for key exchange. Deploy ML-KEM-768 for 192-bit security or ML-KEM-1024 for 256-bit security.
- **ML-DSA (FIPS 204)**: Module-Lattice-Based Digital Signature Algorithm replaces RSA for digital signatures. Use ML-DSA-65 for general applications or ML-DSA-87 for high-security environments.
- **Hybrid Mode**: During transition, implement hybrid cryptography combining RSA-2048 with ML-KEM (e.g., TLS 1.3 with X25519+ML-KEM-768). This protects against quantum attacks while maintaining backward compatibility.

Major technology providers including Google Chrome 124+, Cloudflare, AWS KMS, and Signal have already deployed hybrid PQC implementations.

**Industries at Risk:**

Financial services institutions face acute risk because they rely on RSA for securing online banking, payment processing (TLS), and regulatory compliance (SOX, PCI-DSS). A quantum computer capable of breaking RSA could decrypt historical transaction logs, forge digital signatures on financial instruments, and compromise customer account data captured via HNDL attacks.

Healthcare organizations must protect patient records for 50+ years under HIPAA retention requirements. Medical records encrypted today with RSA-2048 will be vulnerable long before their required confidentiality expires. Electronic health record (EHR) systems, telemedicine platforms, and medical device communications all depend on RSA.

Government and defense agencies handling classified information face nation-state adversaries who are aggressively pursuing quantum computing capabilities. The NSA's CNSA 2.0 directive mandates that national security systems transition away from RSA by 2030, with full replacement by 2035. Diplomatic cables, intelligence communications, and weapons systems encrypted with RSA are priority targets for HNDL attacks.

**Timeline to Obsolescence:**

- **2024-2025**: Adversaries are actively harvesting encrypted traffic (confirmed by NSA, CISA advisories). Data encrypted with RSA-2048 today is at risk.
- **2029**: Global Risk Institute estimates 5-14% probability that a CRQC capable of breaking RSA-2048 will exist.
- **2030**: NSA CNSA 2.0 requires deprecation of RSA for key establishment in national security systems. NIST IR 8547 recommends commercial sector deprecation.
- **2033**: Global Risk Institute estimates 50% probability of CRQC emergence.
- **2035**: NIST IR 8547 disallows RSA for federal systems. RSA-2048 considered cryptographically obsolete.

Organizations should begin PQC migration immediately, prioritizing systems with long data confidentiality requirements (10+ years) and high-value targets for nation-state adversaries.
| Property | Value |
| --- | --- |
| Full Name | RSA with 2048-bit keys |
| Category | encryption |
| Key Size | 2048 bits |
| Quantum Vulnerability | Shor's algorithm — polynomial-time integer factorization on quantum hardware. |
| NIST Status | NIST IR 8547 recommends deprecation of RSA for key establishment by 2030 and disallows after 2035. |
| Deprecation Timeline | Deprecated by 2030, disallowed after 2035 (NIST IR 8547) |
| Replaced By | ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for signatures |
Migration Guidance
Replace RSA key exchange with ML-KEM (FIPS 203). Replace RSA signatures with ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Use hybrid mode (RSA + ML-KEM) during transition.
How Qryptonic Can Help
Don’t Know Where RSA-2048 Lives in Your Stack?
Qscout26 discovers every instance of RSA-2048 across your infrastructure in 7 days — with zero operational disruption. 72-hour time to first findings.