Is RSA-2048 Quantum Safe?
No. RSA-2048 is not quantum safe. A cryptographically relevant quantum computer (CRQC) running Shor's algorithm would break RSA-2048 in hours.
Key Takeaway: RSA-2048 is NOT quantum safe. Replace RSA key exchange with ML-KEM (FIPS 203). Replace RSA signatures with ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Use hybrid mode (RSA + ML-KEM) during transition.
- Modality
- Encryption
- Key size
- 2048 bits
- Vulnerability
- Shor's algorithm — polynomial-time integer factorization on quantum hardware.
- NIST status
- NIST IR 8547 recommends deprecation of RSA for key establishment by 2030 and disallowing after 2035.
- Replaced by
- ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for signatures
- Deprecation
- Deprecated by 2030, disallowed after 2035 (NIST IR 8547)
Technical Analysis
RSA-2048 is NOT quantum safe.
How RSA-2048 Works
RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm invented in 1977 that revolutionized public-key cryptography. It relies on a mathematical trapdoor function based on the product of two large prime numbers. In RSA-2048, the modulus (n) is 2048 bits long — the product of two secret 1024-bit prime numbers (p and q). The public key contains n and an encryption exponent e (typically 65537), while the private key contains the decryption exponent d, which is calculated using p and q. Encryption is performed by raising the message to the power e modulo n, while decryption requires raising the ciphertext to the power d modulo n.
The security of RSA depends entirely on the computational difficulty of factoring n back into its prime components p and q. With classical computers, factoring a 2048-bit number using the best-known algorithms (General Number Field Sieve) would require millions of years of computation on current hardware. This classical hardness has made RSA the backbone of internet security for decades — it protects TLS/SSL connections, secures email via S/MIME and PGP, authenticates software updates, and underpins certificate authorities.
Quantum Vulnerability Explained
Shor's algorithm, developed by mathematician Peter Shor in 1994, fundamentally breaks RSA's security model. Unlike classical factoring algorithms that scale exponentially with key size, Shor's algorithm solves integer factorization in polynomial time using quantum computers. Specifically, a quantum computer with approximately 4,000-10,000 stable logical qubits could factor a 2048-bit RSA modulus in a matter of hours, not millions of years.
The attack works by transforming the factoring problem into a period-finding problem, which quantum computers can solve exponentially faster using quantum Fourier transforms. Current quantum computers (as of 2025-2026) have reached hundreds of physical qubits, but lack the error correction needed to create thousands of logical qubits. However, adversaries are already executing "harvest now, decrypt later" (HNDL) attacks — capturing encrypted traffic today with the expectation of decrypting it once quantum computers mature.
Migration Path
Organizations must replace RSA-2048 with post-quantum cryptographic standards before cryptographically relevant quantum computers (CRQCs) emerge. NIST has standardized three replacement algorithms:
- ML-KEM (FIPS 203): Module-Lattice-Based Key Encapsulation Mechanism replaces RSA for key exchange. Deploy ML-KEM-768 for 192-bit security or ML-KEM-1024 for 256-bit security.
- ML-DSA (FIPS 204): Module-Lattice-Based Digital Signature Algorithm replaces RSA for digital signatures. Use ML-DSA-65 for general applications or ML-DSA-87 for high-security environments.
- Hybrid Mode: During transition, implement hybrid cryptography combining RSA-2048 with ML-KEM (e.g., TLS 1.3 with X25519+ML-KEM-768). This protects against quantum attacks while maintaining backward compatibility.
Major technology providers including Google Chrome 124+, Cloudflare, AWS KMS, and Signal have already deployed hybrid PQC implementations.
Industries at Risk
Financial services institutions face acute risk because they rely on RSA for securing online banking, payment processing (TLS), and regulatory compliance (SOX, PCI-DSS). A quantum computer capable of breaking RSA could decrypt historical transaction logs, forge digital signatures on financial instruments, and compromise customer account data captured via HNDL attacks.
Healthcare organizations must protect patient records for 50+ years under HIPAA retention requirements. Medical records encrypted today with RSA-2048 will be vulnerable long before their required confidentiality expires. Electronic health record (EHR) systems, telemedicine platforms, and medical device communications all depend on RSA.
Government and defense agencies handling classified information face nation-state adversaries who are aggressively pursuing quantum computing capabilities. NSA CNSA 2.0 planning expects CNSA 2.0 support in new products and services starting in 2027 unless a program stipulation or waiver applies, replacement pressure for non-supporting equipment by December 31, 2030 where required, and a December 31, 2031 mandate for affected systems unless an exception applies. NIST IR 8547 (initial public draft) describes 2035 as a broader disallowance planning anchor. Diplomatic cables, intelligence communications, and weapons systems encrypted with RSA are priority targets for HNDL attacks.
Timeline to Obsolescence
- 2025-2026: Adversaries are actively harvesting encrypted traffic (confirmed by NSA, CISA advisories). Data encrypted with RSA-2048 today is at risk.
- 2029: Treat as a readiness/control date for completing funded migration plans before external CRQC timing becomes operational risk.
- 2030: NSA CNSA 2.0 replacement pressure applies to equipment that does not support CNSA 2.0 where required. NIST IR 8547 recommends commercial sector deprecation.
- 2031: CNSA 2.0 mandated for affected systems unless a program-specific exception applies.
- 2033: Treat as an external scenario planning marker, not a present-day break claim.
- 2035: NIST IR 8547 (initial public draft) describes disallowing RSA for federal systems. RSA-2048 considered cryptographically obsolete.
Organizations should begin PQC migration immediately, prioritizing systems with long data confidentiality requirements (10+ years) and high-value targets for nation-state adversaries.
At a glance
| Full Name | RSA with 2048-bit keys |
| Category | encryption |
| Key Size | 2048 bits |
| Quantum Vulnerability | Shor's algorithm — polynomial-time integer factorization on quantum hardware. |
| NIST Status | NIST IR 8547 recommends deprecation of RSA for key establishment by 2030 and disallowing after 2035. |
| Deprecation Timeline | Deprecated by 2030, disallowed after 2035 (NIST IR 8547) |
| Replaced By | ML-KEM (FIPS 203) for key exchange, ML-DSA (FIPS 204) for signatures |
Migration Guidance
Replace RSA key exchange with ML-KEM (FIPS 203). Replace RSA signatures with ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). Use hybrid mode (RSA + ML-KEM) during transition.
How Qtonic Quantum Can Help
Don’t Know Where RSA-2048 Lives in Your Stack?
QScout discovers instances of RSA-2048 across your infrastructure in 7 days — designed to minimize operational disruption. 72-hour time to first findings.