QUANTUM · EXPLAINER · REFERENCE · Published May 30

What is quantum computing — the mental model, what it actually does, and when it starts to matter.

Quantum computing is not a faster classical computer. It is a different machine, good at a narrow set of problems where superposition and entanglement let you explore many candidate solutions in correlated ways no classical machine can match. This piece is the operator's-level explainer: the model, the qubit, the algorithms that matter (Shor, Grover, quantum simulation), the problems quantum is genuinely good at, the problems it is not, the crypto threat, the q-day estimate as of mid-2026, and what to do with the information.

4 algorithm families that matter
2 cryptosystems quantum breaks (RSA, ECC)
~2030s plausible q-day window
TL;DR: 30-second version
  1. Quantum is not a faster general-purpose computer. It is good at four narrow things: factoring (Shor's algorithm, which breaks RSA + ECC), unstructured search (Grover, modest speedup), quantum simulation (chemistry, materials, drug discovery), and certain optimization problems. Everything outside those families runs at classical speed or worse on quantum hardware. The idea that 'quantum will replace classical computing' is wrong; the idea that 'quantum will dominate specific workloads' is right.
  2. A qubit is not a smaller bit. It is a unit that holds a probability distribution over 0 and 1 (superposition), and that distribution can be correlated with other qubits in ways classical bits cannot (entanglement). With n qubits, you encode 2^n amplitudes simultaneously. The trick is not 'all answers at once' — it is interference patterns that constructively amplify the right answer when you measure. The algorithm design is the art of arranging that interference.
  3. The cryptographic threat is real and time-bound. A sufficiently large fault-tolerant quantum computer breaks RSA-2048 and elliptic-curve crypto via Shor's algorithm. Public roadmaps point to fault-tolerant systems in the late 2020s to mid-2030s; Harvard's May 2026 review argues the timeline is faster than publicly stated. The harvest-now-decrypt-later threat means data encrypted today is at risk if its sensitivity outlives the migration window. NIST standards (FIPS 203/204/205) are final; migration is the work.

You do not need to learn quantum programming to do your job. You do need to understand what quantum threatens (asymmetric crypto: RSA, DH, ECC; symmetric crypto only quadratically) and what the NIST standards are (FIPS 203/204/205). The migration work will land on infrastructure, platform, security, and SRE teams within 2-3 years. Start now by reading NIST FIPS 203 at the spec level and following one major TLS library's PQC announcements (OpenSSL, BoringSSL, rustls).

This is your problem and your call to make. Build the crypto inventory this year. Pick the lowest-friction PQC pilot (hybrid TLS on one internal service). Build the migration roadmap with a 2027-2030 horizon. Brief the board on q-day risk and harvest-now-decrypt-later threat model. Most peers are not doing this yet; the ones who do will look prescient when the timeline accelerates.

The quantum thesis splits into three: (1) hardware vendors — high-risk, long-horizon, winner-take-most by modality; (2) software + middleware (compilers, error suppression, dev platforms) — earlier monetization, less binary; (3) post-quantum crypto vendors (HSMs, crypto-discovery, managed migration) — clearer revenue model, faster ramp, less speculative. The application layer (quantum chemistry, drug discovery) is real but slow.

Quantum is not in your 2026-2028 product roadmap unless your product is quantum. The cryptographic threat is in your 2026-2028 compliance + customer-trust roadmap. Get PQC posture into your security collateral now — large enterprise customers will start asking in 2026, government customers already are. The cost of being early is small; the cost of being late is a procurement-killer.

The mental model: quantum is not a faster general-purpose computer, it is a different machine good at four specific problem families. The cryptography you use every day — the lock icon in your browser — depends on math problems quantum can solve quickly. That is fixable with new algorithms (NIST has them). The fix takes a long time and most organizations are behind on it. Beyond crypto, quantum is genuinely revolutionary for chemistry and materials science. Almost everything else is at least somewhat overhyped.

Six core ideas to internalize. Each is short and load-bearing — the rest of the piece builds on these.

Concept

A qubit is a probability amplitude, not a bit

Qubits hold complex-valued probability amplitudes over |0⟩ and |1⟩. With n qubits you have 2^n amplitudes in superposition. Measurement collapses to a single classical outcome — the algorithm design is arranging interference so the right outcome is most likely.

foundation
Concept

Entanglement is the resource

Entangled qubits cannot be described independently — measuring one tells you about the other instantly, regardless of distance. Entanglement is what quantum computing exploits that classical computing cannot.

foundation
Algo

Shor's algorithm breaks RSA + ECC

Factoring large integers (RSA) and discrete log (ECC) become polynomial-time on a sufficient quantum computer. This is the cryptographic threat. Everything else in PKI that depends on those primitives is in scope.

crypto
Algo

Grover's algorithm: quadratic search speedup

Unstructured search goes from O(N) to O(√N). For symmetric crypto (AES), this halves effective key length — AES-128 becomes ~AES-64 strength. The mitigation is straightforward: double the key size. AES-256 stays safe.

crypto
Algo

Quantum simulation — the genuine application win

Simulating quantum systems (molecules, materials, chemistry) is exponentially expensive classically and polynomial on a quantum computer. This is where Q-CTRL + IBM reported a 3,000x speedup in materials discovery for the energy sector on the IBM Quantum Platform (May 6, 2026), reducing a 100+ hour classical simulation to roughly two minutes — a credible workload-level advantage claim in a real R&D problem.

application
Hardware

Four physical modalities competing

Superconducting (IBM, Google), neutral atoms (QuEra, Atom Computing, Pasqal), trapped ions (IonQ, Quantinuum), topological qubits (Microsoft). Each has different qubit counts, coherence times, gate fidelities, error rates. No consensus winner yet.

hardware

The shortest accurate description of quantum computing: it is a machine that prepares a superposition of candidate solutions, evolves them through unitary operations (the algorithm), and measures the result in a way that the constructive interference of correct solutions amplifies the probability of getting the right answer. Everything else — qubit modalities, error correction, decoherence — is engineering. The model below contrasts what classical and quantum machines actually do.

BEFORE
How classical computing works
  • Bits hold either 0 or 1 — one definite value at a time
  • n bits hold exactly one of 2^n possible states
  • Operations transform a single state to a single state
  • Parallelism is achieved by replicating hardware (cores, GPUs)
  • Search through possibilities is exhaustive — O(N) average for unstructured search
  • Cryptography rests on problems that are hard to solve in polynomial time on this machine model
AFTER
How quantum computing works
  • Qubits hold complex amplitudes over |0⟩ and |1⟩ — a probability distribution, not a value
  • n qubits encode 2^n amplitudes simultaneously (superposition)
  • Operations (unitary gates) transform the entire amplitude distribution at once
  • Entanglement lets multi-qubit operations create correlations classical bits cannot represent
  • Measurement collapses to one outcome — algorithm design arranges interference so the right outcome dominates
  • Cryptography that rests on problems quantum makes polynomial-time (factoring, discrete log) becomes broken

The right question is not 'is quantum faster.' It is 'is your problem in one of the four families quantum is good at — Shor-shaped, Grover-shaped, simulation-shaped, or optimization-shaped (with caveats).' If yes, quantum will eventually dominate that workload. If no, you are in classical-computing territory for the foreseeable future. Most workloads are classical territory; the few that are not are very important.

DEEP READ 4 sections · cited primary sources · technical review pending

01 The qubit, properly explained

A classical bit is a switch — it is in state 0 or state 1 at any moment. A qubit is a vector in a 2-dimensional complex Hilbert space, written as α|0⟩ + β|1⟩, where α and β are complex numbers (probability amplitudes) and |α|² + |β|² = 1. The probability of measuring 0 is |α|², the probability of measuring 1 is |β|². Before measurement, the qubit is in neither state — it is in a superposition described by α and β. After measurement, it collapses to 0 or 1 and the superposition is destroyed.

What makes this powerful is what happens with multiple qubits. With n classical bits, you have 2^n possible states but only one of them is realized at any moment. With n qubits, you have 2^n complex amplitudes simultaneously — the system holds a full probability distribution over all 2^n classical states. A 50-qubit system has ~10¹⁵ amplitudes; a 300-qubit system has more amplitudes than atoms in the observable universe.

The misleading framing is 'quantum tries all answers at once.' What actually happens: quantum operations transform the whole amplitude distribution in correlated ways, and clever algorithms arrange the dynamics so that constructive interference amplifies the amplitude of the correct answer while destructive interference suppresses the wrong ones. When you measure, you most likely get the right answer. The art of quantum algorithm design is engineering those interference patterns.

  • Bit vs qubit: a bit is 0 or 1; a qubit is α|0⟩ + β|1⟩ with complex amplitudes. n bits: 1 state of 2^n. n qubits: amplitudes over all 2^n.
  • What measurement does: collapses superposition to one classical outcome with probability |α|² or |β|². You cannot directly read the amplitudes — you can only sample from the distribution they define.

02 Entanglement — the resource that makes quantum quantum

Take two qubits. If they are not entangled, the state of the pair can be described as the product of two independent qubit states: (α|0⟩ + β|1⟩) ⊗ (γ|0⟩ + δ|1⟩). Four amplitudes total. If they are entangled, the joint state cannot be factored into two independent qubit states — there is correlation built into the very definition of the system. The Bell state (|00⟩ + |11⟩)/√2 is the simplest example: measuring one qubit guarantees the other will measure the same way, even though neither has a definite value before measurement.

Entanglement is not a 'spooky communication channel' — you cannot use it to send signals faster than light. But it is the resource that lets quantum algorithms achieve computational advantages classical machines cannot reach. Without entanglement, a quantum computer is just a probabilistic classical computer; with entanglement, it can compute things classical machines provably cannot.

Practical implication for buyers and engineers: entanglement is fragile. Maintaining it requires extraordinary isolation from environment noise (cryogenic temperatures for superconducting qubits, ultra-high vacuum for ion traps, laser-stable cavities for neutral atoms). Most engineering effort in quantum computing today is about extending coherence time — how long entanglement survives before noise destroys it.
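The factoring claim above can be checked numerically. This is an added example, not part of the original article: it builds a product state and the Bell state with a Hadamard and a CNOT, then tests whether each two-qubit state factors. The function names are this example's own.

```python
import math
import random


def tensor(q1, q2):
    """Joint state of two independent qubits: amplitudes for |00>, |01>, |10>, |11>."""
    (a, b), (c, d) = q1, q2
    return [a * c, a * d, b * c, b * d]


def hadamard_first(state):
    """Apply a Hadamard gate to the first (left) qubit."""
    s = 1 / math.sqrt(2)
    a00, a01, a10, a11 = state
    return [s * (a00 + a10), s * (a01 + a11), s * (a00 - a10), s * (a01 - a11)]


def cnot(state):
    """CNOT with the first qubit as control: swaps the |10> and |11> amplitudes."""
    a00, a01, a10, a11 = state
    return [a00, a01, a11, a10]


def is_product_state(state, tol=1e-12):
    """A two-qubit pure state factors into two qubits iff a00*a11 - a01*a10 = 0."""
    a00, a01, a10, a11 = state
    return abs(a00 * a11 - a01 * a10) < tol


def marginal_first_qubit(state):
    """Probabilities of reading 0 or 1 on the first qubit alone."""
    p = [abs(x) ** 2 for x in state]
    return p[0] + p[1], p[2] + p[3]


def sample(state, shots, rng):
    """Measure both qubits `shots` times and count the joint outcomes."""
    outcomes = ["00", "01", "10", "11"]
    counts = dict.fromkeys(outcomes, 0)
    for o in rng.choices(outcomes, weights=[abs(x) ** 2 for x in state], k=shots):
        counts[o] += 1
    return counts


def bell_state():
    """Start in |00>, put the first qubit in superposition, then entangle."""
    return cnot(hadamard_first([1.0, 0.0, 0.0, 0.0]))


if __name__ == "__main__":
    s = 1 / math.sqrt(2)
    product = tensor((s, s), (s, s))          # two independent 50/50 qubits
    bell = bell_state()                       # (|00> + |11>)/sqrt(2)
    rng = random.Random(7)                    # fixed seed so the run is repeatable
    print("product factors:", is_product_state(product), sample(product, 1000, rng))
    print("bell factors:   ", is_product_state(bell), sample(bell, 1000, rng))
    print("bell, first qubit alone:", marginal_first_qubit(bell))
```

Both states give a 50/50 result on either qubit alone; only the joint counts differ, and for the Bell state the outcomes 01 and 10 never occur.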

03 Shor, Grover, simulation — what quantum is genuinely good at

Shor's algorithm (Peter Shor, 1994) factors integers and solves the discrete logarithm problem in polynomial time on a quantum computer. Classically, the best known algorithms are sub-exponential — RSA-2048 takes ~10²⁰ operations to factor classically; Shor's would do it in ~10⁸ operations on a sufficient quantum computer. This is the cryptographic threat. Every public-key cryptosystem based on factoring or discrete log (RSA, DH, ECC) is broken by Shor at sufficient scale.

Grover's algorithm (Lov Grover, 1996) searches an unstructured database of N items in O(√N) time vs O(N) classically. For symmetric crypto (AES, SHA-2/3) this halves the effective security level — AES-128 becomes ~64-bit strength against quantum, which is in attack range. The mitigation is easy: double the key length. AES-256 stays at ~128-bit quantum strength. SHA-512 stays strong. This is why NIST's recommended path is to bump symmetric key sizes (cheap) and replace asymmetric cryptography entirely (expensive).

Quantum simulation — simulating quantum mechanical systems — is the application area with the clearest commercial advantage. Simulating molecules, materials, chemical reactions, and condensed-matter physics is exponentially expensive classically; quantum computers do it polynomially because they are themselves quantum systems. May 6, 2026's Q-CTRL + IBM result on materials discovery for the energy sector, run on the IBM Quantum Platform with Q-CTRL's performance-management software, delivered a 3,000x speedup over classical methods — reducing a simulation that took over 100 hours classically down to roughly two minutes.

Outside these families, quantum computers do not provide useful speedup for most workloads. Optimization problems sometimes get modest speedups via quantum annealing or QAOA, but the picture is workload-specific and often not a clear win. Machine learning on quantum computers (QML) is an active research area but no production wins yet. The wide-area claim of 'quantum will revolutionize everything' is marketing; the narrow claim of 'quantum will dominate these four problem families' is the technical truth.

  • Shor: Polynomial-time factoring + discrete log → breaks RSA, DH, ECC at sufficient scale. The cryptographic threat.
  • Grover: Quadratic search speedup → halves symmetric key strength. Mitigation: double key length. AES-256 stays safe.
  • Simulation: Polynomial simulation of quantum systems → chemistry, materials, drug discovery. The clearest commercial application area.
  • Optimization: Mixed results. Quantum annealing + QAOA give workload-specific speedups, often modest. Not a guaranteed win.
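The interference argument in section 01 and the O(√N) Grover claim in this section, as an added example (not from the original article): an exact state-vector simulation of Grover's search with one marked item, in pure Python. The function names and the sample values (10 qubits, marked index 700) are this example's own.

```python
import math


def grover_success_probability(n_qubits, marked, iterations):
    """Probability of measuring `marked` after `iterations` Grover rounds
    over N = 2**n_qubits items (exact simulation of all N amplitudes)."""
    n = 2 ** n_qubits
    amp = [1 / math.sqrt(n)] * n             # uniform superposition: each item has probability 1/N
    for _ in range(iterations):
        amp[marked] = -amp[marked]            # oracle: flip the sign of the marked amplitude
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]     # diffusion: reflect every amplitude about the mean
    return amp[marked] ** 2


def optimal_iterations(n_qubits):
    """Number of rounds that maximises success: floor(pi/4 * sqrt(N))."""
    return math.floor(math.pi / 4 * math.sqrt(2 ** n_qubits))


def grover_work_bits(key_bits):
    """log2 of the Grover rounds needed to search a key space of 2**key_bits keys."""
    return math.log2(math.pi / 4) + key_bits / 2


def demo(n_qubits=10, marked=700):
    """Success probability at 0, half, optimal and double the optimal round count."""
    best = optimal_iterations(n_qubits)
    return [(k, grover_success_probability(n_qubits, marked, k))
            for k in (0, best // 2, best, 2 * best)]


if __name__ == "__main__":
    for rounds, p in demo():
        print(f"rounds={rounds:3d}  P(marked)={p:.5f}")
    for bits in (128, 256):
        print(f"{bits}-bit key: about 2^{grover_work_bits(bits):.1f} Grover rounds")
```

Running twice the optimal number of rounds drives the success probability back toward zero: the speedup comes from a controlled rotation of amplitudes, not from reading every candidate at once.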

04 Q-day — when does this break my cryptography

A cryptographically-relevant quantum computer (CRQC) is one large enough to run Shor's algorithm against RSA-2048 in a useful amount of time. This requires millions of physical qubits with sufficient error correction to expose thousands of logical qubits — orders of magnitude beyond today's hardware. As of mid-2026, the public roadmaps point to fault-tolerant quantum computing in the late 2020s to mid-2030s, with CRQC scale beyond that.

Harvard's May 4, 2026 research review argues these timelines are faster than the public roadmaps state. Error-correction thresholds are being crossed earlier than planned across multiple modalities (superconducting, neutral atom, ion trap); the gap between logical-qubit demonstrations and CRQC scale is narrowing faster than consensus estimates. The honest summary as of mid-2026: q-day is plausibly in the 2030s, possibly earlier, almost certainly within most enterprise data sensitivity horizons.

The harvest-now-decrypt-later threat means you do not need to wait until q-day to be at risk. Any data encrypted today with RSA or ECC — TLS-encrypted traffic, end-to-end encrypted messaging, signed financial records — could be captured by an adversary, stored, and decrypted when sufficient quantum hardware exists. If your data has a >5-year confidentiality requirement, your migration timeline has already passed.

  • Q-day estimate (mid-2026): 2030s plausible, possibly earlier. Faster than 2024 consensus per Harvard May 2026 review.
  • Mosca's framework: If data lifetime + migration time > time to CRQC, you are at risk now. Most enterprises fail this inequality.
  • Harvest-now-decrypt-later: Adversaries are collecting encrypted traffic today for future decryption. This is an active threat model, not speculation.

Six places where the quantum story is more nuanced or more urgent than the headlines suggest. Severity reflects how much operational impact the misunderstanding creates.

  1. Conflating 'quantum advantage' on benchmarks with practical utility (severity: MEDIUM)

    Random circuit sampling demonstrations (Google's Willow result, IBM's earlier supremacy claim) are computationally meaningful but practically useless. They demonstrate a quantum computer can sample from a distribution classical computers struggle to sample from — they do not show quantum solving any useful problem. Vendor marketing routinely blurs this line, leading buyers to assume practical quantum applications are imminent when they are not. The May 6, 2026 Q-CTRL + IBM materials-discovery result is different — that is a real workload — but it does not mean every workload is quantum-accelerable.

    DO: When evaluating a 'quantum advantage' claim, ask: is the benchmark an application or a sampling task? Sampling tasks are marketing; application benchmarks (chemistry, materials, optimization with a real loss function) are signal.
  2. Treating 'q-day is far away' as a reason to defer PQC migration (severity: HIGH)

    The 'q-day is 20 years away' framing — repeated as recently as 2023 in mainstream cybersecurity media — has been steadily eroded by 2025-2026 hardware progress. Harvard's May 2026 review argues the public roadmaps understate progress. Even if q-day lands in 2035, harvest-now-decrypt-later means today's TLS traffic with 5-10 year sensitivity is in scope now. Treating PQC migration as a 2030 problem leaves you exposed to a 2026-2030 attack window for any captured ciphertext.

    DO: Reframe the question from 'when is q-day' to 'what is our data sensitivity horizon and our migration time.' Mosca's framework is the right tool: if (data lifetime + migration time) > (time to CRQC), you are exposed now.
  3. Treating post-quantum cryptography migration as a software patch (severity: HIGH)

    Post-quantum cryptography is not a TLS library update. It is a fundamental architectural rework of every cryptographic dependency in the enterprise: every TLS certificate, SSH key, VPN tunnel, HSM key, signed software artifact, signed firmware blob, blockchain wallet, secure boot chain, and embedded device. For large enterprises this is thousands of systems with different vendors, different upgrade paths, and different operational risk profiles. The 'just enable PQC' framing badly understates the engineering work.

    DO: Start crypto inventory now — it gates everything else. The boring discovery work (what crypto, where, who owns it, what depends on it) is the long pole.
  4. Panicking about symmetric crypto (AES, hashes) being broken (severity: MEDIUM)

    Quantum is not a general crypto-killer. Symmetric ciphers (AES, ChaCha20) and hash functions (SHA-256, SHA-3) face only a quadratic speedup from Grover's algorithm — effective security is halved, not eliminated. AES-128 → ~64-bit quantum strength (problematic, in attack range). AES-256 → ~128-bit quantum strength (safe for the foreseeable future). SHA-256 → ~128-bit collision resistance (still robust). The migration here is straightforward: bump key sizes. The hard work is asymmetric crypto (Shor), not symmetric crypto (Grover).

    DO: Move AES-128 to AES-256, SHA-256 to SHA-384 or SHA-512 where it is cheap. Spend the real budget on asymmetric replacement (ML-KEM, ML-DSA, SLH-DSA).
  5. Buying quantum-application claims for problems quantum is not good at (severity: MEDIUM)

    Vendor pitches sometimes claim quantum acceleration for problems outside the four families (Shor / Grover / simulation / optimization). Quantum machine learning, quantum AI, 'quantum-enhanced X' for X that is classical-shaped — most of these claims are speculative at best, marketing at worst. The honest application footprint as of 2026 is narrow: cryptanalysis (Shor), chemistry/materials/drug-discovery simulation, certain optimization problems with quantum-friendly structure, and search (Grover) where the modest quadratic speedup justifies the hardware cost.

    DO: When a vendor pitches quantum for your domain, ask which of the four algorithm families it maps to. If the answer is hand-wavy ('hybrid quantum-classical'), the speedup is probably not real.
  6. Engineers treating quantum as "not my problem" (severity: MEDIUM)

    Quantum is genuinely not your runtime in 2026 — you will not be writing quantum code in your day job for years. But the cryptographic threat is your problem now: every system that depends on RSA, DH, or ECC needs a PQC migration path. Engineers in security, infrastructure, and platform roles need a working understanding of what quantum is, what it threatens, what the NIST standards are, and what hybrid migration looks like. The "I will learn it when it matters" stance leaves you behind when the migration project lands on your sprint.

    DO: Read NIST FIPS 203 (ML-KEM) at the spec level once. You do not need to implement it — but knowing what it is buys you the ability to evaluate vendor claims and design choices when the work arrives.

Three things worth doing this year regardless of where you sit relative to quantum.

  1. Start a crypto inventory if you have not already

    List every place your systems use asymmetric cryptography: TLS certificates and their chains, SSH host + user keys, VPN tunnel auth, HSMs and their key inventories, signing certificates for code and firmware, document signing, email signing (S/MIME, PGP), blockchain wallets if relevant. For each, note: algorithm, key size, owner, criticality, replacement difficulty. This is the boring part nobody wants to do. It gates everything later. Tools that help: ssh-keyscan, OpenSSL audit scripts, vendor APIs for HSM inventory, CA management consoles for certificate inventory.

  2. Pick one system and pilot a hybrid TLS migration

    Hybrid TLS — classical key exchange (X25519) combined with post-quantum (ML-KEM-768) — is the lowest-risk first step. Major browsers and TLS libraries (Cloudflare, Google Chrome, OpenSSL 3.x, BoringSSL) support hybrid X25519+Kyber. Pick one internal service, enable hybrid TLS, validate it does not break legacy clients, measure handshake latency impact (typically minimal — ML-KEM is fast). This is the rehearsal for the larger migration; the value is operational learning, not security improvement (which is hybrid-safe regardless).

  3. Make sure your boards and customers know the timeline

    The PQC conversation is no longer a niche security topic. NSS deadline January 2027. Corporate cyber insurers asking about PQC posture in 2026 renewals. Large enterprise customers asking vendors about PQC roadmaps in 2026 procurement. If your board does not have a PQC briefing on the 2026 calendar, schedule it. If your customers are not seeing PQC in your security collateral, add it. The companies that handled cloud transition gracefully are the ones who started the conversation before they had to.
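One way to turn the crypto inventory from step 1 into a priority list using Mosca's inequality from section 04. This is an added example, not part of the original article: the inventory rows, owners and the 8-year time-to-CRQC planning value are constructed assumptions, and the field and function names are this example's own.

```python
from dataclasses import dataclass

# Families per the article: Shor breaks RSA/DH/ECC, Grover halves symmetric
# strength, and the NIST PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) replace them.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
SYMMETRIC = {"AES", "CHACHA20"}


@dataclass
class Asset:
    system: str
    algorithm: str             # "+" joins the parts of a hybrid, e.g. "X25519+ML-KEM"
    key_bits: int
    owner: str
    data_lifetime_years: int   # how long the protected data must stay confidential
    migration_years: int       # estimated time to replace the cryptography


def classify(asset):
    """Return the action the article recommends for this algorithm family."""
    parts = set(asset.algorithm.upper().split("+"))
    if parts & PQC:
        return "ok"            # pure PQC, or a hybrid with a PQC component
    if parts & SHOR_BROKEN:
        return "replace"       # asymmetric and broken by Shor
    if parts <= SYMMETRIC:
        return "ok" if asset.key_bits // 2 >= 128 else "resize"   # Grover halves strength
    return "unknown"           # not recognised: needs a human to look


def mosca_margin(asset, years_to_crqc):
    """Mosca: exposed now when data lifetime + migration time > time to CRQC."""
    return asset.data_lifetime_years + asset.migration_years - years_to_crqc


def triage(inventory, years_to_crqc):
    """Flag every asset that needs work; exposed ones first, largest overshoot first."""
    findings = []
    for asset in inventory:
        action = classify(asset)
        if action == "ok":
            continue
        margin = mosca_margin(asset, years_to_crqc)
        findings.append({"system": asset.system, "owner": asset.owner, "action": action,
                         "margin_years": margin, "exposed_now": margin > 0})
    findings.sort(key=lambda f: (not f["exposed_now"], -f["margin_years"]))
    return findings


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("vpn-gateway", "RSA", 2048, "netops", 10, 3),
    Asset("internal-api-tls", "X25519+ML-KEM", 256, "platform", 5, 1),
    Asset("backup-encryption", "AES", 128, "storage", 7, 1),
    Asset("db-at-rest", "AES", 256, "storage", 10, 1),
    Asset("firmware-signing", "ECDSA", 256, "embedded", 15, 4),
    Asset("ssh-bastion", "ED25519", 256, "sre", 1, 1),
    Asset("legacy-hsm", "PROPRIETARY", 0, "finance", 5, 2),
]

YEARS_TO_CRQC = 8   # assumption: a planning value, not a figure from the article

if __name__ == "__main__":
    for f in triage(INVENTORY, YEARS_TO_CRQC):
        print(f)
```

Rerun the triage with a smaller `YEARS_TO_CRQC` to see which systems move into the exposed group if the timeline shortens.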

Six developments to track over the next 12-24 months — each will change the timeline or the operational picture.

IBM Anderon fab milestones

Anderon is the first US pure-play quantum chip foundry, backed by CHIPS Act + IBM capital. Hitting fabrication milestones on schedule pulls forward IBM's fault-tolerance roadmap. Slipping milestones extends it. Track quarterly updates.

Neutral-atom modality progress

QuEra, Atom Computing, Pasqal are demonstrating qubit counts in the thousands with promising error rates. If neutral atoms hit fault tolerance before superconducting, the hardware landscape shifts substantially. Watch QuEra and Atom Computing announcements through 2026-2027.

Microsoft topological qubit progress

Topological qubits theoretically have intrinsic error resistance — fewer physical qubits needed per logical qubit. Microsoft's February 2025 Majorana-1 announcement was the first credible signal in a decade. Whether topological scales to useful systems will be a major story 2026-2030.

Q-CTRL-style error suppression in software

Runtime error suppression (Q-CTRL's approach with IBM, plus academic work) extends what current hardware can do without waiting for fault tolerance. The May 2026 materials-discovery 3,000x result suggests there is meaningful room for software-only progress on top of existing hardware.

NSA / DOD PQC compliance enforcement

CNSA 2.0 deadlines start January 2027 for new NSS acquisitions. How aggressively NSA enforces these, and whether large defense primes (Lockheed, RTX, Northrop) hit the deadlines, sets the tone for commercial enterprise migration timelines.

A real Shor demonstration on >2-digit numbers

Shor's algorithm has been demonstrated on tiny numbers (15 = 3×5) for years. The first credible demonstration on a non-trivial number — even 4-5 digit — would be a watershed moment for q-day timing. Watch for this from any of IBM, Google, IonQ, Quantinuum.