Cryptography Explained
RSA vs ECC vs Post-Quantum: What Your TLS Certificates Reveal About Quantum Risk
Why RSA and ECC TLS certificates are both quantum-vulnerable, how NIST PQC standards (ML-KEM/ML-DSA/SLH-DSA) compare, and how to read your own.
RSA vs ECC vs Post Quantum: What Your TLS Certificates Reveal About Quantum Risk Almost every public TLS certificate on the internet today is keyed and signed with one of two algorithms: RSA or ECC. Both are battle tested over decades — and both are broken by Shor's algorithm once a cryptographically relevant quantum computer (CRQC) exists. The Global Risk Institute's 2025 expert survey puts the median CRQC estimate around 2029–2032, with roughly a 34% probability by 2030. That makes the algorithm names buried in your certificates a direct readout of your quantum exposure. This post explains what RSA and ECC are, why bigger keys don't save them, what the NIST post quantum standards replace them with, and how to read the hybrid post quantum TLS already shipping in your browser. The practical takeaway: the first move in any migration is knowing which algorithms your certificates use — something an external scan reveals in minutes. RSA: the workhorse of public key crypto RSA (Rivest–Shamir–Adleman) is the algorithm most people picture when they think "encryption." Its security rests on a simple fact: multiplying two large prime numbers is easy, but factoring the resulting product back into those primes is hard for a classical computer. A 2048 bit RSA key would take a conventional machine far longer than the age of the universe to factor by brute force. RSA authenticates servers (the signature on a TLS certificate) and historically exchanged session keys. It's everywhere — web servers, email, code signing, VPNs, document signatures. When you see a certificate with a 2048 bit or 4096 bit key, that's RSA. The catch: factoring is only hard for classical computers. Shor's algorithm, designed to run on a quantum computer, solves integer factorization in polynomial time. A sufficiently large CRQC doesn't grind through RSA — it sidesteps the hard problem entirely. ECC: smaller keys, same fatal weakness Elliptic Curve Cryptography (ECC) does the same jobs as RSA — key exchange and signatures — but uses the mathematics of elliptic curves instead of prime factorization. Its security rests on the elliptic curve discrete logarithm problem, which is even harder per bit than factoring. That efficiency is why ECC won so much ground: a 256 bit ECC key (curves like P 256 or Curve25519) offers security roughly comparable to a 3072 bit RSA key, with smaller certificates and faster handshakes. Modern certificates increasingly use ECDSA signatures and X25519 key exchange for this reason. Here's the part that trips people up: ECC is not a quantum safe upgrade over RSA. Shor's algorithm solves the discrete logarithm problem just as efficiently as it solves factoring, so a CRQC breaks ECC and RSA alike. Choosing elliptic curves over RSA is a performance decision, not a quantum readiness one. Why "just use a bigger key" doesn't work The instinct to answer a cryptographic threat by doubling the key size is reasonable — it's worked before. Against quantum attacks on RSA and ECC, it doesn't. Shor's algorithm scales polynomially with key size, not exponentially. Classical attackers face exponential cost as keys grow, which is what makes 2048 bit RSA safe today; a quantum attacker running Shor's does not. Doubling an RSA key from 2048 to 4096 bits, or moving from a 256 bit to a 521 bit curve, makes the quantum attack modestly more expensive — but does not move the problem out of reach. There is no key size at which RSA or ECC becomes quantum resistant. The math itself i