Is RSA quantum-safe?
RSA is broken by Shor's algorithm on a sufficiently large quantum computer, which recovers the private key directly from the public key. A bigger key does not help. Migrate to ML-KEM (FIPS 203) for key exchange and ML-DSA (FIPS 204) for signatures.
Why RSA breaks
RSA's security rests on one hard problem: factoring the product of two large primes. Recovering the private key from the public key means factoring that product, and the best classical algorithms take impractically long for a 2048-bit key.
Shor's algorithm changes the game. On a cryptographically-relevant quantum computer, it factors large integers in polynomial time. That collapses the exact problem RSA depends on — so a quantum attacker recovers your private key from the public key that you, by design, publish to the world.
Won't a bigger key save me?
No. Doubling to RSA-4096 multiplies the work for a classical attacker, but Shor's algorithm scales efficiently with key size — a few thousand bits is not a meaningful obstacle. You can't out-size your way out of a polynomial-time attack. The same applies to every algorithm whose security comes from factoring or discrete logarithms.
Where RSA hides in your stack
- TLS certificates and handshakes (RSA key transport / RSA-signed certs)
- JWT signing with
RS256/RS384/RS512 - SSH host and user keys
- Code-signing, package signing, PGP/GPG
- Libraries:
node-rsa,jsonwebtoken, Pythoncryptography/rsa, Gocrypto/rsa, the Rustrsacrate
What to migrate to
Per NIST's finalized standards (Aug 2024):
- Key transport / exchange → ML-KEM (FIPS 203), ideally as a hybrid with a classical curve during the transition.
- Signatures → ML-DSA (FIPS 204), or SLH-DSA (FIPS 205) where a conservative hash-based scheme is preferred.
Because RSA in key transport is exposed to "harvest now, decrypt later", it's a first-priority migration; RSA used only for signatures can follow.
Find every RSA call-site in a repo — at file:line, free.