Kyber vs. RSA-2048

You’ve probably heard that “quantum computers will break the internet.”

Most people nod, file it under “future problems,” and keep uploading files to Google Drive.

This article is here to ruin that comfort.

The One-Sentence Summary

RSA-2048 and all elliptic-curve cryptography (ECC) die the day a large enough quantum computer runs Shor’s algorithm.
Kyber (now officially ML-KEM) does not — and is already standardized, fast, and shipping today.

That’s it. Everything else is details.

But let’s go through those details — slowly, clearly, and without the PhD jargon.

1. How RSA Actually Works (in plain English)

RSA is built on one brutally hard math problem:

“If I multiply two huge prime numbers together, it’s basically impossible to figure out what the original two primes were.”

Example (with tiny numbers you can actually calculate):

• Alice picks two primes: 3 and 11
• Multiplies them → public key = 33
• Anyone can send her a message using 33
• Only Alice, who knows the original 3 × 11 split, can decrypt

In real life those primes are ~2,048 bits each. The public key is a giant number with over 600 digits.

Factoring that number back into its original primes with a normal computer would take longer than the age of the universe.

That’s why RSA has kept your HTTPS connections and cloud logins safe for 30+ years.

Want to see what a real RSA-2048 public key looks like? Here’s a Python script that generates one:

Run this locally (install cryptography with pip install cryptography), and you’ll see a number with over 600 digits. That’s what protects your data today.

For comparison, here’s a Kyber-768 key exchange example using the pqcrypto library (install with pip install pqcrypto):

This demonstrates Kyber’s key encapsulation mechanism — no factoring needed, just math that’s hard even for quantum computers.¹

For a high-level overview, here’s how Kyber key exchange works in pseudocode:

Unlike RSA, Kyber uses lattice math that’s immune to Shor’s algorithm.

2. Shor’s Algorithm — The Quantum Kill Shot

In 1994, Peter Shor proved that a sufficiently large quantum computer can factor these giant numbers in hours — not billions of years.

It’s not a theory. It’s a recipe. We’ve already run tiny versions of Shor’s algorithm on real quantum hardware against 15, 21, and 48-bit RSA keys.

The current record (October 2025) is a 2024 Chinese research team that factored a 22-bit RSA key with only 68 logical qubits.²

To kill RSA-2048, estimates range from 4,000 to 20,000 logical qubits depending on the exact implementation.

Google, IBM, PsiQuantum, and others are racing toward 1,000+ logical qubits by 2030–2033.

Once they cross ~10,000 logical qubits, RSA-2048 is toast.

And remember: the data you upload today can be stored and decrypted later. That’s the harvest-now-decrypt-later attack.

Danger

Your 2025 backups become readable in ~2032.

As NIST puts it: “The security of widely used public-key cryptographic systems depends on the intractability of certain mathematical problems, such as integer factorization and discrete logarithms. However, quantum computers may be able to solve these problems in polynomial time using Shor’s algorithm.”³

3. What About Grover’s Algorithm?

Grover gives only a quadratic speedup against symmetric ciphers (AES, ChaCha20, etc.).

AES-128 → effectively becomes AES-64 → still safe for decades.
AES-256 → becomes AES-128 → still absurdly safe.

So quantum computers don’t really threaten the actual file encryption (AES-GCM, XSalsa20, etc.).
They threaten the key exchange — the moment your browser and the server agree on that symmetric key.

That key exchange is still 95 % RSA or ECC today.

4. Kyber — The Lattice That Refuses to Break

Kyber (officially ML-KEM since August 2024) is built on the Learning With Errors (LWE) problem — specifically a variant called Module-LWE.

In plain English:

Imagine a giant grid of numbers with a secret pattern plus a tiny bit of random noise sprinkled on top.

• Classical computers get completely lost in the noise.
• Quantum computers (even with Shor, Grover, or anything we know) still get lost.

There is no known quantum algorithm that beats classical computers on this problem.

That’s why Kyber is considered quantum-resistant.

Note

Kyber is already shipping in production at Google, Cloudflare, and Signal — and it’s been standardized by NIST since 2022.

5. Key & Ciphertext Sizes — The Real Numbers (2025)

AlgorithmPublic KeyPrivate KeyCiphertext (for 256-bit security)Security Level

RSA-2048	3072 bits	~2048–4096 bits	~256 bytes	Dead vs quantum
X25519 (ECC)	32 bytes	32 bytes	32–64 bytes	Dead vs quantum
Kyber-512	800 bytes	1632 bytes	768 bytes	~128-bit classical, quantum-safe
Kyber-768	1184 bytes	2400 bytes	1088 bytes	~192-bit classical, quantum-safe
Kyber-1024	1568 bytes	3168 bytes	1568 bytes	~256-bit classical, quantum-safe

Yes, Kyber keys are bigger.
But in 2025, 1.5 KB is nothing. Even mobile networks laugh at that.

6. Performance: Why Kyber Is Faster (And When It Matters)

Kyber isn’t just “a little faster” than RSA-2048—it’s dramatically faster for the heavy lifting, especially on the private-key side and key generation. We’re talking orders of magnitude in some cases. But the full picture depends on what you’re measuring and where.

The Heavy Operations: Where Kyber Shines

For key generation and the “private” operations (like decrypting or deriving shared secrets), Kyber can be thousands of times faster than RSA-2048. This is huge for servers handling millions of connections or devices with limited power.

• On constrained hardware (like ARM Cortex-M4 chips in IoT devices): Kyber-768 operations take ~7-9 ms, while RSA-2048 private operations take ~450 ms. That’s about 50-60 times faster for Kyber.
• On modern desktops/servers (x86_64 or ARM64): Key generation is 3,400× to 20,500× faster. Deriving shared secrets (the “incoming” side) is 1,600× to 3,200× faster.

These savings add up when you’re doing crypto at scale—think cloud providers or embedded systems.

End-to-End Handshakes: Still Faster, But Not as Dramatic

If you measure a complete key exchange (keygen + encapsulation + decapsulation) on powerful hardware, Kyber is still faster, but the gap narrows because other factors like network latency and protocol overhead dominate.

For example, on a modern CPU:

• Kyber-512 full handshake: ~0.13 ms
• RSA-2048 full handshake: ~0.32 ms

That’s about 2.5× faster for Kyber, which is nice but not the game-changer the per-operation numbers suggest.

Real Browsers in 2025

Here are approximate benchmarks from various browser implementations (Chrome, Firefox, etc.) on modern hardware:

OperationRSA-2048Kyber-1024Winner

Key generation (client)	~100 ms	~20 ms	Kyber 5× faster
Encapsulation (server)	~90 ms	~25 ms	Kyber 3.6× faster
Decapsulation (client)	~90 ms	~25 ms	Kyber 3.6× faster
Total handshake time	~300 ms	~70 ms	Kyber 4× faster

The gap is widening as implementations get optimized with AVX-512, NEON, and WASM SIMD.⁴

Danger

Don’t get fooled by “RSA is still fast enough.” Speed isn’t the issue — quantum resistance is. RSA’s doom is inevitable.

The Trade-Off: Bigger Keys, Better Security

Kyber’s keys and ciphertexts are larger (1-2 KB vs. RSA’s ~0.5 KB), so bandwidth and memory use goes up a bit. But you get:

• Massive compute savings (cheaper servers, longer battery life)
• Quantum resistance (RSA dies, Kyber doesn’t)
• Future-proofing without breaking changes

For most apps, the benefits outweigh the costs—especially since 1.5 KB is negligible in 2025.

7. Why Cloud Providers Still Haven’t Switched (Yet)

1. Inertia — “It still works today”
2. Legacy clients that don’t support post-quantum
3. Fear of slightly larger TLS handshakes (~1–2 KB extra)
4. No immediate revenue impact

Translation: they’ll wait until the week before the first CRQC announcement, then panic-migrate and break half the internet.

“Post-quantum cryptography isn’t optional anymore. It’s essential for securing the digital infrastructure of the future.” — NIST Director Laurie Locascio, 2024

8. Why Ellipticc Shipped Kyber on Day One

Because we’re not waiting for the panic.

Every single file you upload to Ellipticc Drive is protected by:

• Kyber-768 for initial key exchange
• X25519 as hybrid fallback (for now)
• Dilithium-2 (ML-DSA65) signatures
• XChaCha20-Poly1305 file encryption

Even if a quantum computer appears tomorrow, your data remains unreadable — forever.

We didn’t ship “quantum-ready.”
We shipped quantum-immune.

TL;DR — The Brutal Truth

YearWhat Happens to RSA-2048What Happens to Kyber-768

2025–2029	Still safe (barely)	Safe
2030–2035	Probably dead → harvest-now-decrypt-later wins	Still safe
2040+	Definitely dead	Still safe (unless math itself breaks)

Final Thought

The quantum threat is not science fiction.

It’s a when, not an if.

And “when” is measured in single-digit years, not decades.

Every cloud provider still using RSA or ECC for key exchange is effectively telling nation-states:
“Please steal our users’ data now and read it later.”

We refuse to be that provider.

Note

Ellipticc Drive launched with Kyber from day one because your privacy deserves to survive the 2030s.
Sign up now to secure your files with quantum-resistant encryption.

See you on the other side.

Previous Post Why We Bet on Post-Quantum Encryption for Everyday Cloud Storage

Next Post You're at the newest post!