Skip to content

Cryptographic Vulnerability Window

This MicroSim visualizes the "vulnerability window" — the potential gap between when quantum computers might break current cryptographic systems (such as RSA-2048) and when post-quantum cryptography (PQC) is fully deployed across critical infrastructure. It also highlights the "Harvest Now, Decrypt Later" attack window, during which adversaries can collect encrypted data today and decrypt it once quantum capability arrives.

Vulnerability Window MicroSim

View Vulnerability Window MicroSim Fullscreen

Use the two sliders to explore different scenarios. The QC Threat Year slider shifts the quantum computing threat timeline — the year at which there is a 50% probability that a cryptographically relevant quantum computer exists. The PQC Deploy Speed slider controls how quickly post-quantum cryptography standards are adopted, from fast (3 years or fewer to full deployment) to slow (7+ years).

Under most plausible parameter settings, PQC deployment (green curve) completes well before the quantum threat materializes (red curve), keeping the vulnerability window closed. Only under aggressive threat assumptions combined with slow migration does a window open.

Key Takeaways

  • Defense is ahead of offense: PQC standards (NIST FIPS 203/204/205) are finalized and deployment is underway, while no quantum computer can factor numbers larger than 21.
  • The real risk is migration speed: Organizations that delay PQC adoption extend their exposure to "Harvest Now, Decrypt Later" attacks.
  • Uncertainty favors the defender: The quantum threat timeline is highly uncertain; the PQC deployment timeline is largely within our control.
  • Scenario exploration matters: By adjusting the sliders, students can discover that the window remains closed under nearly all realistic assumptions.