Security Position Statement: Update on Quantum Computing and EMV Chip Cryptography

EMV-SWG-NP36r10a-pub EMVCo SWG Position Paper Update on Quantum Computing and EMV® Chip Cryptography 21st January 2026 for sharing with Associates This is the second of three position papers authored by the EMVCo Security Working Group (SWG) on the threat posed by quantum computing to the cryptography used for EMV chip. The first paper focused on arguing and demonstrating AES-128 is quantum resistant as well as being effectively uneconomic to ever attack by classical brute force. This second paper aims to rationalise some aspects of the quantum computer threat. Quantum computers are not effortlessly all powerful, like Hogwarts magic they do have to respect rules: economic, engineering, and physical, which are discussed in this paper. Furthermore, a Cryptographically Relevant Quantum Computer (CRQC) will not suddenly appear fully formed and functional without intermediate milestones being achieved. This paper refines previous EMVCo candidate milestones to act as triggers (“canaries in the mine”) for replacing EMV RSA/ECC digital signature protocols with quantum resistant protocols. An example of such a trigger would be the first successful full execution of Shor’s algorithm to factor a 5-bit number such as 21 - it would be premature in the context of EMVCo residual risk management for the commercial world to contemplate a sunset date for 2048-bit RSA before this milestone is achieved. Governments and commerce have, by their differing natures, different attitudes to residual risk. It therefore should be no surprise that in the different contexts rational analysis will lead to divergent conclusions. Given the challenges identified in this paper, there is a possibility that a CRQC will not be achieved for decades, or, as the NSA has opined1, may never happen. However the flip side is that there is a possibility that a CRQC will be achieved, which has to be considered. The third EMVCo paper will therefore layout the EMVCo quantum threat mitigation plan should the triggers indicate a quantum threat will materialise. The current paper is divided into five sections. It begins with an Introduction, it then provides an assessment of the timeline and challenges for achieving a CRQC, it then discusses quantum resistant public key algorithms and concludes with some final remarks and references. 1 https://www.theregister.com/2021/09/01/nsa_quantum_computing_faq/ EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 1 of 12 EMV-SWG-NP36r10a-pub 1 Introduction The overall mission of the EMVCo Security Working Group (SWG) is to ensure EMV payment protocols with their associated cryptographic tools are fit for purpose and will remain so in the light of known and anticipated attacks. Shor’s quantum algorithm, if ever implemented at scale, threatens to significantly reduce the cost of successful attacks on RSA/ECC. Today’s EMV contact and contactless cards rely on RSA for digital signatures in offline transactions. C-8, EMVCo’s most recent contactless specification, relies on ECC for ephemeral symmetric session key establishment. Consequently, the SWG, in line with its mission, has been building a structured analysis (vulnerability, threat, risk) assessing the impact of quantum computer technology on EMV chip. The eventual intention is to identify cost effective security mitigations whose implementation timeline is commensurate with the quantum threat being realised. These mitigations will be the subject of a subsequent paper. The current paper focuses on the external inputs to this EMV chip quantum mitigation design process namely: 1. The development timeline to CRQCs capable of breaking RSA20482/ECC256. 2. Motivation for, development of and adoption of standardised quantum resistant public key algorithms. 3. Public policy as regards RSA/ECC lifetimes. The document assumes a basic familiarity with the technology associated with quantum computers. A note on references and links This document concludes with a list of references which are linked to in the body of the text with []. Wherever possible the link in the body of the text is supplemented by a hyperlink direct to the website for accessing the reference material without having to navigate to the References section at the end of this document. The hyperlinks are indicated either as blue text or by a blue ↗ symbol. 2 CRQC timeline In its previous position paper, the EMVCo SWG introduced the idea of ‘canaries in the mine’ that would act as alarms for the quantum computer threat. If a CRQC is ever to be built then selfevidently certain milestones must be achieved as prerequisites en route. EMVCo has chosen certain indicators that would provide at least a 10-year countdown to a CRQC being available. This timescale is the minimum time for EMV terminal infrastructure to implement mitigations. It is believed that EMV cards can be appropriately adapted on a slightly shorter cycle. Challenges facing the development of CRQCs include finding the best qubit technology, reducing physical error rates, designing efficient and fast error correction schemes, achieving reliable communications, extending coherence time, scaling to thousands of physical qubits. Ethan Barmes of QIZ Security has suggested that quantum breakthroughs, which in our language would be canary alarms, are placed in a “stack”: 2 Although the maximum RSA key length supported by EMV chip is 1984 bits, this key length provides comparable security strength to the more popular length of 2048 bits. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 2 of 12 EMV-SWG-NP36r10a-pub Level 3 Magic state production canaries Level 2 Error correction canaries Level 1 Qubits: gate accuracy and speed, T1 T2 performance Level 0 Sufficient funding and appropriate classical resources A CRQC is built from coherent technology that is performant in all three layers 1, 2 and 3. As of today no quantum technology is simultaneously performant at all 3 levels. So-called magic states occupy the top of the stack and are the defining criterion which differentiates between classical computers and quantum computers, in the sense that magic states cannot be efficiently simulated by a classical computer and it is these states that are the source of quantum advantage. Assuming superconducting transmon qubits, the revised list of early warning alarms or ‘canaries’ are: Canary The public quantum computer economy making a profit per annum3 over $1 billion Suitably performant supercomputer operating at the petaflops range performing real time high data rate/high density data capture A fault-tolerant logical qubit lasting for over an hour (see 2.3) A fault-tolerant two logical qubit gate 1,000 entangled physical qubits (every qubit is entangled with another qubit) Two entangled fault-tolerant logical qubits True Shor proof of concept e.g. factorization of small numbers such as 21 (without feeding in the period), see [8]↗ and [12] ↗ and Gidney blog Magic state distillation demonstrated successfully Robust quantum communication using room temperature flying qubits at scale in parallel Level 0 0 2 2 1 2 1, 2, 3 3 1 3 Based upon net profit published on NASDAQ of all companies selling quantum computer services EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 3 of 12 EMV-SWG-NP36r10a-pub The canaries are selected so as to give sufficient time to take preventative action. Any triggered canary would prompt a reassessment of EMVCo’s quantum readiness timeline. For trapped ion and neutral atom qubits the main canary is to dramatically reduce the clock speed. The following sections explain the relevance of some of these canaries. 2.1 Economics It is clear despite billions of dollars of investment more billions will be needed to achieve a CRQC. It is not clear as of mid-2025 that current operational quantum computers have solved any commercially relevant problem that cannot be solved more economically using classical computers. John Preskill, a regular speaker at the annual Q2B conference, opined in his December 2024 talk [19] ↗ that Noisy Intermediate Scale Quantum (NISQ) computers – engineering pre-cursors to CRQCs and representing today’s state of the art – are unlikely to bring commercial benefit since classical computers outperform NISQ computers as regards real-life problems. Furthermore, he uses the phrase “elephant in the room” to describe the absence of any quantum algorithms that are commercially useful even in the context of large-scale fault tolerant quantum computers. Quantum computing investment has originated as risk capital as opposed to recycled earnings. This is because although many of the quantum computer start-ups have been operating for some years now, as a rule they are not making profits, which is emblematic of start-ups. However, for there to be an inflection point these companies will need to demonstrate quantum advantage for commercial computing tasks. Herein lies the problem: despite 30 years of research, no quantum algorithm delivering advantage over classical computing has been unequivocally identified for commercial use – it is still R&D. Undoubtedly quantum computers can solve quantum mechanics problems beyond the reach of classical computers, but no business model for this ability has been instantiated. If these start-ups fail to deliver quantum advantage, and losses continue, there will be an impact on the willingness of investors to provide further risk capital. Without continuing injection of funds R&D will slow and probably fall below the critical mass required to achieve a CRQC. In summary, commercial exploitation of quantum computers is, like its associated hardware (discussed below), at the R&D stage. There is no doubt that quantum computers will solve problems appropriate to physics and chemistry that are beyond classical computers and it is foreseen this ability will inform material science. However, there is no clear quantum algorithm known to the SWG that will in practice consistently outperform classical computers for other problems. For further reading into the state of building quantum computers we recommend the following [2]↗, [19]↗, [20]↗, [22]↗ and [23]↗. 2.1.1 Cost of a 900,000-qubit quantum computer Gidney [18] estimates that 900,000 physical qubits would be needed to factorise RSA-2048 with Shor’s algorithm (see also 2.3.3). Rigetti [17] offered a 9-qubit quantum computer for just under a $1m, implying a cost of about $100,000 per qubit however the per qubit cost of a 1,000-qubit machine will be more to reflect the increased engineering difficulties of manufacture. It is likely that 900,000 qubits will not exist as one monolithic quantum computer but instead would be modular. Currently the largest self-contained such module is the Google Willow configuration [14]. However, we cannot calculate the cost of 9,000 such units since Google has released no capital cost information. Nonetheless extrapolating the Rigetti data naively, 900,000 qubits would cost $90 billion. This is within reach of nation states but probably not commercial entities but this, we would argue, is the minimum cost. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 4 of 12 EMV-SWG-NP36r10a-pub Consequently, through the combination of engineering difficulty, billions of risk spend still required and potential investor fatigue, the advent of CRQCs is by no means a certainty within many decades. 2.2 Qubit technologies Qubits have to possess suitably long-lived stable quantum properties and be controllable. Consequently, qubits have to be nano-scale small, so atomic or sub-atomic. Furthermore, they have to be operated at liquid helium or colder temperatures. Even at these extremes the quantum states of qubits are continuously being disturbed by the rest of the universe. This means that these devices cannot maintain state for very long (currently as befits the Noisy Intermediate Scale era about 60 millionths of a second for transmon qubits). Therefore, there is a need for surface codes and similar techniques based on classical computer conducted error processing to overcome the decohering noise from the rest of the universe. Quantum computing development is very much early stage R&D. The key evidence point for this assertion is that as of yet no consensus has formed as to the “best” qubit technology. There are many qubit technologies being developed in small noisy scale contexts, each with a mixture of desirable and undesirable features – all qubit technologies present compromises in desirable properties, stability versus speed, very cold operating temperature versus just cold operating temperature, etc. There is no clear single dominating technology. Informed by the German government BSI ratings [2], the SWG ranks the qubit technologies for delivering a CRQC as: 1. Transmon qubits - fastest gate times 2. Ion based qubits - stable but slow gate times 3. Neutral atom - silicon based, slow but faster than trapped ions 4. Cat qubits - very early days 5. Photon based qubits - very early days 6. Anyon/topological based qubits - brand new, the most immature qubit technology. Transmon qubits are the most favoured as discussed below but it is unlikely that a consensus on the optimal technology will be found within the next ten years. This fragmented approach dilutes the impact of investment and reduces cross-use learning, inevitably penalising speed of progress. Transmon qubits as under development by IBM [11], Google [14], Rigetti [17] and others, support fast gate speeds (logic step execution time) but suffer from poorer error rates compared to the other qubit technologies representing the most mature of the qubit technologies. It is worth calling out the status of competitors to transmon qubits. For example cat qubits remain mostly theoretical at this point while the “topological” qubit as championed by Microsoft [16] has moved from the theoretical to a single instance. There are no publicly accessible superconducting quantum computers that use cat qubits or topological qubits today. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 5 of 12 EMV-SWG-NP36r10a-pub 2.3 General observations on Quantum computing technology 2.3.1 Recent notable transmon qubit developments in error correction Google announced the results of its experiments in implementing surface code error correction to stabilise transmon qubit performance [15]↗. The idea is to bind/coordinate multiple physical qubits to act as what is known as a “logical qubit”. This is no more than the instantiation of redundancy in a quantum computing context to reduce errors, but should also enable quantum processing. The key result is that Google managed to stabilise the collective behaviour of tens of physical qubits in such a way that the collection maintained a coherent state for a duration of 1 second that could be interpreted as a single stable logical qubit - but no processing was performed. This achievement demonstrates surface codes, a necessary technology for fault tolerance, do indeed stabilise inherently prone-to-noise physical qubits. Although a big step towards proof of concept for durable error correction, this does not signal that a 10-year timeframe to a CRQC alarm has been triggered. Every microsecond the associated supercomputer polls so-called ancilla qubits and stores the resulting measurement. At the end of the calculation these measurements are used in postprocessing to perform error correction to determine the final result. Error correction strategies can use different mathematical models. So-called surface codes have to date been the most researched but other more recent techniques such as colour codes promise greater resource efficiency. Google’s very impressive analysis on errors has shown possible evidence of cosmic ray induced disruption to transmon qubit-based calculations. Anecdotally, humans are hit by a muon arising from cosmic rays every few seconds or so – muon strikes are common. Cosmic ray derived muons vary in the amount of energy they carry, and Google noted their 105-qubit setup would on average be destabilised once an hour. They offer no definitive explanation for this phenomenon. These events are plausibly consistent with periodic high energy cosmic ray strikes. Quantum error code technology does not correct for correlated errors such as cosmic ray induced errors. The only way to effectively shield against high energy cosmic rays is by going deep underground. The muon target cross section of a 900,000-qubit quantum computer must increase the chances that in any lengthy computation without mitigation, high energy cosmic ray strikes may destroy calculation coherence, thus nullifying the exercise. 2.3.2 Qubit Numbers Between 2019 and 2024 Google managed to grow 53 qubits to 72 qubits to 105 qubits presumably within the same dilution fridge, they now face a technological dislocation in order to grow qubit numbers. As regards qubit numbers in quantum computers where performance is public, there are three reasonable data points and they illuminate transmon based qubit number growth; the two historic Google data points already mentioned and one projected data point form a five-year doubling trend: • 2019: 53 qubits (Google). • 2024: 105 qubits (Google). • 2029: 200 qubits (see the IBM forecast [11]). EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 6 of 12 EMV-SWG-NP36r10a-pub There has been no progress at all on the EMVCo SWG alarms which essentially track the number of physical qubits directly or indirectly. There has been selectivity in choosing these numbers: there have been public claims of 1000+qubit machines, but no evidence has been made available regarding their performance and these have therefore been disregarded in our analysis. Crudely, and ignoring quality of qubit improvement by simply focusing on numbers, then an exponential growth model applied to the above three bullets indicates that physical qubit numbers are doubling every 5 years. On this basis it will be 12 doublings from a base of 200 qubits, or 60 years from 2029 to achieve Gidney’s 2025 estimate of 900,000 physical qubits currently understood to be required to break RSA 2048 (219.78 /27.64 = 212 ) The number of successive successful logic gates (circuit depth) also appears to be tracking this doubling every 5 years’ trend – in 2019 Google achieved 30 millionths of a second worth of logic gates in its quantum supremacy project and in 2024 it could achieve 60 millionths of a second. 2.3.3 Quantum computers and Shor’s algorithm It is clear today’s quantum computers have very limited circuit width (number of qubits) and circuit depth (maximum number of sequential error free logic steps). The consequence of this is that no true full Proof of Concept demonstration of Shor’s algorithm has been attempted, never mind achieved. Careful reading of all the academic papers regarding toy Shor based quantum factorisations show “shortcuts” have been required in order to achieve any results given the limited performance of today’s quantum computers. It seems premature for the commercial world to consider a sunset date for 2048-bit RSA when no quantum computer has demonstrated Shor’s algorithm fully by attacking the 5-bit number 214 see ([8] ↗ and [12] ↗). The most authoritative quantum resource estimate for a CRQC capable of breaking RSA-2048 is that of Gidney 2025 How to factor 2048 bit RSA integers with less than a million noisy qubits [18]. In brief he estimates 900,000 noisy physical qubits will be required and the calculation must be kept error free for about 100 hours (compared to the previous requirement of 20 million physical qubits error free but for only 8 hours). It is worth contrasting this paper with a 1993 paper by M Wiener Efficient DES Key Search [21]. This paper presented a VLSI transistor circuit that would cost $1m dollars and would find a DES key in 3.5 hours. This paper triggered the migration from single length DES. A derivative of his design was realised by the Electronic Frontier Foundation in their Deep Crack engine which found DES keys in 4.5 days and cost $250,000, underlining the imperative to migrate from DES. Cost and feasibility of quantum computers are important inputs into the decision regarding speed or indeed necessity of commercial world migrating to post quantum digital signature algorithms: 1. It may be that building such a machine is feasible, but its cost is in the trillions of dollars. Or alternatively, 2. Maybe it is impossible to knit together 900,000 physical qubits to operate in a reliable coordinated fashion. 4 Why haven't quantum computers factored 21 yet? EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 7 of 12 EMV-SWG-NP36r10a-pub 2.4 Engineering 2.4.1 Some engineering considerations for CRQCs In the instance of the Google Willow quantum computer of 105 qubits [14] ↗, the operating temperature is 20mK - Absolute Zero to a first approximation. The required refrigeration technology necessitates a large capital expenditure and large electricity running costs as well as imposing engineering constraints. It seems that no single dilution fridge will be big enough to house 900,000 physical qubits, the current threshold to break RSA-2048, along with associated control wires. Qubit control is mediated by electromagnetic waves of frequencies which require physical waveguides; integrating with these qubit structures must cause some engineering difficulties and complications. On the face of it, dilution fridges which achieve these temperatures could house thousands of transmon qubits (Parker and Vermeer [7]), but once the associated high quality low cross-talk control and readout circuits are added to each qubit, capacity decreases markedly. For instance the current Google 20mK environment seems to be ‘maxed out’ at around 105 qubits5. The constraint arises from the existing “umbilical cord” linking the qubits at 20mK to the outside world (at 300K) being unable to service more qubits. It is volume considerations of dilution fridges that restrict the size of the umbilical cord. No-one has a definitive engineering answer today as regards ‘stitching’ together remote quantum computer modules, which seems unavoidable to achieve a CRQC with an effective critical mass of 900,000 transmon qubits: for instance flying qubits have been demonstrated to enable “teleportation” but not at better than kHz speeds or in sustained massively parallel operation. This will be a crucial technology on the road to a CRQC and must be considered to be in its infancy. 2.4.2 The Quantum Layout Problem, In-flight and Post-processing Error Correction. The phrase quantum computer has to be interpreted as a collective; it is a classical supercomputer attached to qubits (“analogue” devices) which are passive and are driven by microwave/laser pulse sequences, the timing and targets of these pulses are choreographed by the supercomputer. The classical computer manipulates something called the quantum state vector which is the source of quantum calculation ‘magic’. Additionally, the supercomputer performs real-time and post processing error correction. These features have led many commentators to observe quantum computer performance will be constrained by the supercomputer capabilities that drive the qubits. A quantum algorithm is then ‘simply’ a sequence of microwave/laser pulses - each pulse characterised by duration, frequency and identified qubit target – a choreography if you will. Prior to any execution a supercomputer has to calculate, at some cost, this choreography - more formally known as the Quantum Layout. There is an extra complication in that in some qubit technologies each qubit has its own individual activity thresholds and hence before the qubits can be commissioned each qubit has to be characterised. Such non-uniform qubits require individually tailored pulses during algorithm execution. This increases complexity because when ‘laying-out’ an algorithm the supercomputer will need to allocate logic steps to individual qubits and then calculate the tailored pulses required for each particular qubit. The use of ‘flying qubits’ then further constrains and hence complicates the layout calculation. 5 “The reason google only has 105 of them on the Willow chip is not that they can't fit more - it's that they have to have wires and control capacity to tune and run them.” EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 8 of 12 EMV-SWG-NP36r10a-pub The supercomputer performs a high frequency measure and record loop which is necessary for the post-processing error correction activity. These classical computational tasks are not insubstantial: quantum layout (an NP-hard problem) will consume many super-computer hours and hence be expensive in electricity consumption during calculation setup; run-time error correction processes will necessitate huge amounts of data to be captured by the supercomputer per second in-flight and some of it will need to be processed in real time; the rest of the data will be post processed. Run-time electricity consumption is also substantial. It is an open question how big and performant a classical supercomputer will have to be in order to drive a 900,000-qubit quantum computer capable of breaking RSA-2048. 2.5 Summary of CRQC Timeline Hurdles The CRQC timeline hurdles discussed in this section are critical in determining the cost and feasibility of CRQC technology. In summary: 1. Classical communications/processing bandwidth, on the order of petaflops will be required 2. Solving the layout problem efficiently 3. Error correction performance/ need or not for radiation hardening 4. Energy management: energy in vs energy out (cooling) 5. Control wiring interconnect complexity and density 6. Bandwidth, fidelity and reliability of remote ‘flying qubit’ technology 7. Availability of sufficient exotic resources e.g. Helium 3 for transmon CRQC designs 8. Overall fabrication complexity 3 Government and Commerce In Transition to Post-quantum Cryptography Standards [1] NIST is proposing that US government agencies stop using RSA and ECC by 2035. Similar timelines are proposed by the EU [9] and UK [10]. This is made possible by the publication of new quantum resistant algorithms that provide key establishment and digital signature security services. Clearly this decision has been taken on the basis of a risk analysis of US government information assets. From public statements the prime immediate motivation is to reduce, as soon as possible, US government exposure to the threat of Harvest Now Decrypt Later (HNDL) to communications where the secrecy of the underlying symmetric encryption key depends on RSA or ECC. Regardless of any assessment of the time to arrival of a CRQC, the sooner key management secrecy is based on a quantum resistant Key Encapsulation Mechanism (KEM) the sooner data dependent on TLS type protocols will be protected from quantum decryption attack in the future. The cost of this migration is the same whether conducted now or in 20 years. The best ‘return on investment’ is achieved by doing the ML-KEM migration (the quantum resistant symmetric key establishment) soonest and it could be argued this is the thinking of the US government. On the other hand, if a CRQC is never realised the US government infrastructure will have implemented best in class protocols that are generally more resilient than existing RSA/ECC protocols - which although not best in class remain entirely fit for purpose in a classical attack paradigm. For commercial organisations who are not the target of government surveillance but have data assets attractive to criminals, HNDL is not the criminal weapon of choice. The SWG is not aware of any evidence that criminals have collected historic commercial data protected by DES/RSA-512/RSA- EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 9 of 12 EMV-SWG-NP36r10a-pub 768/RSA-1024 and broken this historically collected data to obtain criminal advantage. It is clear today that zero-day vulnerabilities or simply ‘out and out’ bribery provides better criminal returns than HNDL. In particular one ‘zero-day vulnerability’ enables many entities to be simultaneously compromised, making cost per compromised entity low and the data begins flowing immediately without any expensive decryption step. On the other hand, HNDL has a latency of many years, incurs costs of intercepted data curation and storage which are not negligible and are upfront, compounded by very poor “signal to noise” ratio. There is a cost of decryption and ‘a priori’ the criminal has no knowledge of whether the decryption will be useful or not. In short, the capital costs and running costs of a CRQC are both insufficiently profitable to criminal enterprises as well as beyond them in pure cost. Quantum computers are hand built bespoke complicated physics experiments; there will be no Moore’s Law effect - the cost of building a large hadron collider does not halve every 2 years. It is a reasonable hypothesis that building a CRQC, if it is ever feasible, will cost on the order of a trillion dollars [23] ↗ regardless of whether it becomes feasible in 10 years, 20 years or 30 years’ time. Consequently, quantum based HNDL attacks will be the preserve of the very wealthiest nation states only, and furthermore on the basis of today’s knowledge, leaders of these states must be prepared to devote a significant proportion of GDP to enable such attacks. That said, HNDL risk in a commercial context is not worth assessing since remediation is ‘relatively easy’ by hardening TLS key agreement to be quantum resistant - crypto agility in action: browsers such as Firefox, Google Chrome support a version of TLS 1.3 that includes a quantum resistant key establishment process and when coupled with Cloudflare or Google servers provide HNDL protection as of today. OpenSSL 3.5 offers a quantum resistant key exchange mechanism. Adoption of these could be no more onerous than normal BAU patch initiatives6. In short, there is a rising tide lifting the security of many users without any need for explicit action on their parts as regards the open internet and the HNDL threat real or just perceived. In contrast to such quantum resistant key agreement and encryption, TLS crypto agility does not extend sufficiently to enable quantum resistant digital signature to be introduced without major, expensive and disruptive dislocation. 4 Final Remarks 4.1 Investment challenges It is probable that investment levels will reduce over time if return on investment (ROI) is not realised. Despite the R&D billions spent so far, many more R&D billions will be required to achieve CRQC level technology. If we compare this with previous disruptive technologies, e.g. transistors which produced ROI almost immediately, the investment gap to create a CRQC coupled with investor disillusion could well lead to a quantum winter. Shor’s algorithm justifies the claim quantum computers are exponentially better than classical computers, but Shor’s algorithm offers no commercial opportunities. So far, other quantum algorithms that might be commercially applicable are not demonstrably better than classical technologies and, on the evidence seen by the SWG, appear to be inferior. It must be noted that Shor’s algorithm has not yet been demonstrated fully even for the 5-bit number 21, therefore the RSA/ECC cryptography used by EMV chip appears good until at least 2040. 6 The OpenSSL 3.5 KEM protocol has a “client hello” larger than 1 kilobyte which slightly complicates patching. EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 10 of 12 EMV-SWG-NP36r10a-pub 4.2 Technology challenges As regards quantum computing technology, the current status of Noisy Intermediate Small Quantum computers (NISQs - such as Google Willow, the projected 200 qubit IBM machine etc.) coupled with the identified rate of progress as regards NISQ technology indicates large scale fault tolerant CRQCs are at least two decades away. It also has to be recognised there is a possibility that a CRQC will not happen for many decades. The current technology status has to be labelled early-stage R&D as regards CRQCs. A broad analysis of the general risks and a survey of expert opinions can be found in the reports of the Global Risk Institute (e.g. [3] ↗, [4] ↗, [5] ↗ and [6] ↗). 4.3 Relevance to EMV Thanks to NIST’s initiative started back in 2016, quantum resistant public key standards and protocols are now available and being deployed. Open internet suppliers are already offering Harvest Now Decrypt Later protection in their TLS 1.3 implementations (which as penetration increases will bolster EMV 3DS). OpenSSL 3.5 now supports a hybrid ECC and ML-KEM key establishment protocol. It is simpler to integrate these new protocols into a BAU patch process than argue HNDL is not a problem for many commercial contexts. As previously noted, EMV 3DS and SRC will benefit in due course from these developments. The CRQC timeline analysis above shows there is no immediate threat to RSA/ECC digital signatures as used by the EMV chip specifications. As of today’s evidence, it appears we are decades away from these signatures being broken. Furthermore although Harvest Now Decrypt Later has driven a requirement in some industries and governments to deploy quantum resistant cryptography already, this does not apply to EMV chip transactions, as chip authentication does not require long-term data confidentiality. EMV chip at its core relies on symmetric cryptography for online authorisations and for transaction evidence – the quantum threat does not affect the core. On the other hand, EMV chip relies on RSA/ECC based digital signatures for offline only transactions, which make up less than one percent of transactions in most countries around the world. For the small proportion of EMV chip transactions performed offline, EMVCo is planning mitigations that could be applied to meet the quantum threat in good time should they ever be needed - these will be the subject of a third paper on the quantum threat. References [1] National Institute of Standards and Technology. NIST IR 8547, November 2024. Transition to Post-quantum Cryptography Standards [2] BSI - Federal Office for Information Security, August 2025. BSI - Status of quantum computer development - Studie: Entwicklungsstand Quantencomputer Version 2.2 [3] V. Gheorghiu, M. Mosca. Global Risk Institute, February 2018. GRI Quantum Risk Assessment Report – Part 3: A Resource Estimation Framework for Quantum Attacks Against Cryptographic Functions - Improvements - Global Risk Institute [4] M. Mosca, M. Piani. Global Risk Institute, December 2024. Quantum Threat Timeline Report 2024 - Global Risk Institute [5] Global Risk Institute, November 2025. Quantum Briefing Note: Update on Recent Developments in Quantum Research and Commercialization - Global Risk Institute [6] Global Risk Institute, August 2025 Quantum Briefing Note: Update on Recent Announcements Related to Breaking RSA-2048 - Global Risk Institute EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 11 of 12 EMV-SWG-NP36r10a-pub [7] E. Parker, M. Vermeer. Homeland Security Operational Analysis Center. Estimating the Energy Requirements to Operate a Cryptanalytically Relevant Quantum Computer (rand.org) [8] J. Smolin, G. Smith, A. Vargo. Pretending to factor large numbers on a quantum computer [9] European Commission, June 2025. A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography | Shaping Europe’s digital future [10] UK National Cyber Security Centre, August 2024. Next steps in preparing for post-quantum cryptography - NCSC.GOV.UK [11] IBM Technology Roadmaps. Quantum Roadmap [12] IBM Quantum Computing Blog. "15" was factored on quantum hardware twenty years ago [13] ETSI, Jan 2025. TR 103 967 - V1.1.1 - Cyber Security (CYBER); Quantum-Safe Cryptography (QSC); Impact of Quantum Computing on Symmetric Cryptography [14] Google Quantum AI [15] Google paper in Nature, Dec 2024: Quantum error correction below the surface code threshold | Nature [16] Microsoft Quantum | Homepage [17] Quantum Computing | Rigetti Computing [18] C. Gidney, Google Quantum AI, June 2025. How to factor 2048 bit RSA integers with less than a million noisy qubits [19] J. Preskill, Q2B Conference 2024, Caltech. December 2024. Beyond NISQ: The Megaquop Machine [20] J. Preskill, Q2B Conference 2025, Caltech. December 2025. Quantum computing in the second quantum century | Quantum Frontiers [21] M. Wiener, Carlton University, 1994. TR-244: Efficient DES Key Search - School of Computer Science [22] Sam Jaques, University of Waterloo. Quantum Landscape 2023 (Update 2025) [23] Sam Jaques, University of Waterloo. Paper for EMVCo, 2025: The Cost of Factoring a 2048-bit Integer Some further reading blogs: [24] Scott Aaronson, Shtetl-Optimized: Search results for quantum [25] The quantum computer hype. I just realized the quantum computer… | by Jurjen Bos | Medium [26] Douglas Natleson blog nanoscale views: Search results for more qubits end of document EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo. Copyright © 2026 EMVCo, LLC. All rights reserved. Page 12 of 12