
Summary
Quantum advances have not broken heavy-duty encryption yet, but seem well on their way to exposing what we’ve long kept confidential. India must race to upgrade the cryptographic safety of digital public infrastructure before we face cyber threats.
Traditional computers store information in bits. Quantum computers operate very differently. They use qubits, a whole new information architecture that leverages a quantum property called superposition, which allows them to occupy multiple states simultaneously.
Quantum machines are no faster at ordinary tasks—the laptop on your desk will probably outperform them at writing documents or running spreadsheets. What they are good at is a narrow class of mathematical problems, including some of those that underpin much of modern cryptography.
Most digital systems are secured by one of two algorithms—RSA and ECC.
The Rivest, Shamir and Adleman (RSA) algorithm operates on the assumption that it is computationally infeasible to factor the product of two very large primes. This is used to protect email, enterprise systems and the digital certificates that secure public key infrastructure.
Elliptic-curve cryptography (ECC) makes a similar bet on the discrete logarithm problem of elliptic curves. ECC is a lighter, faster alternative used where computational resources are constrained—such as mobile messaging apps, cryptocurrency wallets and authentication protocols.
In 1994, the mathematician Peter Shor developed an algorithm that solves both these problems using a quantum computer. He showed that breaking the cryptographic protections we rely on would take only one thing—a quantum computer.
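Why the factoring assumption carries the whole weight of an RSA signature, shown with a toy key (an added example, not from the original article). The primes, messages and function names are constructed for illustration, and trial division on a 32-bit modulus stands in for what Shor's algorithm would do to a real 2048-bit one.

```python
import hashlib

# Constructed toy key (assumption): two 16-bit primes, so classical trial
# division can stand in for Shor's algorithm. Real keys use 2048-bit moduli.
P, Q, E = 65519, 65521, 65537
N = P * Q                            # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer

def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int, n: int) -> int:
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == digest(message, n)

def factor(n: int) -> tuple[int, int]:
    """Trial division over odd candidates: feasible only because N is tiny."""
    f = 3
    while n % f:
        f += 2
    return f, n // f

def recover_private_exponent(e: int, n: int) -> int:
    """Uses public values only: once n is factored, d follows immediately."""
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo() -> dict:
    consent = b"constructed sample: consent to share statement #1"
    never_signed = b"constructed sample: consent to share statement #2"
    recovered_d = recover_private_exponent(E, N)
    forged = sign(never_signed, recovered_d, N)
    return {
        "genuine_ok": verify(consent, sign(consent, D, N), E, N),
        "key_recovered": recovered_d == D,
        # The verifier cannot tell this signature from one the key holder made.
        "forgery_accepted": verify(never_signed, forged, E, N),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier's check is unchanged throughout; the only thing that fails is the assumption that nobody else can compute `D`.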
That said, despite decades of effort, building one remains a notoriously challenging problem. The hardware needed for such a computer to work reliably without decoherence simply does not exist.
And then, in the last week of March 2026, Google Quantum AI demonstrated Shor’s algorithm running on 256-bit elliptic-curve cryptography with fewer than 1,200 logical qubits—a roughly twentyfold reduction from earlier estimates.
The same week, Caltech researchers showed how a fault-tolerant quantum computer can run Shor’s algorithm using 10,000 physical qubits rather than the millions previously believed necessary.
While neither result means we have built an actual working quantum computer, taken together, they indicate that the runway to doing so has dramatically shortened.
For India, which has built more of its public life on cryptographic trust than almost any other country, the recalibration needed will probably be more urgent than anywhere else. Every Aadhaar authentication and UPI transaction relies on 2048-bit RSA encryption. DigiLocker documents derive their legitimacy from public key infrastructure.
Account Aggregator consents are cryptographically signed, and non-repudiation—the legal assurance that a person cannot later deny what they authorized—rests entirely on those signatures being unforgeable. Quantum computing puts at risk all this foundational digital infrastructure.
There are two primary concerns that arise.
The first concerns digital authentication. Our entire trust infrastructure relies on the assumption that a cryptographic signature guarantees that the person who authorized a given action is who they say they are.
This presumption is about to be shattered.
The actions we perform today without thinking—paying a merchant via UPI, pulling documents from DigiLocker, porting information through the Account Aggregator framework—all rest on the same mathematical floor. That floor is about to give way.
The second and probably more serious concern is confidentiality. For decades, we have trusted these cryptographic algorithms to keep our information secure—encrypting private messages and other sensitive data in the belief that no one will ever be able to read them.
Quantum computers running Shor’s algorithm will make quick work of all such measures, and we will need to urgently evaluate what that means for the security of our information.
In anticipation of this, bad actors have been harvesting encrypted traffic for years, hoovering up as many emails, financial transactions and classified cables as they can so that they can decrypt them once new technology lets them. The recent breakthroughs in quantum computing suggest that time is fast approaching.
The Indian government is seized of the problem. MeitY and CERT-In have issued a white paper titled Transitioning to Quantum Cyber Readiness. According to the roadmap prepared by the Task Force of the Department of Science and Technology, India’s critical information infrastructure must complete post-quantum foundations by 2027 and achieve full migration by 2029.
Migration is not as simple as pushing a software update. It will require generating new key pairs with post-quantum algorithms for every entity in the system, re-issuing certificates and upgrading every verifier and signer—all while systems keep running. We will likely need to run classic and post-quantum cryptography in parallel for long enough to catch problems that emerge at scale.
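One way a verifier can run classical and post-quantum signatures in parallel during migration, as an added example that is not from the original article or any DPI code base. Toy RSA is the classical leg, a Lamport one-time signature stands in for a standardized post-quantum scheme, and the phase names are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Classical leg: toy RSA over a constructed 32-bit modulus (assumption).
N, E = 65519 * 65521, 65537
D = pow(E, -1, 65518 * 65520)

def rsa_sign(msg: bytes) -> int:
    return pow(int.from_bytes(H(msg), "big") % N, D, N)

def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(H(msg), "big") % N

# Post-quantum leg: Lamport one-time signature, a hash-based stand-in
# (assumption) for a standardized scheme. One key pair signs one message.
def bits(msg: bytes) -> list[int]:
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(msg: bytes, sk) -> list[bytes]:
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def lamport_verify(msg: bytes, sig, pk) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def accept(msg, classic_sig, pq_sig, pq_pk, phase: str) -> bool:
    """Verifier policy per migration phase (phase names are hypothetical)."""
    classic_ok = classic_sig is not None and rsa_verify(msg, classic_sig)
    pq_ok = pq_sig is not None and lamport_verify(msg, pq_sig, pq_pk)
    return {"classical": classic_ok, "hybrid": classic_ok and pq_ok,
            "pq_only": pq_ok}[phase]

def demo() -> dict:
    msg = b"constructed sample: pay merchant 100"
    sk, pk = lamport_keygen()
    legacy = (rsa_sign(msg), None)                 # signer not yet upgraded
    dual = (rsa_sign(msg), lamport_sign(msg, sk))  # upgraded signer
    phases = ("classical", "hybrid", "pq_only")
    return {"legacy": [accept(msg, *legacy, pk, p) for p in phases],
            "dual": [accept(msg, *dual, pk, p) for p in phases],
            "tampered": accept(msg + b"0", *dual, pk, "hybrid")}
```

The `legacy` row of `demo()` shows why signers have to be upgraded before verifiers move to the hybrid phase: a classical-only signature that is perfectly valid is rejected as soon as both legs are required.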
Our digital public infrastructure (DPI) is decentralized. This is the correct design, as it grants citizens agency over their own information and explains why it has worked at the scale it has.
But it also means that the upcoming cryptographic migration cannot be accomplished by simply upgrading a central server. It will need to reach every wallet, device and endpoint on which a signature is produced or consent granted.
That kind of migration takes years—even if we start early. And we have only just started.
About the Author
Rahul Matthan
Rahul Matthan is a partner at Trilegal and the author of ‘The Third Way: India’s Revolutionary Approach to Data Governance’. His X handle is @matthan.
