Why the same technology protecting your private chats is also the invisible backbone of trust in banking, and what happens if it cracks
How “Q Day” could shift from a distant sci-fi threat to a real financial security challenge through concepts like “harvest now, decrypt later”
The quiet preparations already underway, from post-quantum standards to banks' phased crypto overhaul, to future-proof India’s financial infrastructure
Imagine being told that your private messages may no longer be private - that someone else could be reading conversations you assumed were secure. The feeling is unsettling, even anxiety-inducing. In today's digital world, where most communication happens over app-based chats that claim to be end-to-end encrypted, this anxiety is not far-fetched. The tech companies behind these platforms are routinely questioned on whether their encryption promises truly hold up.
Now place that same discomfort in the world of finance. Here too, people and businesses trust systems to keep sensitive information safe - information about money, strategy, and future plans.
3 February 2026
Get the latest issue of Outlook Business
In the financial world, cryptography is what allows banks to authenticate users, validate transactions, and verify that systems are who they claim to be. If that breaks, attackers don't just read data - they can forge identities and manipulate entire systems.
Breaking Encryption
Cryptography is, at its core, the science of keeping secrets. It protects information by using mathematical techniques to secure communication, ensure privacy, and verify authenticity in the digital world. Every time a user logs into a banking app, makes an online payment, or even sends an email, cryptographic protocols are working silently in the background - scrambling data into an unreadable format so that even if it is intercepted in transit, it remains meaningless to anyone other than the intended recipient.
An encryption algorithm achieves this through a defined set of steps that transform readable data, known as plaintext, into an encoded form called ciphertext. This ciphertext can only be decoded back into its original form by someone who possesses the correct decryption key. Techniques like RSA, one of the most widely deployed encryption standards in the world, are a subset of this broader cryptographic framework. What makes RSA, and encryption systems like it, so secure is the sheer size of the keys they use.
A standard RSA key is 2,048 bits long, which means the number of possible key combinations is astronomically large - far greater than the number of atoms in the observable universe. Trying to break this encryption by guessing every possible key combination, like trying every possible combination on a padlock, is theoretically possible, but the number of possibilities is so vast that no existing processor, or even network of processors, can work through them in any practical timeframe.
With today's computing power, brute-forcing an RSA key would take multiple lifetimes, said Anirudh Batra, Threat Intelligence Researcher, CloudSEK. "But in a quantum world, algorithms like Shor's algorithm provide a way to break RSA much more efficiently."
This is because Shor's algorithm does not attempt to brute-force the key. It takes a fundamentally different approach. RSA works by multiplying two very large prime numbers together to produce an even larger number, which is made public as part of the encryption key. The security of the system rests on a simple assumption: that nobody can work backwards from that large number to figure out which two primes were used to create it.
Shor's algorithm is specifically designed to do exactly that, and a sufficiently powerful quantum computer could run it fast enough to derive those two primes, reconstruct the private key, and break the encryption. "While the method exists in theory, breaking it would require an enormous amount of processing capacity, far beyond what current CPUs and GPUs can realistically achieve," Batra adds.
However, the situation could change drastically with the arrival of the next revolution in computing: quantum computing. Quantum computing refers to a fundamentally different approach to computation that leverages the principles of quantum mechanics, such as superposition and entanglement, to process information in ways that classical computers cannot, enabling certain complex calculations to be performed exponentially faster.
That means the current safeguard against decryption, the sheer time required for brute-force cracking, will no longer hold true in a quantum computing world. All our secrets could be laid bare, including passwords, personal chats, financial data, and national security information.
Is Our Financial Infrastructure Ready?
If encryption comes under threat in the world of financial transactions, it would be nothing short of a doomsday scenario for cybersecurity. This whole phenomenon, dubbed "Q Day"- sounding like something out of a Hollywood movie - is a future cybersecurity threat that directly imperils the encryption systems used across the world.
Q Day, or Quantum Day, is a term used in technology and cybersecurity circles to describe the future moment when quantum computers become powerful enough to break today's widely used encryption systems. Cybersecurity experts caution that this would not be a single-day event but rather a phase that would unfold once any entity anywhere in the world successfully develops this capability.
Right now, RSA is the most commonly used encryption algorithm across segments including financial services and banking. It stands for Rivest–Shamir–Adleman, named after the three MIT researchers who introduced RSA public-key encryption in 1977. But cyber experts say that in a post-quantum world, cracking RSA encryption would be trivially easy.
"In a scenario where quantum computers can sustain qubits long enough and at a scale sufficient to break RSA encryption, any actor with access to such machines could potentially compromise today's secure communications," explains Batra.
He also points to a concerning concept widely known as "harvest now, decrypt later." The idea is this: if a nation-state, for instance, is collecting encrypted data today, it may not be able to read it because current encryption holds. But once quantum capabilities mature, that same stored data could become vulnerable, since much of it passes through central servers and relies on cryptographic protections like RSA.
Huzefa Motiwala, Senior Director, Technical Solutions, India and SAARC, Palo Alto Networks, argues that since cryptography is deeply embedded across financial infrastructure, transitioning away from vulnerable systems will take years. Waiting until the risk is visible may already be too late.
"Encryption underpins routine activities like digital banking, payments, identity verification, and access to government services. If that foundation weakens, the risk isn't just data theft, it's the possibility of forged transactions, compromised identities, and systems that can no longer prove what or who is legitimate," Motiwala adds.
A recent report by citi bank 19-34% hints at a probability of widespread breaking of quantum computer-led public-key encryption by 2034, increasing to 60-82% by 2044.
Getting Ready for Q Day
For all the futuristic connotations of Q Day, the real question for financial institutions is far more immediate: are banks already taking steps to ensure that quantum disruption does not arrive as a sudden shock?
Unlike consumer messaging platforms, where encryption is largely about privacy, banking encryption underpins something more fundamental - trust.
This is why cybersecurity leaders argue that the transition to quantum-safe systems cannot wait until quantum computers actually reach the threshold of breaking RSA. The shift, they say, must begin much earlier, because upgrading cryptography across large banking infrastructure is a slow, multi-year process.
Many institutions are already working in this space, including SEBI, RBI, and the Data Security Council of India (DSCI) under NASSCOM. At a national level, the Government of India has launched the National Quantum Mission, which aims to build an ecosystem for quantum technologies and strengthen research and innovation in the field.
Cyber experts say such regulatory alignment will be crucial, because quantum-safe transitions cannot be tackled in isolation. Banks, payment networks, regulators, and technology providers will all need coordinated migration pathways - especially in a country where digital financial infrastructure operates at massive scale.
So how can systems prepare? Experts suggest that the only real defence lies not in cosmetic fixes like changing passwords after the fact, but in rebuilding cryptography from the ground up.
"There is no other way… you have to literally start looking at it from the ground up," Batra says. "The way that you store data, the way that you have password hashing and all of that - everything becomes obsolete."
Several key strategies are being adopted worldwide to address the future threat.
The first is the shift toward post-quantum encryption algorithms, such as lattice-based cryptography, which Batra points to as one of the evolving approaches designed to remain secure even in a quantum world. Lattice-based cryptography, in its simplest terms, relies on solving extremely complex puzzles within a multi-dimensional grid called a "lattice," rather than on problems like factoring large numbers (as RSA does) - something believed to be very hard for both classical and quantum machines to crack.
In August 2024, the US National Institute of Standards and Technology (NIST) finalised its first set of post-quantum cryptographic standards, giving institutions formally approved algorithms they can begin adopting.
The second approach is strengthening symmetric encryption. Batra notes that symmetric systems are still relatively resilient, and one practical way to make them even harder to crack is by increasing key sizes. "All we need to do is double the key length, and it still becomes a little secure," he explains.
Third is the adoption of hybrid cryptography - running classical and post-quantum encryption algorithms simultaneously during the transition period. If one layer is compromised, the other still provides protection. Rather than requiring a hard overnight switch from old systems to new, hybrid approaches allow institutions to layer quantum-safe algorithms on top of existing ones, providing a practical bridge while the broader migration plays out. NIST has recommended this approach as a transitional strategy.
Fourth, and further out on the horizon, is Quantum Key Distribution, or QKD. Unlike the other approaches, which use mathematical complexity to secure data, QKD uses the principles of quantum physics itself. In a QKD system, encryption keys are transmitted using quantum particles, and any attempt to intercept the key disturbs its quantum state - making eavesdropping detectable by design. India's National Quantum Mission, which is already focused on building the country's quantum ecosystem, includes QKD as one of its key areas of development.
Finally, and perhaps most importantly, experts stress the need to start the transition early, because replacing global standards like TLS cannot happen overnight. "Making that shift from TLS to a different algorithm is going to take a huge amount of time… that has to be decided in advance," Batra says. "If someone is able to harvest that information today, it might become a problem tomorrow. So you have to start encrypting information… today," he warns.
Motiwala of Palo Alto Networks argues that what organisations will need going forward is a far more deliberate approach to cryptographic security than ever before."Securing systems in a post-quantum era will be about knowing where cryptography actually lives across complex environments, understanding which data truly needs long-term protection, and designing systems so encryption can be upgraded without breaking core operations," Motiwala says.
This concept, often referred to as crypto-agility, is emerging as one of the most important strategic priorities in post-quantum security planning. "That kind of crypto-agility, combined with phased migration and continuous assessment, is what allows institutions to reduce risk steadily over time, rather than reacting in crisis mode," Motiwala adds.
For consumers, this work will remain largely invisible. Customers will not see banks updating encryption protocols or mapping cryptographic inventories. But experts argue that this behind-the-scenes preparation is precisely what will determine whether digital financial services remain trustworthy in a world where quantum breakthroughs may eventually reshape the fundamentals of cybersecurity.
Q Day may still sound like a distant concept, but for banks, the preparation is already a race against time - not because quantum computers are breaking RSA tomorrow, but because the financial sector cannot afford to be late in upgrading the cryptographic foundation it relies on.
HDFC Bank's Quantum Strategy
HDFC Bank, India's largest lender by market capitalisation, acknowledges Q Day as a credible long-term challenge and says it is already putting structured measures in place.
Sameer Ratolikar, Group Head and Chief Information Security Officer at HDFC Bank, told outlook business that the bank has developed what it calls a "Post-Quantum Cryptography (PQC) Three-Pillar Framework," which will be rolled out in phases.
To begin with, Ratolikar explains, the bank has carried out what is known as a Crypto BOM, or Bill of Materials - essentially an inventory exercise to identify the cryptographic systems currently in use and determine which of them may be vulnerable to future post-quantum attacks.
"The bank has carried out the Crypto BOM to discover the ciphers which are susceptible to PQC attacks and upgrade them to the latest PQC-supported ciphers," Ratolikar says.
One example of the newer standards being explored is ML-KEM, or Module-Lattice-Based Key-Encapsulation Mechanism, a post-quantum cryptographic approach considered more resilient against quantum-enabled threats.
Ratolikar emphasises that preparing for a quantum-day scenario is not a single switch that can be flipped overnight. Instead, it requires a structured, phased approach, because cryptography is deeply embedded across every layer of banking operations - from data centres to ATMs to customer-facing applications.
"It requires a three-phase approach," he says.
The first phase focuses on in-line devices in data centres - the core infrastructure where encryption is deployed at the network level. These systems must be upgraded first, ensuring that the foundational environment is aligned with stronger, quantum-safe ciphers.
The second phase expands outward, assessing what Ratolikar calls "north-south connectivity" - the links between branches, ATMs, and data centres. This layer is critical, he says, because it represents the real-world operational backbone of banking connectivity.
Only in the final phase does the focus shift to applications and APIs, where encryption supports everything from mobile banking to digital payments.
"The last phase is important and requires significant time and attention to offer a seamless customer experience," Ratolikar notes, underscoring that security upgrades cannot come at the cost of disrupting consumer services.
