Quantum computers try every key at once.
Quantum algorithms manipulate amplitudes and interference. Measurement does not reveal every computed branch.
A practical guide to Q-Day, RSA-2048, Shor’s algorithm, resource estimates and the post-quantum migration already underway.
Quantum computers cannot currently break widely deployed encryption such as RSA-2048 or modern elliptic-curve cryptography. A successful attack would require a cryptographically relevant, fault-tolerant quantum computer able to run an enormous error-corrected circuit. Published resource estimates vary sharply with hardware and error-correction assumptions, so they are engineering scenarios—not arrival forecasts. There is no defensible date for Q-Day. Organisations should still migrate now: NIST has finalised its first post-quantum standards, and data collected today may remain sensitive when a capable quantum computer eventually exists.
Breaking encryption means recovering protected information or forging an authentication result without the secret key, within a useful amount of time and at an acceptable cost. The quantum risk is not uniform: different cryptographic systems rely on different mathematical problems.
RSA security relies on the difficulty of factoring a large composite integer. Elliptic-curve systems rely on discrete logarithms. A sufficiently capable fault-tolerant quantum computer running Shor’s algorithm could solve both problem classes efficiently. Symmetric ciphers and hash functions face a different, smaller class of speed-up from Grover’s algorithm.
No public experiment has factored an RSA key of practical cryptographic size. Small demonstrations establish that algorithmic components can work; they do not demonstrate a scalable attack. The decisive gap is sustained, fault-tolerant logical computation.
| Evidence level | What it establishes | What it does not establish |
|---|---|---|
| Theory | A quantum algorithm offers an asymptotic speed-up | That useful hardware exists |
| Small experiment | A component works at limited scale | A cryptographically relevant attack |
| Error-correction milestone | Logical performance improves under stated conditions | A complete, long-running fault-tolerant system |
| Resource estimate | A scenario is plausible under explicit assumptions | A delivery date |
| Cryptographic attack | A deployed key is recovered or signature forged | Not publicly demonstrated for modern key sizes |
Shor’s algorithm converts factoring into a period-finding problem. The quantum computer performs the period-finding subroutine, while classical computation handles preparation and post-processing.
Select a number related to the RSA modulus and construct a modular arithmetic problem.
Represent many possible inputs coherently across a quantum register.
Run a large reversible arithmetic circuit whose periodic structure encodes information about the factors.
Use quantum interference and a Fourier-transform procedure to make useful period information measurable.
Use the measured period and classical number theory to derive the prime factors, repeating if necessary.
There is no single stable qubit number. A 2021 peer-reviewed estimate described an eight-hour RSA-2048 factorisation scenario using roughly 20 million noisy qubits under a specific superconducting, surface-code model. A 2025 preprint reduced the scenario to fewer than one million noisy qubits with a runtime under a week by changing circuit and error-correction assumptions.
These results demonstrate the sensitivity of resource accounting to architecture and compilation. They should not be read as forecasts that a machine will arrive on a corresponding schedule.
| Requirement | Current public systems | Cryptographic attack scenario |
|---|---|---|
| Physical qubits | Hundreds to low thousands in many gate-model systems | Published estimates range from below one million to tens of millions |
| Logical computation | Early demonstrations with limited scale and duration | Thousands of reliable logical qubits plus large ancillary factories |
| Error correction | Experimental and rapidly improving | Sustained operation throughout a very deep circuit |
| Runtime | Short circuits constrained by noise | Hours or days in particular estimates |
| System scope | Processor milestones | Processor, decoder, control stack, cryogenics and classical support working together |
Public-key encryption, key exchange, digital signatures, symmetric encryption and hashing need separate treatment. Saying that quantum computing “breaks encryption” obscures these important differences.
| System | Quantum effect | Practical response |
|---|---|---|
| RSA | Shor’s algorithm can factor the public modulus | Replace with post-quantum key establishment/signatures |
| ECC / ECDH / ECDSA | Shor’s algorithm can solve the elliptic-curve discrete logarithm problem | Replace with post-quantum alternatives |
| AES-128 | Grover’s algorithm gives a quadratic brute-force speed-up in the ideal model | Use appropriate key sizes and system-level guidance |
| AES-256 | Retains a large security margin against generic Grover search | Generally regarded as a quantum-resistant symmetric choice |
| Hash functions | Generic preimage search can receive a quadratic speed-up | Use adequate output lengths and current standards |
Quantum algorithms manipulate amplitudes and interference. Measurement does not reveal every computed branch.
Qubit quality, connectivity, error correction, logical operations and total system throughput all matter.
They increase resource requirements but remain in the problem class targeted by Shor’s algorithm.
Cryptographic inventories, protocol changes, vendor dependencies and long-lived data require years of preparation.
This timeline distinguishes confirmed developments from future claims. No entry supplies a reliable Q-Day date.
Established an efficient quantum route to factoring and discrete logarithms.
A peer-reviewed surface-code study estimated 20 million noisy qubits for an eight-hour scenario.
FIPS 203, 204 and 205 standardised ML-KEM, ML-DSA and SLH-DSA.
NIST chose HQC as a backup KEM candidate; a new preprint reported a sub-million-qubit RSA-2048 scenario.
Industry roadmaps remain targets. Public evidence does not show a cryptographically relevant quantum computer.
U.S. transition guidance targets removal of quantum-vulnerable algorithms from standards on this timescale, with high-risk systems moving earlier.
The rational response is crypto-agility, not panic. Organisations can reduce present exposure without pretending to know the Q-Day date.
Map algorithms, keys, certificates, protocols, libraries, embedded systems and vendor dependencies.
Prioritise information that must remain confidential for many years.
Make algorithms and key formats replaceable without rebuilding entire systems.
Evaluate ML-KEM, ML-DSA and SLH-DSA in realistic protocols, devices and performance conditions.
Require migration plans and evidence from vendors; keep implementations aligned with current guidance.
Q-Day is an informal term for the point when a quantum computer can break cryptography that protects real systems, especially RSA and elliptic-curve public-key schemes. It has no agreed date or single technical threshold.
A sufficiently capable fault-tolerant quantum computer could threaten the elliptic-curve signatures used to authorise Bitcoin transactions. That does not mean current quantum processors can steal Bitcoin, and protocol migration options depend on which public keys are exposed and how the network coordinates changes.
Grover’s algorithm gives an ideal quadratic speed-up for generic key search, which is much less dramatic than Shor’s exponential impact on RSA and ECC. AES-256 retains a large generic security margin, though complete system design and implementation still matter.
Only conditional estimates exist. Published scenarios range from hours to days or longer, depending on the number and quality of physical qubits, error-correction code, cycle speed, connectivity, decoder performance and architecture. There is no machine today that meets those assumptions.
Yes. NIST finalised FIPS 203, FIPS 204 and FIPS 205 in August 2024. They specify ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures. Deployment still requires implementation testing, protocol integration and operational planning.
Migration across large estates takes years, and attackers can collect encrypted data now for later decryption. Early work also exposes hidden cryptographic dependencies and improves the ability to change algorithms when standards or threats evolve.
QuantumNews compares primary standards, government migration guidance and technical resource-estimation papers. Qubit counts are reported with their architecture and runtime assumptions; preprints are labelled separately from peer-reviewed work. Company roadmap targets are not treated as completed capabilities. Current status was checked against public evidence, not confidential claims.
14 July 2026 — Initial editorial draft created with current NIST standards and RSA-2048 resource estimates.
Found an error or newer technical evidence? Contact the QuantumNews editorial team.