What can I do to prepare for Q-Day?

If you run critical infrastructure or handle sensitive long-lived data, begin a cryptographic inventory, follow NIST's post-quantum migration guidance, and start transitioning to PQC-ready systems. Most major cloud providers already offer PQC-compatible TLS options.

Has the Q-Day timeline changed recently?

Yes — significantly. In May 2025, Google researcher Craig Gidney showed RSA-2048 could be broken with under one million qubits, down from his 2019 estimate of 20 million — a 20× reduction. The AQTI's JVG algorithm (March 2026) claims even fewer resources may be needed. These breakthroughs are why Google, Cloudflare and major governments have moved migration deadlines forward to 2029–2030.

Q-Day Countdown | When Will Quantum Computers Break Encryption?

Q: Am I already at risk from quantum computers?

'Harvest now, decrypt later' attacks are already happening — state actors are collecting encrypted data today to decrypt once a capable quantum computer exists. Sensitive data with long shelf-life such as medical records, financial history, and state secrets is most at risk.

Q: What is harvest now decrypt later?

Harvest now, decrypt later is an attack strategy where adversaries intercept and store encrypted data today, planning to decrypt it once a capable quantum computer exists. This means data sent today could be exposed in 2030. Medical records, diplomatic cables, and sensitive business communications with long-term value are most at risk.

Q: Does Q-Day affect my passwords?

Not directly. Passwords protected by hashing algorithms (bcrypt, Argon2, SHA-256) are not broken by Shor's algorithm. The main threat is to public-key cryptography — RSA and ECC — which secures HTTPS connections, email, and cryptocurrency wallets. Doubling symmetric key lengths (AES-256) provides sufficient protection against Grover's algorithm.

The Race

Quantum Computing Milestones

2019

Quantum Supremacy — Sycamore

53-qubit chip completes a task in 200 s that a supercomputer would need ~10,000 years for.

2022

Surface Code Logical Qubit

First proof that adding more physical qubits reduces logical error rate — below-threshold error correction confirmed.

2023

QEC Below Threshold at Scale

72-qubit device demonstrates logical qubit with error suppression better than any single physical qubit.

2024

Willow — Exponential Error Reduction

105 qubits. Each code distance step halves error rate. Benchmark: 5 min vs. 10²⁵ years classically.

2025

First Verifiable Quantum Advantage

65-qubit subsystem of Willow produces certified random bits — impossible to fake or replicate classically.

2029 — Target

Fully Error-Corrected Computer

Google's stated goal: a useful, error-corrected quantum computer capable of tackling real-world problems.

scroll →

2021

Eagle — 127 Qubits

First chip to break the 100-qubit barrier. Heavy-hexagonal layout reduces error rates between neighbors.

2022

Osprey — 433 Qubits

Quadrupled qubit count in one generation. IBM publishes roadmap to 4,000+ qubit systems.

2023

Condor — 1,121 Qubits

World's first 1,000+ qubit chip. 50% increase in qubit density. Also ships Heron (133Q) with best-in-class gate fidelity.

2024

Flamingo — Multi-Chip Quantum Link

462-qubit chip with built-in quantum communication link — first step toward connecting multiple processors.

2026 — Target

Kookaburra — 4,158 Qubits

Three 1,386-qubit chips linked via chip-to-chip couplers — IBM's first large-scale multi-chip system.

2029 — Target

Fault-Tolerant System

IBM roadmap end-goal: fault-tolerant quantum computer with tens of thousands of logical qubits.

scroll →

2022

Topoconductor Discovered

Microsoft creates the world's first topoconductor — a material enabling topological superconductivity, previously only theoretical.

2023

Majorana Zero Modes Confirmed

Peer-reviewed evidence in Physical Review of inducing topological Majorana modes — the building block of topological qubits.

Feb 2025

Majorana 1 — First Topological Chip

8 topological qubits on a chip designed for 1 million. Digital qubit control vastly simplifies quantum computing architecture.

~2027 — Target

Topological Qubits at Scale

Microsoft claims its approach will reach a cryptographically relevant scale "in years, not decades" — potentially leapfrogging competitors.

scroll →

2016

PQC Competition Launched

NIST calls for submissions of quantum-resistant cryptographic algorithms. 69 candidates enter from teams worldwide.

2022

NSA: Migrate Critical Systems by 2030

NSA's CNSA 2.0 directive orders U.S. national security systems to complete post-quantum migration by 2030.

2024

First PQC Standards Published

NIST finalizes CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ — the world's first post-quantum cryptography standards.

2030 — Deadline

NSA Migration Deadline

All U.S. national security systems must complete migration to post-quantum cryptography. Most global infrastructure still at risk.

2035 — Risk Window

Global Risk Institute Q-Day Estimate

GRI's 50% probability estimate: the moment a quantum computer can crack RSA-2048 arrives by 2035.

scroll →

2021

$450M Series D

Largest quantum funding round to date. Bet: silicon photonic chips manufactured at scale using standard CMOS semiconductor fabs.

2023

GlobalFoundries Partnership

First quantum company to manufacture chips in a commercial semiconductor fab — enabling mass production of photonic qubits.

Feb 2025

Omega Photonic Processor

Silicon photonic processor unveiled — key building block toward a fault-tolerant machine with 1M+ physical qubits.

2025

$1B Raise — $7B Valuation

World's most-funded quantum startup. Backed by Microsoft, HSBC, BlackRock among others.

2027–2028 — Target

1,000,000 Physical Qubits

First commercially useful fault-tolerant quantum computer with 1M+ photonic qubits — potentially enabling Shor's algorithm against RSA.

scroll →

2021

IPO — First Pure-Play Quantum Stock

IonQ lists on NYSE — the first publicly traded company focused solely on quantum computing.

2023

Forte — 35 Algorithmic Qubits

Trapped-ion system reaches 35 #AQ — one of the highest-quality qubit metrics in the industry.

2024

Real-World Quantum Speedup

Engineering firm Ansys uses IonQ to accelerate fluid dynamics analysis for medical devices — 12% speedup over classical computing.

2028 — Target

Cryptographically Relevant QC

IonQ roadmap targets a CRQC capable of running Shor's algorithm on RSA-2048 — requires ~4,000 logical qubits.

2030 — Target

2M Physical / 80K Logical Qubits

Long-term: a trapped-ion system with 2 million physical qubits and 80,000 logical qubits for broad quantum advantage.

scroll →

2021

First Fully Error-Corrected Logical Qubit

Demonstrates a fully error-corrected logical qubit using the Steane code — a world first in quantum error correction.

2022

H1 — World Record Quantum Volume

H1 processor sets a world record quantum volume score — a holistic measure of overall system capability.

2024

H2 — 56 Trapped-Ion Qubits

H2 ships with best-in-class two-qubit gate fidelity (>99.9%). Partners with Microsoft on logical qubit research.

2025

12 Logical Qubits — 800× Error Reduction

With Microsoft: runs 12 logical qubits on H2 with error rates 800× better than physical qubits — largest logical qubit demo to date.

Late 2020s — Target

Small Fault-Tolerant Machine

Roadmap: tens of logical qubits fully fault-tolerant — sufficient for early quantum advantage in chemistry and materials science.

scroll →

Breaking Research

China's Origin Wukong-180: A 180-Qubit Quantum Leap and What It Means for Q-Day

China's Origin Quantum has launched its fourth-generation 180-qubit superconducting quantum computer — built entirely on domestic technology. Here's what it signals for the global Q-Day race.

Research

Microsoft's Majorana 1: The Topological Qubit That Could Accelerate Q-Day

Microsoft's topological qubit architecture could dramatically reduce the physical qubit overhead needed to break RSA — and reshape the Q-Day timeline in the process.

Cryptocurrency

Ethereum's Quantum Escape Plan: Protecting 100 Million Wallets from Q-Day

Ethereum's ECDSA signatures are vulnerable to quantum attacks. With 100 million active wallets at stake, the community is racing to design a post-quantum migration path — before it becomes urgent.

Explainer

What is Q-Day and Why Should You Care?

Q-Day refers to the moment a quantum computer becomes powerful enough to break RSA encryption — the foundation of most internet security today. Here's what that means for you.

Technology

Post-Quantum Cryptography: The Race to Protect the Internet

NIST has finalized its first post-quantum encryption standards. But how quickly will the world actually adopt them — and is it fast enough?

Research

Google's Willow Chip: A Milestone on the Road to Q-Day

Google's latest quantum processor raises the stakes. We break down what the Willow breakthrough actually means for the Q-Day timeline.

Standards & Policy

NIST Selects HQC: A Backup Shield Against Quantum Attacks

In March 2025, NIST chose HQC as a fifth post-quantum algorithm — a fallback built on entirely different mathematics, in case the primary standard ever falls.

Threat Intelligence

Harvest Now, Decrypt Later: The Silent Attack Already Happening

State actors are already collecting your encrypted data today — planning to decrypt it once quantum computers arrive. This attack doesn't need Q-Day to begin.

Cryptocurrency

Could a Quantum Computer Steal Your Bitcoin in 9 Minutes?

Google's quantum research puts a number on the threat: a capable quantum computer could derive a Bitcoin private key in roughly 9 minutes. Bitcoin's block time is 10.

Policy & Standards

NSA's CNSA 2.0: The Military's Deadline for a Quantum-Safe World

The NSA has set January 2027 as the first hard deadline for quantum-safe encryption across US national security systems. Here's what the full timeline looks like.

Analysis

Why Q-Day Could Be Worse Than Y2K

Y2K cost $300 billion and was fixed in time. Q-Day threatens to break encryption across the entire internet — and unlike Y2K, the damage can be retroactive.

Industry

Cloudflare's 2029 Deadline: How the Internet Is Preparing for Q-Day

Cloudflare targets full post-quantum security by 2029. Here's what that migration actually looks like — and what it means for the rest of the internet.

Breaking Research

Three Papers in Three Months: Why Q-Day May Now Be 2029, Not 2035

Between May 2025 and March 2026, three papers slashed the qubit estimate to break RSA by a factor of 20. Q-Day just got a lot closer.

Timeline

Q-Day Timeline: The Complete History of Expert Predictions

How did the Q-Day timeline shift from "decades away" to 2029? A complete history of expert estimates from 2016 to 2026 — and what changed in each critical year.

Finance

Q-Day and Banking: How the Financial Sector Is Preparing for Quantum Risk

Banks, SWIFT, and central banks face acute exposure from Q-Day. Here's what major financial institutions are doing — and what is still at stake.

Action

How to Prepare for Q-Day: A Practical Guide for Organizations

Six concrete steps every organization should take before Q-Day: cryptographic inventory, data classification, NIST standards, hybrid encryption, and supply chain assessment.

Reference

Q-Day Glossary: 25 Essential Terms Explained

From Shor's algorithm to ML-KEM and crypto-agility: 25 key terms from quantum computing and post-quantum cryptography, clearly defined.

What is Q-Day?

Q-Day is the predicted moment when a quantum computer becomes powerful enough to break RSA encryption — the system protecting most internet traffic, banking, and communications today. When it arrives, any data encrypted with current standards can be decrypted retroactively.

When will it happen?

Estimates vary: Google's internal security team targets 2029, NIST and the NSA are planning for 2030 as a critical migration deadline, and the Global Risk Institute puts a 50% probability on 2035. The timeline depends heavily on progress in qubit quality and error correction.

Am I already at risk?

"Harvest now, decrypt later" attacks are already happening — state actors are collecting encrypted data today to decrypt once a capable quantum computer exists. Sensitive data with long shelf-life (medical records, financial history, state secrets) is most at risk.

What is post-quantum cryptography?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to be secure against quantum attacks. In 2024, NIST published the world's first PQC standards — CRYSTALS-Kyber and CRYSTALS-Dilithium — to replace vulnerable RSA and ECC encryption.

What can I do?

If you run critical infrastructure or handle sensitive long-lived data: begin a cryptographic inventory, follow NIST's migration guidance, and start transitioning to PQC-ready systems. Most major cloud providers are already offering PQC-compatible TLS options.

Will Bitcoin and crypto survive Q-Day?

Most cryptocurrencies use elliptic curve cryptography (ECC) for wallets — which is vulnerable to quantum attacks. Bitcoin's ECDSA signatures could be broken by a sufficiently large quantum computer. The crypto community is actively discussing post-quantum migration paths.

Has the timeline changed recently?

Yes — significantly. In May 2025, Google researcher Craig Gidney published a paper showing RSA-2048 could be broken with under one million qubits, down from his own 2019 estimate of 20 million. That's a 20× reduction in required resources. The AQTI's JVG algorithm (March 2026) claims even fewer qubits may be needed. These papers are why Google, Cloudflare and major governments have all moved their migration deadlines forward to 2029–2030.

Does Q-Day affect my passwords?

Not directly. Passwords are typically protected by hashing algorithms (bcrypt, Argon2, SHA-256) which are not broken by Shor's algorithm. The main threat is to public-key cryptography — RSA and ECC — which secures your connection to websites (HTTPS), your email, and your cryptocurrency wallets. Grover's algorithm could weaken symmetric encryption, but doubling key lengths (e.g. AES-256 instead of AES-128) provides sufficient protection.

What is "harvest now, decrypt later"?

It's an attack strategy where adversaries — typically nation-state intelligence agencies — intercept and store encrypted data today, even though they can't read it yet. Once a capable quantum computer exists, they retroactively decrypt everything they've collected. This means data you send today could be exposed in 2030. Medical records, diplomatic cables, and business communications with long-term sensitivity are most at risk.

2016

NIST

PQC Competition Launched

NIST calls for quantum-resistant cryptography submissions. 69 candidates enter from teams worldwide.

2019

Google

Sycamore — Quantum Supremacy

53-qubit chip solves a task in 200 s that would take a classical supercomputer ~10,000 years.

2021

IBM

Eagle — 127 Qubits

First chip to break the 100-qubit barrier. IBM announces a fault-tolerant QC target by 2029.

2021

Quantinuum

First Error-Corrected Logical Qubit

Fully error-corrected logical qubit demonstrated using the Steane code — a world first.

2022

Google

Surface Code Below Threshold

Proven: adding physical qubits to a logical qubit reduces errors. A foundational QEC milestone.

2022

NSA

CNSA 2.0 — Migrate by 2030

NSA orders U.S. national security systems to complete post-quantum migration by 2030.

2023

IBM

Condor — 1,121 Qubits

World's first 1,000+ qubit chip. Also ships Heron (133Q) with best-in-class gate fidelity.

2023

Harvard / QuEra

48 Logical Qubits

First logical quantum processor using neutral atoms — 48 logical qubits at 99.5% gate fidelity.

2023

Microsoft

Majorana Zero Modes Confirmed

Peer-reviewed evidence of Majorana modes — the building block of Microsoft's topological qubit.

2024

Google

Willow — Exponential Error Reduction

105 qubits. Each code distance step halves error rate. 5 min vs. 10²⁵ years classically.

2024

NIST

First PQC Standards Published

CRYSTALS-Kyber, Dilithium, SPHINCS+ — the world's first post-quantum cryptography standards.

Feb 2025

Microsoft

Majorana 1 — Topological Chip

8 topological qubits on a chip built for 1 million. A new state of matter applied to quantum computing.

2025

Google

Verifiable Quantum Advantage

First quantum result impossible to replicate classically — certified random bit generation on Willow.

2025

PsiQuantum

$1B Raise + Omega Processor

World's most-funded quantum startup ($7B valuation). Photonic chip targeting 1M+ qubits by 2028.

Projected

2026

IBM · Target

Kookaburra — 4,158 Qubits

Three 1,386-qubit chips linked via quantum communication — IBM's first large-scale multi-chip system.

2028

IonQ · Target

Cryptographically Relevant QC

A machine capable of running Shor's algorithm on RSA-2048 — requires ~4,000 logical qubits.

2029

Google · IBM · Target

Fault-Tolerant Computers

Both companies target 2029 for fully error-corrected, commercially useful quantum computers.

2030

NSA · Deadline

PQC Migration Deadline

All U.S. national security systems must have completed post-quantum cryptography migration.

2035

GRI · Estimate

Q-Day Probability Peak

Global Risk Institute's 50% probability estimate: a quantum computer capable of breaking RSA-2048.

scroll →

We are already having the wrong conversation in cryptography if we argue about whether we have one, three, or five years before quantum computers will break today's security algorithms. We must always be ahead of the curve — especially in the era of 'Store now, decrypt later'.

Johann Polecsak Co-Founder & CTO — QANplatform

In three to five years' time, we will have that moment where from a cryptographic standpoint we have to adapt to quantum, for sure.

Sundar Pichai CEO — Google · Bloomberg, Feb 2025

Preparing for a post-quantum world will be a complex change programme that makes fixing the Millennium Bug look easy.

Ollie Whitehouse Chief Technology Officer — NCSC, UK National Cyber Security Centre

The averaged expert estimate of the probability of a cryptographically relevant quantum computer emerging within the next 10 years is now between 28% and 49% — the highest in this report's history.

Michele Mosca Co-founder, evolutionQ — Professor, University of Waterloo · Quantum Threat Timeline Report 2025

Q-Day could come as soon as 2025. The question is not if, but when — and most organisations are dangerously unprepared.

Tilo Kunz Executive VP — Quantum Defen5e · US Defense Information Systems Agency briefing

Elliptic curves are going to die. There is about a 20% chance that quantum computers capable of breaking today's cryptography arrive before 2030 — and that is not a risk Ethereum can afford to ignore.

Vitalik Buterin Co-founder — Ethereum · Devconnect, Buenos Aires, Nov 2025

It's a really serious threat, and I think the modern crypto community doesn't fully understand just how serious it is. My forecast is a matter of years — not decades.

Dmitry Gerasimov CEO — Demlabs · Founder, Cellframe Network · post-quantum blockchain infrastructure

When a suitably powerful quantum computer becomes available, conventional digital signature schemes will be broken — and all existing ledgers will be susceptible to attack. I built QRL because this is not a theoretical problem.

Peter Waterland Founder & Lead Developer — Quantum Resistant Ledger (QRL)

Q-Day

How is this countdown determined?

Get in touch

Keep Q-Day ticking