The Q-Day threat spans quantum physics, cryptography, and information security policy. The vocabulary can be dense. This glossary defines the 25 terms that appear most frequently in expert discussion of the quantum cryptography threat — organized from foundational concepts to practical migration terms.
The Quantum Threat
Q-Day
The predicted moment when a quantum computer becomes powerful enough to break RSA encryption — the public-key cryptographic system protecting most internet traffic, banking, and secure communications today. Once Q-Day arrives, any data previously encrypted with classical public-key cryptography can potentially be decrypted. Expert estimates range from 2029 (Google's internal planning date) to 2035 (Global Risk Institute median).
Cryptographically Relevant Quantum Computer (CRQC)
A quantum computer with sufficient qubit count, qubit quality, and error correction to run Shor's algorithm against real-world encryption key sizes (e.g., RSA-2048 or ECC-256). Current quantum computers are far from CRQC status — they lack the error-corrected logical qubits needed. The question Q-Day researchers are tracking is when that gap will close.
Shor's Algorithm
A quantum algorithm discovered by mathematician Peter Shor in 1994. Given a large number, it can find its prime factors exponentially faster than any known classical algorithm. Since RSA encryption's security is based on the difficulty of factoring large numbers, Shor's algorithm running on a CRQC would render RSA — and by extension, most of today's public-key cryptography — insecure. Shor's algorithm also breaks elliptic curve cryptography (ECC).
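The two halves of Shor's attack on RSA, as an added example that is not part of this glossary: period (order) finding, the only step that needs a quantum computer and which is brute-forced classically here for toy-sized moduli, and the classical post-processing that turns the period into the factors and then into the RSA private exponent. The moduli 15, 21 and 3233 are textbook toy values, not real keys.

```python
from math import gcd
import random

def find_order(a: int, n: int) -> int:
    """Return the period r of f(x) = a^x mod n, i.e. the smallest r with a^r = 1 (mod n).
    This is the step Shor's algorithm hands to the quantum computer; the brute-force
    loop here takes up to n steps and only works for toy-sized n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_base(n: int, a: int):
    """Classical post-processing: turn the period of a mod n into a non-trivial factor.
    Returns None when a is a 'bad' base (odd period, or a^(r/2) = -1 mod n)."""
    g = gcd(a, n)
    if g != 1:
        return g  # a already shares a factor with n; no period finding needed
    r = find_order(a, n)
    if r % 2:
        return None  # odd period: the algorithm retries with a fresh base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None  # (y - 1)(y + 1) gives only the trivial factors; retry
    return gcd(y - 1, n)

def factor(n: int, seed: int = 1):
    """Repeat with random bases until a non-trivial factor appears (a few tries suffice)."""
    rng = random.Random(seed)
    for _ in range(100):
        f = factor_from_base(n, rng.randrange(2, n))
        if f and 1 < f < n:
            return sorted((f, n // f))
    raise ValueError(f"no factor of {n} found")

def recover_private_exponent(n: int, e: int) -> int:
    """Why factoring breaks RSA: with p and q known, phi(n) and hence d = e^-1 mod phi(n)
    follow directly, and d is exactly the value RSA keeps secret."""
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    print(factor(15), factor(21))              # [3, 5] [3, 7]
    print(recover_private_exponent(3233, 17))  # 2753 (toy key: n = 53 * 61, e = 17)
```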
Grover's Algorithm
A quantum algorithm that speeds up the search through an unsorted database, providing a quadratic speedup over classical brute-force search. Unlike Shor's, Grover's algorithm does not completely break symmetric encryption — it effectively halves the security level. AES-256 is considered secure against Grover's algorithm; AES-128 is not recommended for long-term security in a post-quantum world.
Harvest Now, Decrypt Later (HNDL)
An attack strategy in which adversaries intercept and store encrypted data today, with the intention of decrypting it once a CRQC becomes available. Since encrypted data can be stored indefinitely, this attack means Q-Day is already a present-tense problem for any data with a long-term secrecy requirement. See Harvest Now, Decrypt Later: The Silent Attack Already Happening.
Cryptographic Foundations
RSA
The most widely used public-key cryptography system, named for its inventors Rivest, Shamir, and Adleman. RSA's security relies on the difficulty of factoring the product of two large prime numbers. RSA-2048 (2048-bit keys) is the current standard for most applications and is the primary target of Shor's algorithm. RSA is used in TLS certificates, email signing, code signing, and many other security-critical applications.
Elliptic Curve Cryptography (ECC)
An alternative public-key system based on the mathematics of elliptic curves over finite fields. ECC achieves equivalent security to RSA with much shorter key lengths (e.g., 256-bit ECC is roughly equivalent to 3072-bit RSA). However, ECC is also vulnerable to Shor's algorithm — a CRQC could break ECC as efficiently as RSA. Bitcoin and most other cryptocurrencies rely on ECDSA, a specific ECC signature scheme.
ECDSA
Elliptic Curve Digital Signature Algorithm. The signature scheme used by Bitcoin, Ethereum, and most modern web certificates. ECDSA keys are exposed to quantum attack if the public key is ever revealed — which happens whenever a Bitcoin address makes a transaction. See Bitcoin & the Quantum Threat.
TLS (Transport Layer Security)
The cryptographic protocol that secures most internet communications — the "S" in HTTPS. TLS uses public-key cryptography (RSA or ECC) to establish a session key, then uses symmetric encryption (AES) for the actual data. The public-key handshake at the start of every TLS connection is the component vulnerable to Q-Day. TLS 1.3 with post-quantum key encapsulation is the target standard for quantum-safe web encryption.
Quantum Hardware
Qubit
The basic unit of quantum information, analogous to a classical bit but capable of existing in a superposition of 0 and 1 simultaneously until measured. Current quantum computers have between tens and thousands of physical qubits. Running Shor's algorithm against RSA-2048 requires millions of error-corrected logical qubits, making the distinction between physical and logical qubits critical.
Logical Qubit
An error-corrected qubit built from multiple physical qubits. Because physical qubits are error-prone, quantum error correction uses redundancy — encoding one logical qubit in many physical qubits — to produce a stable, reliable computation unit. The ratio of physical to logical qubits required depends on the error rates of the physical hardware; current estimates for running Shor's algorithm range from hundreds to thousands of physical qubits per logical qubit.
Quantum Error Correction (QEC)
Techniques for detecting and correcting errors in quantum computations without measuring (and thus collapsing) the quantum state directly. QEC is the central engineering challenge of fault-tolerant quantum computing. Google's 2022 demonstration of below-threshold error correction — where adding more physical qubits to a system actually reduces the logical error rate — was a milestone that confirmed the path to useful fault-tolerant computation is physically realizable.
Fault-Tolerant Quantum Computer
A quantum computer that uses error correction to sustain reliable computation over arbitrarily long circuits. Fault-tolerant systems are required to run Shor's algorithm at the scale needed to break RSA-2048. Current machines are noisy intermediate-scale quantum (NISQ) devices — they have qubits but cannot yet sustain the long error-corrected computations that cryptographically relevant attacks would require. Building a fault-tolerant machine is the primary engineering objective driving the major quantum hardware companies.
Quantum Supremacy / Quantum Advantage
Quantum supremacy (also called quantum advantage) refers to a quantum computer performing a specific computation that a classical computer cannot match in practical time. Google's 2019 Sycamore result and 2024 Willow demonstrations are examples. Importantly, quantum supremacy on a benchmark task does not mean quantum computers can yet break encryption — it is a hardware milestone on the path, not the destination.
Post-Quantum Cryptography
Post-Quantum Cryptography (PQC)
Cryptographic algorithms designed to be secure against both classical and quantum computers. Unlike quantum key distribution (which uses quantum physics itself for security), PQC relies on classical mathematical problems that are believed to be hard even for quantum computers. The four main mathematical families used in PQC are: lattice-based cryptography, hash-based cryptography, code-based cryptography, and isogeny-based cryptography. See Post-Quantum Cryptography: The Race to Protect the Internet.
ML-KEM (CRYSTALS-Kyber)
Module-Lattice-Based Key-Encapsulation Mechanism. The primary NIST post-quantum standard for key exchange and key encapsulation. Designed to replace RSA and Diffie-Hellman key exchange in TLS and other protocols. Based on the hardness of the Module Learning With Errors (MLWE) problem — a lattice-based mathematical problem with no known efficient quantum algorithm. Standardized by NIST in August 2024 as FIPS 203.
ML-DSA (CRYSTALS-Dilithium)
Module-Lattice-Based Digital Signature Algorithm. The primary NIST post-quantum standard for digital signatures. Designed to replace RSA-PSS and ECDSA in certificates, code signing, and authentication protocols. Also based on module lattice problems. Standardized as FIPS 204. Along with ML-KEM, ML-DSA forms the core of the NIST PQC standard suite.
SLH-DSA (SPHINCS+)
Stateless Hash-Based Digital Signature Algorithm. A post-quantum signature scheme based on hash functions rather than lattice mathematics. Because it uses different underlying mathematics than ML-DSA, it provides a hedge against potential future vulnerabilities in lattice-based schemes. Standardized as FIPS 205. Recommended for high-assurance contexts such as certificate authority root keys.
HQC
Hamming Quasi-Cyclic. Selected by NIST in March 2025 as a fifth post-quantum algorithm — specifically as a backup key encapsulation mechanism to ML-KEM. HQC is based on error-correcting code mathematics, not lattices, providing a mathematically independent alternative if lattice-based cryptography is ever weakened. See NIST Selects HQC: A Backup Shield Against Quantum Attacks.
Hybrid Encryption
A cryptographic approach that combines classical and post-quantum algorithms simultaneously. A hybrid TLS handshake, for example, uses both X25519 (classical ECC) and ML-KEM (post-quantum) for key exchange, combining their outputs so the connection is secure as long as either algorithm is unbroken. Hybrid mode provides a transition path: it protects against Q-Day while maintaining compatibility with existing infrastructure and providing a fallback if post-quantum algorithms have undiscovered weaknesses.
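The combiner behind a hybrid handshake, as an added example written for this glossary rather than taken from any TLS implementation: HKDF (RFC 5869) implemented over HMAC-SHA256, then used to fold the X25519 and ML-KEM shared secrets into one session key. The two 32-byte secrets and the transcript are constructed stand-ins, not outputs of the real algorithms, and the key schedule is a simplified TLS-1.3-style one, not the full schedule.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM); an empty salt means all zeros."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i), concatenated."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]

def hybrid_session_key(mlkem_ss: bytes, x25519_ss: bytes, transcript: bytes) -> bytes:
    """Combine the two shared secrets of an X25519 + ML-KEM-768 handshake into one
    session key (simplified TLS-1.3-style schedule). The secrets are concatenated
    ML-KEM first, as in the IETF TLS hybrid draft, and fed to HKDF as a single input,
    so the key can only be derived by a party that knows BOTH secrets."""
    if len(mlkem_ss) != 32 or len(x25519_ss) != 32:
        raise ValueError("X25519 and ML-KEM-768 each yield a 32-byte shared secret")
    prk = hkdf_extract(b"", mlkem_ss + x25519_ss)
    info = b"hybrid example key" + HASH(transcript).digest()
    return hkdf_expand(prk, info, 32)

# Constructed stand-ins for the real algorithm outputs; not actual X25519 or ML-KEM values.
MLKEM_SS = bytes(range(32))
X25519_SS = bytes(range(32, 64))
TRANSCRIPT = b"constructed handshake transcript"

def demo() -> bool:
    """Both endpoints derive the same key; a party holding only the X25519 secret (the half
    Shor's algorithm would expose) and guessing the ML-KEM half ends up with a different key."""
    client = hybrid_session_key(MLKEM_SS, X25519_SS, TRANSCRIPT)
    server = hybrid_session_key(MLKEM_SS, X25519_SS, TRANSCRIPT)
    partial = hybrid_session_key(bytes(32), X25519_SS, TRANSCRIPT)
    return client == server and client != partial
```

The HKDF functions can be checked against RFC 5869 test case 1 before trusting the combiner built on them.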
Policy and Migration
CNSA 2.0
Commercial National Security Algorithm Suite 2.0. The NSA's directive, published in 2022, mandating that all U.S. national security systems migrate from classical public-key cryptography to post-quantum algorithms by 2030. CNSA 2.0 specifies ML-KEM and ML-DSA as the required algorithms and prohibits the use of RSA and ECC for new systems after defined transition dates. See NSA CNSA 2.0 Explained.
Cryptographic Inventory
A comprehensive catalogue of all cryptographic assets in an organization — including certificates, keys, protocols, algorithms, and the systems that use them. The cryptographic inventory is the essential first step of any PQC migration program. Without knowing what cryptographic assets exist, organizations cannot prioritize or plan their migration. Most organizations discover their cryptographic surface is significantly larger than expected when they conduct a formal inventory.
Crypto-Agility
The ability of a system or application to rapidly switch between cryptographic algorithms without requiring fundamental redesign. Crypto-agile systems treat the choice of algorithm as a configuration parameter rather than a hard-coded constant, making it possible to migrate to new standards without architectural overhauls. Building crypto-agility into new systems today is a best practice that will reduce the cost of future migrations — both for PQC and for any subsequent algorithm transitions.
Key Encapsulation Mechanism (KEM)
A type of cryptographic scheme used to securely establish a shared secret key between two parties. In post-quantum cryptography, KEMs (like ML-KEM) replace RSA and Diffie-Hellman for key exchange in protocols like TLS. A KEM consists of three operations: key generation, encapsulation (wrapping a shared secret with the recipient's public key), and decapsulation (recovering the shared secret with the private key).
X.509 Certificate
The standard format for public-key certificates used in TLS, code signing, and email authentication. X.509 certificates contain a public key and information about its owner, signed by a certificate authority. Migrating to post-quantum cryptography requires updating the X.509 certificate ecosystem — including certificate authorities, browser trust stores, and the billions of certificates in active use worldwide. The industry is currently working on standards for hybrid X.509 certificates that contain both classical and post-quantum keys.