Q-Day Timeline: The Complete History of Expert Predictions

qdayiscoming.com — April 2026

The most striking thing about the Q-Day timeline is not the uncertainty — it is the direction. Nearly every major revision has moved the estimated date forward, not back. What experts considered a distant theoretical concern in 2016 has steadily contracted into a concrete engineering deadline. Understanding how that shift happened, and who drove it, is essential context for anyone trying to assess the actual risk.

2016–2019: A distant theoretical concern

When NIST launched its post-quantum cryptography competition in 2016, the working assumption among most security professionals was that a cryptographically relevant quantum computer (CRQC) — one capable of running Shor's algorithm against RSA-2048 — was at least 20 to 30 years away. The physical qubit counts required were estimated in the tens of millions, and error correction remained largely theoretical. Most organizations treated Q-Day as a planning problem for the next generation of security teams.

In 2019, Google's demonstration of quantum supremacy with the 53-qubit Sycamore processor marked the field's first major milestone. The chip completed a specific computation in 200 seconds that Google claimed would take a classical supercomputer approximately 10,000 years. The result was contested — IBM argued the classical estimate was overstated — but the signal was clear: quantum hardware was advancing faster than most had expected.

2022–2023: The timeline starts compressing

In 2022, two things happened that shifted expert consensus. First, the NSA published its CNSA 2.0 directive, ordering all U.S. national security systems to complete migration to post-quantum cryptography by 2030. This was not a speculative planning exercise — it was a binding directive, which implied that the U.S. intelligence community had assessed a meaningful probability of a CRQC within roughly eight years.

Second, Google demonstrated below-threshold error correction at scale: adding more physical qubits to a system actually reduced the logical error rate, which was the crucial prerequisite for fault-tolerant computation. The gap between the machines that existed and the machines needed was still enormous — but the engineering path was now demonstrably real.

2024: NIST finalizes standards; Google ships Willow

In August 2024, NIST published the world's first post-quantum cryptography standards — CRYSTALS-Kyber (now ML-KEM) for key encapsulation and CRYSTALS-Dilithium (now ML-DSA) for digital signatures. The finalization of these standards after an eight-year competition was a landmark, but it also marked the beginning of a new race: how quickly could global infrastructure actually adopt them?

In December 2024, Google unveiled the Willow chip, a 105-qubit processor that demonstrated exponential error reduction as qubit count scaled. Google described Willow as the first chip to cross "below threshold" at a scale meaningful for future fault-tolerant systems. The benchmark was striking: a computation that would take the fastest classical supercomputer 10^25 years, completed in five minutes.

2025: The breakthrough that changed the arithmetic

The most consequential revision to the Q-Day timeline came in May 2025, when Google researcher Craig Gidney published an updated resource estimate for breaking RSA-2048. His 2019 estimate had put the requirement at approximately 20 million physical qubits. The 2025 paper revised that figure to fewer than one million — a 20-fold reduction driven by improved algorithms and more efficient error correction schemes.

This single paper had an outsized effect on institutional planning horizons. If the hardware requirement was 20 times lower than previously thought, the date at which available quantum hardware could plausibly meet the threshold moved correspondingly closer. Google's internal security team publicly updated its planning deadline to 2029 — a date it now treats as a migration requirement, not a distant scenario.

Later in 2025, NIST selected HQC as a fifth post-quantum algorithm, providing a backup standard built on entirely different mathematical foundations — a hedge against the possibility that the primary lattice-based algorithms might later be found vulnerable.

2026: The AQTI JVG paper

In March 2026, the Advanced Quantum Technologies Initiative published what became known as the JVG algorithm paper. The team claimed an approach that could reduce the qubit count needed to break RSA-2048 even further than Gidney's 2025 estimate, with the most optimistic scenario placing the requirement below 500,000 physical qubits. Independent verification of the full claim was still ongoing as of April 2026, but the paper prompted Cloudflare, Google, and several European governments to accelerate their migration timelines.

At the same time, Microsoft's Majorana 1 chip — unveiled in February 2025 — continued to generate interest as a potentially faster path to large-scale fault tolerance through topological qubits. If Microsoft's approach scales as designed, it could compress the timeline independently of the superconducting qubit approaches dominating Google and IBM's roadmaps.

Current expert estimates (April 2026)

| Estimate | Source | Basis |
|---|---|---|
| 2029 | Google Security | Internal planning deadline; Gidney 2025 resource estimate |
| 2030 | NSA / NIST | CNSA 2.0 migration deadline for all U.S. national security systems |
| 2033 | AQTI JVG (median) | Probabilistic estimate from JVG algorithm paper, March 2026 |
| 2035 | Global Risk Institute | 50% probability estimate from Quantum Threat Timeline Report 2025 |

Why the uncertainty range matters

The spread between 2029 and 2035 reflects genuine scientific uncertainty — different teams using different assumptions about qubit quality, error correction overhead, and algorithmic improvements. But the uncertainty cuts in both directions: a breakthrough in any of these areas could move the date earlier, while an unexpected engineering barrier could push it later.

For organizations planning cryptographic migrations, this range has a specific implication: a migration that takes three to five years to complete — which is typical for large-scale infrastructure transitions — needs to begin now to be finished before even the most conservative estimate. The NSA set its 2030 deadline precisely because it knew the migration would take most of the decade to execute.

What the timeline means for data at risk today

The timeline is not only relevant to future encryption. Because of harvest now, decrypt later attacks — in which adversaries collect encrypted data today to decrypt once a quantum computer exists — data transmitted right now is potentially at risk. Encrypted communications with a secrecy requirement of more than a few years should be considered exposed to Q-Day risk regardless of when Q-Day itself arrives.
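
The migration and harvest-now-decrypt-later reasoning in the last two sections can be checked per asset against each estimate in the table. The following is an added example, not part of the original article: it works at whole-year granularity, takes 2026 as "now" from the page date, and the asset names, secrecy lifetimes and migration schedules are constructed for illustration.

```python
from dataclasses import dataclass

# Q-Day estimates copied from the table on this page (year -> source).
QDAY_ESTIMATES = {2029: "Google Security", 2030: "NSA / NIST",
                  2033: "AQTI JVG (median)", 2035: "Global Risk Institute"}

@dataclass
class Asset:
    name: str
    secrecy_years: int    # how long captured data must stay confidential
    migration_start: int  # year the post-quantum migration begins
    migration_years: int  # years until classical key exchange is retired

    @property
    def migration_done(self) -> int:
        return self.migration_start + self.migration_years

def exposed_capture_window(asset: Asset, qday: int, now: int = 2026):
    """Return (first_year, end_year) of capture years whose data is still
    secret once a CRQC exists, or None. end_year is exclusive."""
    # Traffic captured in year c is exposed when c + secrecy_years > qday.
    first = max(now, qday - asset.secrecy_years + 1)
    # Harvesting only pays off while classical cryptography is still in use.
    end = asset.migration_done
    return (first, end) if first < end else None

def exposure_report(assets, now: int = 2026):
    """Map asset name -> {Q-Day estimate: exposed capture window or None}."""
    return {a.name: {q: exposed_capture_window(a, q, now)
                     for q in sorted(QDAY_ESTIMATES)}
            for a in assets}

# Constructed sample inventory (hypothetical assets, not from the page).
SAMPLE_ASSETS = [
    Asset("session-tokens", secrecy_years=1, migration_start=2026, migration_years=3),
    Asset("health-records", secrecy_years=25, migration_start=2026, migration_years=4),
    Asset("late-starter", secrecy_years=5, migration_start=2029, migration_years=5),
]

if __name__ == "__main__":
    for name, rows in exposure_report(SAMPLE_ASSETS).items():
        for q, window in rows.items():
            print(f"{name:15} Q-Day {q} ({QDAY_ESTIMATES[q]:22}) exposed: {window}")
```

The long-lived records stay exposed under every estimate even though their migration finishes in 2030, because everything captured before the cutover outlives Q-Day; only shortening the window before cutover reduces that exposure.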