When Will Quantum Computers Break RSA-2048? The Expert Timeline

qdayiscoming.com — June 2026

[Figure: Qubit requirements to break RSA-2048 declining from 20 million to under 1 million, while hardware qubit counts rise toward the threshold.]

The question at the center of every post-quantum security discussion is deceptively simple: when? When will a quantum computer actually be powerful enough to break RSA-2048 — the encryption standard protecting most of the internet? The answer is less certain than most people would like, but better-grounded than most headlines suggest. The timeline is not "decades away." It is measured in years — and nearly every major revision has moved it closer.

What breaking RSA-2048 actually requires

A quantum computer capable of breaking RSA-2048 using Shor's algorithm needs to execute billions of error-corrected quantum gate operations on logical qubits — qubits that are protected against the noise and errors inherent in physical quantum hardware. This requires two things in practice: raw qubit count and quality.

Physical qubits are unreliable. Any interaction with the environment causes errors. Fault-tolerant computation encodes each logical qubit across many physical qubits — using redundancy to detect and correct errors before they propagate. The ratio of physical to logical qubits depends on hardware error rates, but is typically in the range of hundreds to thousands to one with current technology. This overhead is why the physical qubit requirement for breaking RSA is so much larger than the logical computation actually demands.
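As an added illustration (not from the original article or any paper it mentions), the sketch below uses the common surface-code heuristic p_L ≈ A·(p/p_th)^((d+1)/2) to show why the physical-to-logical ratio lands in the hundreds to thousands. The prefactor, threshold, per-operation error target and the 2d²−1 patch size are assumptions chosen for illustration.

```python
import math

# Assumed constants of the surface-code heuristic (not from the article):
#   p_L(d) ~= A * (p / P_TH) ** ((d + 1) / 2)
A = 0.1       # prefactor
P_TH = 1e-2   # approximate threshold physical error rate

def min_distance(p_phys: float, target_logical: float) -> int:
    """Smallest odd code distance d whose heuristic logical error rate meets the target."""
    if p_phys >= P_TH:
        raise ValueError("at or above threshold: more qubits do not reduce logical errors")
    # Solve A * r**k <= target for k = (d + 1) / 2, in log space.
    k = math.ceil(math.log(target_logical / A) / math.log(p_phys / P_TH))
    return max(3, 2 * k - 1)

def physical_per_logical(d: int) -> int:
    """Rotated surface-code patch: d*d data qubits plus d*d - 1 measurement qubits."""
    return 2 * d * d - 1

def overhead(p_phys: float, target_logical: float) -> tuple[int, int]:
    """Return (code distance, physical qubits per logical qubit)."""
    d = min_distance(p_phys, target_logical)
    return d, physical_per_logical(d)

if __name__ == "__main__":
    # Constructed target: a per-operation logical error rate low enough
    # to survive billions of error-corrected operations.
    TARGET = 5e-13
    for p in (2e-3, 1e-3, 5e-4, 1e-4):
        d, ratio = overhead(p, TARGET)
        print(f"physical error {p:.0e}: distance {d:2d}, about {ratio} physical per logical qubit")
```

Under these assumptions, improving the physical error rate from 2e-3 to 1e-4 shrinks the per-logical-qubit cost by roughly a factor of nine.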

How the estimate has changed — the Gidney papers

The most significant shift in Q-Day timelines has come not from hardware progress, but from algorithmic improvement — specifically, from improvements to how Shor's algorithm can be implemented in practice.

In 2019, Google researcher Craig Gidney published the then-definitive resource estimate: breaking RSA-2048 would require approximately 20 million physical qubits running for about 8 hours. That number became the canonical reference for why Q-Day was considered far away — building a 20-million-qubit fault-tolerant machine seemed implausible within any near-term timeframe.

The revision that changed everything

In May 2025, Gidney published a revised paper with the same co-author. The new estimate: RSA-2048 could be broken with fewer than one million physical qubits — a 20-fold reduction in resource requirements. The improvement came from more efficient circuit designs for modular exponentiation (the core quantum computation in Shor's algorithm) and better error correction schemes. In early 2026, the AQTI research group published further optimizations suggesting requirements below 500,000 physical qubits may be feasible.

The direction matters as much as the numbers: since 2016, every major resource estimate has revised the qubit requirement downward, not upward. There is no published work suggesting the threshold is harder to reach than previously thought.

Where quantum hardware stands today

Current state-of-the-art quantum processors include Google's 105-qubit Willow chip (December 2024), IBM's Flamingo-class systems approaching 1,000 physical qubits, and China's 180-qubit Wukong-180 (2025). None of these machines are remotely close to the million-qubit threshold — and raw qubit count is not the only metric that matters. Error rates, connectivity, gate fidelity, and coherence times all affect whether a machine can execute the long circuits required for Shor's algorithm.

But the trajectory is clear. The leading edge of quantum hardware has scaled from 5 qubits in 2016 to 53 in 2019, 105 in 2024, and into the hundreds by 2025–2026. If that pace continues, million-qubit machines are within reach this decade. Whether hardware quality improves fast enough to match is the central uncertainty — quantum error correction overhead means that the logical qubit count that matters may scale differently from raw physical qubit count.

What every expert actually predicts

| Date | Source | Basis |
|------|--------|-------|
| 2029 | Google Security | Internal planning deadline; Gidney 2025 resource estimate; hardware roadmap |
| 2030 | NSA / NIST | CNSA 2.0 migration deadline — implicitly treats 2030 as meaningful threat horizon |
| 2033 | AQTI JVG (median) | Probabilistic estimate from JVG algorithm paper, March 2026 |
| 2035 | Global Risk Institute | 50% cumulative probability estimate; Quantum Threat Timeline Report 2025 |

The spread between 2029 and 2035 reflects genuine scientific uncertainty — different teams making different assumptions about qubit quality improvement rates, error correction overhead, and algorithmic efficiency gains. But the uncertainty cuts in both directions: a breakthrough in any area could move the date earlier. An unexpected engineering barrier could push it later. No expert is currently arguing for "after 2040."

Why the timeline keeps moving earlier

Three forces have driven the consistent downward revision of Q-Day estimates since 2016:

Algorithmic improvements. Better circuit designs for the modular arithmetic at the core of Shor's algorithm have dramatically reduced the gate count required. This is math, not hardware — it reduces requirements on any machine, past or future.

Error correction advances. The ratio of physical to logical qubits is improving as hardware quality improves. Google's Willow chip in 2024 was the first to demonstrate that adding more physical qubits to a system actually reduced the logical error rate — crossing the threshold that fault-tolerant computation requires. As error rates drop, the overhead multiplier shrinks.

Hardware diversity. Microsoft's topological qubit approach, neutral atom systems, and photonic computing each represent alternative hardware paths that could achieve low error rates at scale through different means. Multiple concurrent paths reduce the risk that any single engineering challenge stalls progress.

What this means for data at risk now

The timeline question is often framed as "when does the threat begin?" But for organizations handling sensitive data, the threat has already started — through harvest now, decrypt later attacks. State actors are believed to be collecting encrypted network traffic today to decrypt it retroactively once a capable quantum computer exists. Data encrypted today under RSA or ECC that needs to remain confidential for five or more years is already exposed to this risk, regardless of when the machine is actually built.

The practical implication: migration to post-quantum cryptography needs to complete before RSA-2048 falls — not after. A migration that takes three years to complete must begin by 2026 to finish before Google's 2029 planning deadline. The NSA set its 2030 CNSA 2.0 deadline specifically because it knew the migration would require most of the decade to execute across all national security systems. Organizations outside government have no reason to assume more time.
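The planning arithmetic above can be run against each estimate in the table. This is an added example, not code from the original article: the asset inventory is constructed, and the model assumes migration starts in 2026 and that all RSA/ECC traffic is recorded by an adversary.

```python
from dataclasses import dataclass

# Q-Day estimates from the article's table (year: source).
QDAY_ESTIMATES = {2029: "Google Security", 2030: "NSA / NIST",
                  2033: "AQTI JVG (median)", 2035: "Global Risk Institute"}

@dataclass(frozen=True)
class Asset:               # constructed inventory entry, not from the article
    name: str
    secrecy_years: int     # how long recorded ciphertext must stay confidential
    migration_years: int   # time needed to move this system to post-quantum crypto

def assess(asset: Asset, qday: int, now: int = 2026) -> dict:
    """Harvest-now-decrypt-later exposure of one asset against one Q-Day estimate."""
    migration_done = now + asset.migration_years   # assumes migration starts now
    # Ciphertext recorded after this year is still sensitive when Q-Day arrives.
    safe_cutoff = qday - asset.secrecy_years
    return {
        # Last year migration can begin and still finish by Q-Day.
        "latest_start": qday - asset.migration_years,
        # True if traffic sent this year is still confidential at Q-Day.
        "at_risk_today": now > safe_cutoff,
        # Years of RSA/ECC traffic that become readable while still confidential.
        "exposed_years": max(0, migration_done - safe_cutoff),
    }

def report(assets, now: int = 2026) -> list:
    """One row per (asset, estimate), earliest Q-Day estimate first."""
    return [(a.name, year, QDAY_ESTIMATES[year], assess(a, year, now))
            for a in assets for year in sorted(QDAY_ESTIMATES)]

if __name__ == "__main__":
    inventory = [Asset("vpn-gateway", 5, 3),          # constructed examples
                 Asset("health-records-api", 20, 4),
                 Asset("web-session-tls", 1, 2)]
    for name, year, source, r in report(inventory):
        print(f"{name:20s} Q-Day {year} ({source}): start by {r['latest_start']}, "
              f"at risk today={r['at_risk_today']}, exposed years={r['exposed_years']}")
```

A non-zero `exposed_years` means the asset fails the check even if migration begins immediately, which is the case for any long-lived data under the 2029 and 2030 estimates.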
