Q-Day

Q-Day is the hypothetical future date on which a cryptographically relevant quantum computer (CRQC) first exists: a machine capable of running Shor's algorithm against real-world key sizes and thereby breaking RSA and elliptic curve cryptography. The date is unknown, expert estimates span decades, and its main practical significance is as a deadline for migrating to post-quantum cryptography.

What counts as cryptographically relevant

A CRQC is defined by capability, not qubit count: it must factor a 2048-bit RSA modulus or compute a 256-bit elliptic curve discrete logarithm in useful time. Current published estimates put that at fewer than 1 million physical qubits running fault-tolerantly for several days (Gidney 2025), while the largest machines as of early 2026 hold on the order of 1000 physical qubits with error rates far above what sustained algorithms require (quantum computer, logical qubit). Q-Day therefore depends on progress in error correction and scaling, both of which are advancing but neither of which has a predictable schedule.

Expert estimates

The most systematic public estimates come from the Global Risk Institute's annual Quantum Threat Timeline reports, led by Michele Mosca and Marco Piani, which survey several dozen leading quantum computing researchers on the likelihood of a CRQC over various horizons (Global Risk Institute 2024). The consistent pattern across recent editions: most experts consider a CRQC within 5 years unlikely, opinion around the 10 year mark is divided but skews toward unlikely, and a clear majority judge a CRQC more likely than not on a horizon of roughly 15 to 30 years.

Individual estimates illustrate the uncertainty. Mosca wrote in 2015 that he estimated a 1 in 7 chance of breaking RSA-2048 by 2026 and a 1 in 2 chance by 2031 (Mosca 2015). The 2026 estimate did not materialize; whether the 2031 one will is unknown. Survey answers are expert opinion, not measurement, and respondents self-select from a field with an interest in the technology succeeding. The honest summary is that Q-Day could plausibly fall anywhere from the 2030s to never, with the probability mass of informed opinion concentrated in the 2030s and 2040s.

Mosca's inequality

Mosca's theorem, also written as the inequality x + y > z, reframes the question so the exact date matters less (Mosca 2015). Let x be the time your data must remain secret (shelf life), y the time your systems need to migrate, and z the time until a CRQC exists. If x + y > z, protection has already failed: data encrypted during the migration window will still need secrecy when the machine arrives.

A concrete reading: an organization whose data must stay confidential for 10 years and whose migration takes 5 years is already too late if a CRQC appears within 15 years, a horizon most surveyed experts consider more likely than not. Recorded traffic makes this concrete today through harvest now, decrypt later collection.

Why lead time matters more than the date

Cryptographic migrations are measured in decades. The transitions away from DES, SHA-1, and 1024-bit RSA each took 10 to 20 years across the full ecosystem of protocols, certificate authorities, embedded devices, and firmware. Public key infrastructure moves slowest of all.

Governments have therefore set migration deadlines that deliberately do not depend on predicting Q-Day. Draft NIST guidance proposes deprecating quantum-vulnerable algorithms after 2030 and disallowing them after 2035 (NIST IR 8547). The NSA's CNSA 2.0 timeline requires national security systems to transition by 2033 (NSA CNSA 2.0). These dates function as engineering schedules: if the migration is complete before any plausible Q-Day, the actual date becomes irrelevant.

The asymmetry of outcomes drives the policy. Migrating early to standards such as ML-KEM and ML-DSA costs engineering effort; migrating late risks retroactive exposure of everything recorded in the interim. Hybrid deployments make the early move safe even if specific post-quantum schemes later fall.

Frequently asked questions

Has Q-Day already happened?

No. As of early 2026 the largest quantum computers hold on the order of 1000 physical qubits, orders of magnitude short of the roughly one million noisy qubits current estimates require to break RSA-2048.

Will Q-Day be publicly announced?

Not necessarily. A state actor reaching the capability first would have strong incentives to conceal it, which is one more argument for migrating well before any public demonstration.

Sources

  1. Cybersecurity in an era with quantum computers: will we be ready? (IACR ePrint, 2015)
  2. Quantum Threat Timeline Report 2024 (Global Risk Institute, 2024)
  3. NIST IR 8547 (Initial Public Draft), Transition to Post-Quantum Cryptography Standards (NIST, 2024)
  4. Post-Quantum Cybersecurity Resources (CNSA 2.0) (NSA, 2022)
  5. How to factor 2048 bit RSA integers with less than a million noisy qubits (arXiv, 2025)
Cite this entry
"Q-Day." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/q-day@misc{pqwiki-q-day, title = {Q-Day}, howpublished = {\url{https://postquantum.wiki/q-day}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }