“Q‑Day”: When Will Quantum Computers Break Encryption?

By Dr. Robert Buccigrossi, TCG CTO

Sensitive Data in the 2030s Requires Action Now

Based on publicly available data and expert consensus, the timeline for “Q‑Day” (the day a quantum computer can break today’s standard public-key encryption) is estimated to be in the early-to-mid 2030s. While this is not an immediate threat, it’s not a distant one either. The primary risk is the “harvest now, decrypt later” strategy, where adversaries are likely already recording encrypted data today to decrypt once a capable quantum computer is built.

Therefore, organizations should begin a measured transition to post-quantum cryptography (PQC) now. Following guidance from the U.S. National Institute of Standards and Technology (NIST), the goal should be to complete this migration before 2035 to ensure sensitive data remains secure. Let’s break down the facts supporting this conclusion.

The Quantum Threat: A Tale of Two Algorithms

Quantum decryption is based on two specific, well-understood algorithms.

  • Shor’s Algorithm for Public-Key Encryption: Developed in 1994, Shor’s algorithm can factor large numbers and solve discrete logarithm problems exponentially faster than any known classical computer. This poses an existential threat to all widely used asymmetric (public-key) encryption, including RSA and Elliptic Curve Cryptography (ECC), which form the backbone of secure internet communication (TLS/SSL), financial transactions, and digital signatures.
  • Grover’s Algorithm for Symmetric Encryption: Grover’s algorithm provides a quadratic speedup for searching unstructured data, which can be applied to brute-forcing symmetric encryption keys. It doesn’t “break” the algorithm but effectively halves its security strength. For example, it reduces AES-128’s security to a 64-bit level and AES-256’s to a 128-bit level. This threat is manageable; simply doubling the key length (i.e., using AES-256) makes the algorithm secure against quantum attacks for the foreseeable future.
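To make the Shor threat concrete, here is an added example (written for this page, not code from the author) of the classical half of Shor’s algorithm: factoring is reduced to finding the multiplicative order (period) of a random base, and the factors then drop out of a gcd computation. The quantum computer’s only job is the period-finding step; the example stands in for it with a brute-force loop, which is exponential in the bit-length of the modulus and therefore only works for toy numbers, which is exactly why large RSA moduli are safe against classical machines but not against a cryptographically relevant quantum computer. The moduli and seed are constructed for illustration.

```python
from math import gcd
from typing import Optional, Tuple
import random


def find_period(a: int, n: int) -> int:
    """Classical stand-in for the quantum order-finding subroutine.

    Shor's quantum circuit finds the smallest r > 0 with a^r == 1 (mod n)
    in polynomial time. This loop does the same by brute force, which is
    exponential in the size of n and only practical for toy moduli.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 1234) -> Optional[Tuple[int, int]]:
    """Reduction from factoring to order finding, as used in Shor's algorithm.

    For an odd composite n, returns a non-trivial factor pair, or None if every
    random base tried gave a trivial result (rare; 50 attempts is generous).
    """
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    for _ in range(50):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            # The base already shares a factor with n: done without period finding.
            return tuple(sorted((g, n // g)))
        r = find_period(a, n)
        if r % 2:
            continue  # odd period gives no square root of 1; pick another base
        y = pow(a, r // 2, n)  # y^2 == 1 (mod n)
        if y == n - 1:
            continue  # y == -1 (mod n) is the trivial square root; pick another base
        # y is a non-trivial square root of 1, so (y-1)(y+1) == 0 (mod n)
        # and gcd(y +/- 1, n) reveals a proper factor.
        for f in (gcd(y - 1, n), gcd(y + 1, n)):
            if 1 < f < n:
                return tuple(sorted((f, n // f)))
    return None


if __name__ == "__main__":
    for modulus in (15, 21, 91):
        print(modulus, "->", shor_factor(modulus))
```

Everything above `find_period` is cheap on a classical computer; the whole security of RSA rests on the fact that the period of a^x mod n cannot be found classically for a 2048-bit n, while Shor’s quantum period finding does it in polynomial time.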

The Cost of Entry: Qubits Required to Break Encryption Standards

Breaking modern encryption requires a large, error-corrected quantum computer. It is crucial to distinguish between noisy physical qubits and stable, error-corrected logical qubits. Current estimates for breaking the top encryption standards are:

  • RSA-2048: To break this common standard, a quantum computer would need thousands of logical qubits. Recent research from Google suggests this could require approximately 1 million physical qubits running for about a week. Other analyses, focusing on algorithmic improvements, suggest the task might be possible with as few as 1,730 logical qubits.
  • Elliptic Curve Cryptography (ECC-256): ECC is also vulnerable to Shor’s algorithm and may be an earlier target than RSA. Breaking a 256-bit ECC key is estimated to require around 1,500 logical qubits. An analysis published in “AVS Quantum Science” estimates it would take 13 million physical qubits to break it within 24 hours. Because it requires fewer logical qubits than comparably secure RSA keys, ECC would be the first domino to fall.
  • AES-256: Symmetric encryption is a different story. AES-256 is considered quantum-resistant because of the immense resources needed to attack it with Grover’s algorithm. Breaking it would require an estimated 6,600 logical qubits and a number of operations so large (on the order of 2^128) that it is physically impractical. Using 256-bit keys for symmetric encryption is the recommended defense.

The State of the Race: Progress and Projections

Quantum computing is currently in the “Noisy Intermediate-Scale Quantum” (NISQ) era, with machines of a few hundred physical qubits that are prone to errors. The gap between today’s hardware and a cryptographically relevant quantum computer remains vast.

Current Leaders and Their Trajectory:

  • IBM: IBM unveiled a processor with over 1,000 qubits in late 2023, but has since shifted its focus from raw qubit count to quality and error correction. Their roadmap now centers on building modular systems that link multiple error-corrected processors together, a necessary step toward building a useful machine.
  • Google: In 2023, Google announced a major breakthrough in quantum error correction, demonstrating a logical qubit that was more stable than the individual physical qubits it was made from. This is a critical proof-of-concept, but scaling this to the thousands of logical qubits needed for decryption remains a decade-long challenge.
  • Nation-States and Corporations: The race to build a quantum computer is a global one, with heavy investment from the US, China, and the EU, as well as major tech companies. The first machine capable of breaking encryption will almost certainly emerge from one of these well-funded state or corporate labs. However, no publicly known entity is close to the finish line.

The reality is that we are currently at the stage of building processors with hundreds of noisy physical qubits, while the task of breaking RSA requires thousands of stable logical qubits—a system likely composed of millions of physical qubits.

Prepare, Don’t Panic

The evidence points to a consistent and actionable conclusion. A cryptographically relevant quantum computer is not an imminent threat, but it is on the horizon.

  • The Threat Timeline: The most credible expert estimates, such as the Global Risk Institute’s Quantum Threat Timeline, suggest a significant probability that RSA-2048 will be breakable by the mid-2030s.
  • The Vulnerabilities:
    • High Risk: RSA and ECC are fundamentally broken by Shor’s algorithm. These must be replaced.
    • Low Risk: AES remains secure. The best practice is to use 256-bit keys to ensure a robust security margin against Grover’s algorithm.
  • The Solution: The path forward is a proactive migration to the new suite of post-quantum cryptographic standards finalized by NIST. The transition away from vulnerable algorithms is a multi-year process that must begin now to protect data with long-term sensitivity.
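The risk split above (Shor-broken public-key algorithms versus Grover-halved symmetric keys) and the “harvest now, decrypt later” argument can be turned into a simple cryptographic-inventory check. The following is an added example written for this page, not tooling from the author or from NIST: it classifies each algorithm/key-size record, computes the effective post-Grover strength for symmetric keys, and applies Mosca’s inequality (data shelf life plus migration time exceeding the years until Q-Day means ciphertext harvested today is still sensitive when it becomes decryptable). The Q-Day year, current year, migration duration, inventory format and sample assets are all constructed assumptions; the PQC algorithm names are the NIST FIPS 203/204/205 standards.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed assumptions for this example (not figures from the article):
ASSUMED_Q_DAY_YEAR = 2033        # consistent with the early-to-mid 2030s estimate
ASSUMED_NOW_YEAR = 2025
ASSUMED_MIGRATION_YEARS = 5      # a "multi-year" migration; the exact figure is an assumption

# Algorithms broken outright by Shor's algorithm (factoring / discrete logarithm).
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "ECC"}
# Symmetric primitives where Grover's algorithm only halves the effective key strength.
GROVER_AFFECTED = {"AES", "CHACHA20"}
# NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Finding:
    asset: str
    algorithm: str
    key_bits: int
    risk: str            # HIGH / MEDIUM / LOW / UNKNOWN
    effective_bits: int  # security level after the best-known quantum attack
    hndl_exposed: bool   # harvested-now ciphertext still sensitive after Q-Day


def quantum_strength(algorithm: str, key_bits: int) -> Tuple[str, int]:
    """Classify one algorithm/key-size pair using the Shor vs. Grover split."""
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return "HIGH", 0          # no key size rescues these; they must be replaced
    if alg in GROVER_AFFECTED:
        eff = key_bits // 2       # Grover: 2^n brute force becomes ~2^(n/2) work
        return ("LOW" if eff >= 128 else "MEDIUM"), eff
    if alg in PQC_STANDARDS:
        # For PQC entries the key_bits column carries the claimed security level
        # (an assumption of this inventory format).
        return "LOW", key_bits
    return "UNKNOWN", 0


def harvest_exposure(shelf_life_years: int,
                     migration_years: int = ASSUMED_MIGRATION_YEARS,
                     now_year: int = ASSUMED_NOW_YEAR,
                     q_day_year: int = ASSUMED_Q_DAY_YEAR) -> bool:
    """Mosca's inequality: exposed if shelf life + migration time > years until Q-Day."""
    years_until_q_day = q_day_year - now_year
    return shelf_life_years + migration_years > years_until_q_day


def assess_inventory(lines: List[str]) -> List[Finding]:
    """Parse 'asset, algorithm, key_bits, shelf_life_years' records and assess each."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        asset, algorithm, key_bits, shelf_life = (f.strip() for f in line.split(","))
        risk, eff = quantum_strength(algorithm, int(key_bits))
        # Only Shor-broken algorithms make harvested ciphertext decryptable later;
        # symmetric keys with >= 128 effective bits stay out of reach.
        exposed = risk == "HIGH" and harvest_exposure(int(shelf_life))
        findings.append(Finding(asset, algorithm.upper(), int(key_bits), risk, eff, exposed))
    return findings


# Constructed sample inventory (fictional assets, not real systems).
SAMPLE_INVENTORY = """
# asset, algorithm, key_bits, data shelf life (years)
web-tls-key-exchange, ECDH, 256, 1
backup-archive-wrap-key, RSA, 2048, 15
db-at-rest, AES, 128, 10
vpn-tunnel, AES, 256, 10
pilot-kem, ML-KEM, 192, 10
""".strip().splitlines()


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.asset:26} {f.algorithm:7} {f.key_bits:5}  risk={f.risk:7} "
              f"post-quantum={f.effective_bits:3} bits  HNDL-exposed={f.hndl_exposed}")
```

Run against the sample, the RSA-wrapped archive with a 15-year shelf life is the record that matters today: it is both Shor-broken and harvestable, so it is the first migration target, whereas the one-year TLS key exchange is Shor-broken but its data ages out before the assumed Q-Day. AES-128 is flagged MEDIUM (64 effective bits) to reflect the article’s advice to move to 256-bit keys.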

Major technology companies are not waiting. Apple has already deployed a PQC protocol in iMessage, and Google and Cloudflare have been testing post-quantum algorithms in their services. Their actions underscore the seriousness of the threat and the feasibility of the solution. We are in a race between those building a quantum computer and those upgrading our cryptographic infrastructure. As of today, we still have time to win.