Q-Day: A day that has not yet arrived but already threatens the present?

Lijian Qu | Written by

Recent studies show that the number of qubits needed to break encryption is decreasing exponentially, while the capabilities of quantum computers are increasing exponentially. The time window left for us to complete the transition to quantum-resistant encryption may be shorter than expected.

On April 29, Scott Joel Aaronson, a newly elected member of the U.S. National Academy of Sciences and a theoretical computer scientist, revealed on his blog that several top quantum computing experts worldwide told him that Q-Day could arrive around 2029[1].

Q-Day refers to the predicted day when quantum computers become powerful enough to crack widely used encryption systems, shaking the trust foundations supporting banks, governments, the internet, digital identities, cloud services, and blockchain operations. This day is known as Q-Day (Quantum Day).

Aaronson warns that companies, organizations, blockchains, or standards bodies need to start transitioning immediately to quantum-resistant encryption.

Although this warning was issued from a personal blog, it is highly valuable for reference.

The Global Risk Institute in Canada released the "Quantum Threat Timeline Report 2024" in December 2024, stating that, based on expert surveys, the probability of Q-Day occurring within ten years is between 19% and 34%, and within twenty years rises to 60% to 82%. The latest "Quantum Threat Timeline Report 2025," published in March this year, shows a 28% to 49% chance of Q-Day within ten years, and a 69% to 86% chance within twenty years.

Expert survey results on the probability of Q-Day over the years by the Global Risk Institute. Source: "Quantum Threat Timeline Report 2025"

These are subjective judgments by industry experts, but are there solid related studies?

The U.S. Forrester Research released a think tank report titled "The State Of Quantum Computing, 2026" in March 2026, stating that Q-Day could arrive before 2030.

The report notes that Q-Day is approaching rapidly, driven by developments such as:

• Continuous algorithm improvements, significantly lowering the hardware threshold needed to crack encryption.

• Ongoing breakthroughs in logical qubits, with fault-tolerant quantum computers moving from theory to engineering.

• Multiple companies presenting large-scale fault-tolerant quantum computer roadmaps across different technological approaches.

(Left) Ideal quantum computing assumes perfect logical qubits; (Center) NISQ (Noisy Intermediate-Scale Quantum) computing uses physical qubits susceptible to noise/errors (red cross); (Right) Fault-tolerant quantum computing employs quantum error correction codes, distributing a logical qubit’s information across multiple physical qubits to protect against errors. Source: Wikimedia Commons

Over the past year, quantum computing has continued to evolve along these trends, with a key indicator being the decreasing number of qubits required to break classical encryption systems.

In May 2025, Google’s Quantum AI research team published a paper stating that, through algorithm and architecture improvements, cracking RSA-2048 encryption relying on online banking, email, and digital certificates could be achieved with fewer than 1 million physical qubits[2], which is one-twentieth of the estimate from 2019.

In February 2026, Australian startup Iceberg Quantum further reduced the number of physical qubits needed to crack RSA-2048 to 100k.

Peter Williston Shor, an American computer scientist born August 14, 1959, proposed in 1994 an algorithm to break public key cryptography based on integer factorization and discrete logarithms (such as RSA, Diffie-Hellman key exchange, elliptic curve cryptography), later called Shor’s algorithm. Shor’s algorithm can universally break these classical encryption algorithms because the underlying math problems can be transformed into "finding the period of a function," which Shor’s algorithm can solve easily. Source: Gemini-generated, for reference only

On March 30, 2026, two significant papers were published showing that the number of qubits needed to break RSA and elliptic curve encryption with Shor’s algorithm would be greatly reduced.

The first paper from Caltech (arXiv: 2603.28627[3]) states that using neutral atom quantum computers, only tens of thousands of qubits are needed to implement Shor’s algorithm to crack elliptic curve encryption within days. Caltech’s press release suggests that theoretically, Q-Day could be achieved before 2030.

RSA encryption and ECC (Elliptic Curve Cryptography): two core functions—establishing secure connections and verifying identities. Source: Gemini-generated, image content may not be entirely accurate, for reference only

Google’s Quantum AI team, in collaboration with researchers from the Ethereum Foundation and Stanford University, published a white paper[4] claiming that using superconducting quantum computers, fewer than 500k physical qubits and over 1,000 logical qubits could crack elliptic curve encryption within minutes. The best estimate in 2023 was around 9 million physical qubits.

While Caltech’s work requires fewer qubits, it is slower and more difficult to implement engineering-wise. Google’s approach requires more qubits but runs faster and is more mature technologically.

The publications from Caltech and Google have shaken the blockchain community[5], making them realize that the threat of quantum computers to cryptocurrencies is imminent. Ethereum developers have launched extensive post-quantum migration efforts, and some prominent figures are urging the Bitcoin community to accelerate similar work.

March 30, 2026, is considered a "milestone day in quantum computing and cryptography"[8], as blockchain expert Justin Drake commented on X.

Notably, Google revealed in a blog post that, given the importance of this research, the white paper was communicated with government agencies before release, but technical details were not disclosed to prevent malicious actors from exploiting them[10]. Google also called on other quantum research teams to adopt similar practices.

This list only covers recent work over the past year, but over the years, progress in quantum computing has far exceeded expectations.

The following chart shows the trend of the number of physical qubits needed to crack RSA-2048 versus the maximum number of qubits in quantum computers, with the former decreasing exponentially and the latter increasing exponentially.

Trend of physical qubits needed to crack RSA-2048 versus the largest quantum computer’s qubit count. Source: Claude-generated

Although building quantum computers capable of breaking classical encryption faces many engineering challenges—such as coherence time, gate fidelity, and more—the trend indicates that the previously astronomical hardware thresholds are gradually being lowered through algorithmic, architectural, and error correction improvements.

What if Q-Day arrives?

What happens if we are unprepared when Q-Day comes?

As mentioned earlier, public key systems based on RSA and elliptic curve cryptography will be the first to be compromised by quantum computers, destroying the security foundation of identity authentication and digital signatures. Browsers and websites’ "secure channels" could be attacked, and transmitted account details, orders, and transaction information could be intercepted.

The threat posed by quantum computers is not limited to the internet but extends to real life.

Attackers could use quantum computers to compromise the identity verification, key exchange, and software signing mechanisms of IoT devices, industrial control systems (ICS), embedded systems, etc., impersonate legitimate control centers, engineers, or firmware updates, and then send destructive commands, implant malicious firmware, or tamper with operational data, ultimately causing shutdowns, misoperations, equipment damage, public service disruptions, or even safety accidents.

Threats are already emerging before Q-Day

Even now, the threat of quantum computing to information security may already be happening. This threat is known as "harvest now, decrypt later" (HNDL), which involves collecting and storing encrypted data now to decrypt it in the future when quantum computers become capable.

HNDL targets data with long "half-lives," such as:

• National and military secrets: global intelligence networks, undercover agent lists, strategic resource reserves, diplomatic secrets, top leaders’ medical records, submarine patrol routes, new fighter jet blueprints, nuclear arsenal deployment plans.

• Business and intellectual property: billion-dollar R&D formulas and processes for new drugs, source code of tech giants, customer data.

• Personal lifelong privacy: genomic data, social security numbers, family medical histories.

Therefore, accelerating the migration to post-quantum security not only buys us time before Q-Day but also protects sensitive information today.

Post-quantum cryptography (PQC)

In 2024, the U.S. National Institute of Standards and Technology (NIST) released the first post-quantum encryption standards—ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)[11], marking that global enterprises and governments now have "post-quantum blueprints," and the migration to PQC has entered the implementation phase.

Many leading U.S. tech companies are also preparing for the post-quantum era. For example, the latest versions of browsers like Google Chrome, Microsoft Edge, Mozilla Firefox[7], and network infrastructure providers like Cloudflare[12] have completed PQC algorithm deployment. However, immunity to quantum threats requires that all websites, enterprise intranets, APIs, apps, certificates, code signatures, firmware signatures, and blockchain signatures complete their PQC migration. Any un-updated link could become a future security vulnerability.

Many foreign social messaging apps have already implemented post-quantum migration. For instance, Apple launched the largest-ever encryption upgrade to iMessage in early 2024, introducing the PQ3 post-quantum cryptography protocol[19]. Signal achieved post-quantum encryption for initial chats in 2023[20] and extended it to long-term chat records by 2025[21]. Signal’s encryption protocol is also adopted by WhatsApp[22]. These social apps have established a strong barrier against HNDL.

Some Chinese companies serving domestic and international consumers have also adopted NIST standards, such as Alibaba Cloud[23] and Tencent Cloud[24].

Of course, NIST standards are not the only global options. China is also developing its own standards along different technological routes. During the 2026 National People’s Congress, deputy and cryptography expert Wang Xiaoyun mentioned that "within three years, China is expected to establish a complete national standard for post-quantum cryptography"[25]. Additionally, the U.S. National Security Agency (NSA) launched CNSA 2.0 (Commercial National Security Algorithm Suite 2.0[26]) in 2022, setting a final deadline (2025–2030) for PQC upgrades in network devices, cloud services, and operating systems. While these upgrades are primarily for defense procurement, they will eventually extend to civilian sectors.

Not all sectors are progressing smoothly; some are unlikely to be fully prepared before Q-Day:

• Data already intercepted by HNDL attackers can only be hoped to remain undecipherable if attackers lack sufficient future capability or if the data’s value diminishes over time.

• Small and medium enterprises, critical infrastructure like local water plants, regional healthcare, manufacturing, or service companies often lack the talent, funds, or technology to complete encryption asset inventories and PQC migration in time.

• Outdated physical infrastructure (e.g., IoT, industrial control systems): many devices lack the memory and CPU power to run PQC algorithms, and cannot be upgraded online via software—only manual replacements or innovative solutions are possible. With billions of such devices worldwide, the workload is enormous, and some may be missed, creating security gaps exploitable by hackers.

Even if these latter two cannot fully migrate to PQC, they can reduce risks through management measures such as physical isolation, private networks, whitelisting, and manual approval.

Conclusion

We live in cities of reinforced concrete, but also in an invisible city woven from keys, certificates, signatures, and protocols.

This city has no walls, but it has cryptography; no moat, but it has algorithms; no night watchmen, but countless silent security protocols. They are unseen but enable us to transfer money, log in, chat, drive, see a doctor, work, and live every day.

For decades, cryptography has been a quiet cornerstone supporting the prosperity of the internet era. Confronted with the threat of Q-Day, engineers, cryptographers, standards bodies, enterprises, and governments will surely turn danger into opportunity, just as they successfully addressed the Y2K crisis at the turn of the century.

One day in the future, quantum computers may indeed become powerful enough to crack today’s encryption. When that day comes, we hope they will open new doors for drug discovery, material design, climate modeling, and other fields of knowledge, rather than old security locks we failed to repair in time.