Most encryption protecting enterprise data today will break. Not because someone finds a clever exploit or patches a library incorrectly. It will break because a specific class of machine, one that does not yet exist at the required scale, will solve in hours the mathematical problem that makes RSA and elliptic-curve cryptography hard. That machine is a cryptographically relevant quantum computer, a CRQC. Q-Day is the name the security community uses for the date it first operates at that capability level.

The term is useful shorthand. It is also slightly misleading, because it implies a single, known date, and Q-Day is neither single nor known. What Q-Day represents is a threshold: the point at which Shor's algorithm, running on a fault-tolerant quantum computer with sufficient qubit fidelity, can factor the large integers and solve the discrete logarithm problems that underpin asymmetric cryptography. That threshold will be crossed. The question is when, and what state your cryptographic infrastructure is in when it happens.

What Shor's Algorithm Actually Does

RSA relies on a simple asymmetry: multiplying two large prime numbers together is trivial; factoring the result back into its component primes is computationally infeasible at scale on classical hardware. The best classical algorithms for integer factorisation are sub-exponential but still take longer than the operational lifetime of any system you care about protecting. Elliptic-curve cryptography rests on an analogous hardness assumption: the discrete logarithm problem over elliptic curves.

Shor's algorithm, published by Peter Shor in 1994, solves integer factorisation in polynomial time on a quantum computer. The same algorithm applies to the discrete logarithm problem. A CRQC running Shor's could factor a 2048-bit RSA modulus in hours, not geological epochs. Bernstein and Lange's 2017 Nature survey of post-quantum cryptography sets out the mathematical argument in full, and it has not been seriously disputed since.
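As an added illustration of the reduction Shor's algorithm is built on (this is example code written for this page, not code from the article or from any project it names), the following Python factors small moduli by order finding. The quantum subroutine, which finds the period of a^x mod N in polynomial time, is replaced by a brute-force loop whose cost grows exponentially with the size of N, so the script shows the structure of the attack rather than its speed. The moduli, the seed and the function names are this example's own.

```python
from math import gcd, isqrt
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), assuming gcd(a, n) == 1.

    This brute-force loop stands in for the quantum part of Shor's algorithm
    (period finding via the quantum Fourier transform). Its running time grows
    with r, i.e. exponentially in the bit length of n; that exponential step is
    exactly what a fault-tolerant quantum computer turns into a polynomial one.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy moduli used in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def shor_factor(n: int, seed: int = 0) -> int:
    """Return a non-trivial factor of n via the classical reduction to order finding.

    Assumes n is composite and, if odd, has at least two distinct prime factors
    (prime powers need a separate root check that is omitted here). For such n
    each round succeeds with probability at least 1/2.
    """
    if n % 2 == 0:
        return 2
    if is_prime(n):
        raise ValueError("n is prime; nothing to factor")
    rng = random.Random(seed)          # seeded so runs are reproducible
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            return g                   # lucky guess: a already shares a factor with n
        r = find_order(a, n)           # the step a CRQC would run in polynomial time
        if r % 2:
            continue                   # odd period: choose another base
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                   # a^(r/2) == -1 (mod n) yields only trivial factors
        f = gcd(y - 1, n)
        if 1 < f < n:
            return f


if __name__ == "__main__":
    # Constructed toy moduli: 15 = 3*5, 21 = 3*7, 3233 = 53*61.
    for n in (15, 21, 3233):
        p = shor_factor(n)
        print(f"{n} = {p} * {n // p}")
```

The point of the example is the division of labour: everything except find_order is cheap classical arithmetic, and the only reason RSA is safe today is that the period search is exponential on classical hardware. A CRQC replaces that one function with a polynomial-time quantum circuit and leaves the rest of the reduction exactly as written.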

The hardware that matters here is not the quantum computers generating press releases today. A 2022 paper by Webber et al. in AVS Quantum Science estimated that breaking RSA-2048 would require a fault-tolerant quantum computer with approximately 317 million physical qubits and one hour of runtime, under current error correction assumptions. More aggressive approaches could reduce that figure to around 13 million physical qubits. IBM's 2023 development roadmap targets utility-scale fault-tolerant systems in the early 2030s. The gap between where the hardware is now and where it needs to be for cryptographic relevance remains significant. That gap is the only thing standing between current public-key infrastructure and systemic compromise.

[Figure: The Qubit Gap: Current Hardware vs CRQC Threshold. Logarithmic bar chart of physical qubit count (10² to 10⁸, each gridline 10x the previous) comparing Google Willow (105 qubits, 2024), IBM Condor (1,121 qubits, 2023) and IBM's 2030 target (~100k qubits) against the projected CRQC minimum (13M qubits) and the standard estimate (317M qubits) required to break RSA-2048; the gap spans roughly four orders of magnitude.]
Current hardware sits at 10² to 10³ physical qubits. Breaking RSA-2048 requires an estimated 13–317 million fault-tolerant qubits. The gap is approximately four orders of magnitude. Sources: Webber et al., AVS Quantum Science (2022); IBM roadmap (2023).

What Q-Day Does Not Break

Shor's algorithm targets asymmetric cryptography. Symmetric encryption is a different problem. Grover's algorithm provides a quadratic speedup for unstructured search, which halves the effective security parameter of a symmetric key. AES-128 drops to approximately 64-bit equivalent security under Grover, which is not sufficient for long-term confidentiality. AES-256 drops to approximately 128-bit equivalent and retains adequate security margins. SHA-384 and SHA-512 similarly survive Q-Day with workable security margins. SHA-256 is marginal for data requiring long-term integrity against a CRQC adversary.

The practical implication: your AES-256 disk encryption is not the immediate problem. Your TLS handshakes, your PKI, your code-signing certificates, your VPN key exchange and your SSH host keys are. Every system that uses RSA or ECC for key establishment or authentication is in scope, and that is most of the infrastructure protecting most organisations.

The Standards Exist. The Migration Does Not.

NIST finalised its first post-quantum cryptographic standards in August 2024. FIPS 203 standardises ML-KEM (lattice-based key encapsulation, derived from Kyber), intended as the primary replacement for RSA and ECDH in key exchange and encryption. FIPS 204 standardises ML-DSA (lattice-based digital signatures, derived from Dilithium). FIPS 205 standardises SLH-DSA (stateless hash-based digital signatures, derived from SPHINCS+). FIPS 206 standardises FN-DSA (fast lattice-based signatures derived from FALCON), primarily targeted at firmware and code-signing scenarios.

These are not draft recommendations. They are final published standards with assigned FIPS numbers. The migration path is defined. Vendors are shipping implementations. What most organisations have not done is start.

NSA's Commercial National Security Algorithm Suite 2.0, published in September 2022, specified ML-KEM, ML-DSA, and SLH-DSA as the required algorithms for national security systems and set 2030 as the migration deadline for prioritised systems. NSM-10, the White House National Security Memorandum from May 2022, directed federal agencies to begin PQC migration immediately. The UK's NCSC issued updated guidance in 2024 aligning with NIST FIPS 203, 204, and 205, following its 2020 recommendation that enterprises begin assessing cryptographic exposure. The EU's NIS2 Directive, which entered into force in January 2023 with a member state transposition deadline of October 2024, brings cryptographic risk under the broader operational resilience obligations for in-scope organisations. ETSI's Quantum Safe Cryptography working group (TS 119 312) provides European standards alignment. Every major national and multinational standards body has now moved from watching to directing. The question is whether the organisations they govern have noticed.

Why "We Have Time" Is the Wrong Frame

The most common objection to acting now is the timeline uncertainty. If the credible range for Q-Day runs from optimistic projections of 2030 through to 2040 or beyond, why not wait until the picture sharpens?

The answer is Harvest Now, Decrypt Later, or HNDL. Also called Store Now, Decrypt Later (SNDL), the attack is straightforward: an adversary captures and stores encrypted data today, before a CRQC exists, and decrypts it when one becomes available. No cryptographic break is needed at capture time. The attacker is patient.

HNDL was documented by NSA in its 2021 quantum computing FAQ and is cited in the CISA/NSA joint advisory on PQC migration from August 2023 as an active concern. The implication for enterprise security planning is direct. If your organisation holds data with a confidentiality requirement of ten years or more, and credible Q-Day estimates run from five to fifteen years, you are already inside the risk window. The data your infrastructure encrypted last year may sit in an adversary's archive right now, waiting.

Forward secrecy, the TLS 1.3 feature that prevents retrospective decryption of past sessions using a compromised long-term key, does not protect against HNDL. TLS 1.3 with ECDHE provides forward secrecy against classical adversaries who compromise the private key after the session ends. A CRQC running Shor's algorithm breaks the ECDHE key exchange from captured public key material. The session key can be recovered. Forward secrecy's protection model assumes the attacker cannot rerun the key agreement. A CRQC removes that assumption.

I have found, in every enterprise PQC assessment I have worked on, that the HNDL argument is the one that changes the timeline conversation. Abstract hardware milestones feel distant. The possibility that classified financial models, health records, or communications are already in storage pending decryption does not.

What "Ready" Actually Requires

Security teams sometimes treat PQC migration as a software update. Replace the algorithm, redeploy, done. The reality is closer to a network infrastructure project. Before any algorithm is changed, an organisation needs a complete cryptographic inventory: every certificate, key pair, protocol, and library that uses RSA, ECC, or Diffie-Hellman, mapped against the system it protects and the data classification of that system. In every project I have worked on, that inventory alone takes six to twelve months for a mid-sized enterprise. That is before a single algorithm is migrated.

Most enterprise PQC projects also hit what I call Crypto Paralysis at the inventory stage: the project scope expands as hidden RSA dependencies surface across legacy systems, embedded devices, and third-party integrations, and the project stalls under its own weight. The organisations that avoid this are the ones that treat the inventory as its own deliverable, rather than a precursor to migration, and resource it accordingly.

QSECDEF's Q-Day timeline risk calculator lets security teams model the risk window against their specific data classification profiles, retention periods, and estimated migration timelines. It applies the Mosca inequality: if your data shelf life plus your migration time exceeds the time remaining to Q-Day, you are already behind. The calculator makes that arithmetic concrete rather than theoretical.
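As an added example, not the QSECDEF calculator and not code from the article, the following Python applies the Mosca inequality across a small cryptographic inventory of the kind the preceding paragraphs describe, so that the inventory and the risk arithmetic can be seen together. The asset records, the current year (2026), the assumed Q-Day year (2035, chosen to coincide with the NIST IR 8547 RSA deprecation date the article cites), and every function and field name are constructed for this example; the mapping from primitive to replacement follows the FIPS numbers named above. For authentication-only uses, shelf_life is read as how long the signature must remain trustworthy.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    primitives: list      # algorithm names as recorded in the inventory
    shelf_life: int       # X: years the protected data (or signature) must stay trustworthy
    migration: int        # Y: years this system needs to migrate


# Public-key primitives Shor's algorithm breaks, with the replacement for that role.
VULNERABLE = {
    "RSA": "ML-KEM (FIPS 203) for key transport; ML-DSA (FIPS 204) or SLH-DSA (FIPS 205) for signatures",
    "DH": "ML-KEM (FIPS 203)",
    "ECDH": "ML-KEM (FIPS 203)",
    "X25519": "ML-KEM (FIPS 203)",
    "ECDSA": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)",
    "Ed25519": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)",
}
# Symmetric primitives where only Grover's quadratic speedup applies.
REDUCED = {
    "AES-128": "about 64-bit equivalent under Grover; move to AES-256",
    "SHA-256": "marginal for long-term integrity; prefer SHA-384 or SHA-512",
}
SAFE = {"AES-256", "SHA-384", "SHA-512", "ML-KEM", "ML-DSA", "SLH-DSA"}


def classify(primitives):
    """Split an asset's primitives into Shor-vulnerable, Grover-reduced and unrecognised."""
    vulnerable = {p: VULNERABLE[p] for p in primitives if p in VULNERABLE}
    reduced = {p: REDUCED[p] for p in primitives if p in REDUCED}
    # Unrecognised names are the hidden dependencies that stall inventories; surface them.
    unknown = [p for p in primitives if p not in VULNERABLE and p not in REDUCED and p not in SAFE]
    return vulnerable, reduced, unknown


def mosca_margin(shelf_life, migration, years_to_qday):
    """Mosca: behind if X + Y > Z. Returns Z - (X + Y); negative means already behind."""
    return years_to_qday - (shelf_life + migration)


def latest_start_year(asset, qday_year):
    """Last year migration can start and still finish shelf_life years before Q-Day."""
    return qday_year - asset.shelf_life - asset.migration


def assess(inventory, now_year, qday_year):
    """Evaluate every asset against an assumed Q-Day year; worst margin first."""
    z = qday_year - now_year
    findings = []
    for a in inventory:
        vulnerable, reduced, unknown = classify(a.primitives)
        margin = mosca_margin(a.shelf_life, a.migration, z) if vulnerable else None
        findings.append({
            "asset": a.name,
            "vulnerable": vulnerable,
            "reduced": reduced,
            "unknown": unknown,
            "margin": margin,
            "behind": margin is not None and margin < 0,
            "start_by": latest_start_year(a, qday_year) if vulnerable else None,
        })
    findings.sort(key=lambda f: (f["margin"] is None, f["margin"] or 0))
    return findings


def sample_inventory():
    """Constructed sample records; not a real organisation's inventory."""
    return [
        Asset("Customer records API", ["X25519", "RSA", "AES-256"], shelf_life=10, migration=3),
        Asset("Marketing CDN", ["X25519", "ECDSA", "AES-128"], shelf_life=1, migration=2),
        Asset("Backup archive", ["AES-256", "SHA-512"], shelf_life=25, migration=0),
        Asset("Firmware signing", ["RSA"], shelf_life=12, migration=4),
        Asset("Vendor VPN appliance", ["DH", "proprietary-kex", "AES-256"], shelf_life=5, migration=2),
    ]


if __name__ == "__main__":
    for f in assess(sample_inventory(), now_year=2026, qday_year=2035):
        status = "BEHIND" if f["behind"] else ("ok" if f["margin"] is not None else "no Shor exposure")
        print(f"{f['asset']:<24} margin={f['margin']!s:>5} start_by={f['start_by']} {status}")
        for p, fix in {**f["vulnerable"], **f["reduced"]}.items():
            print(f"    {p}: {fix}")
        if f["unknown"]:
            print(f"    unrecognised primitives, inventory incomplete: {f['unknown']}")
```

Two design choices matter. The AES-256 backup archive gets no Mosca margin because Shor does not apply to it, which keeps the report focused on key establishment and signatures; and an unrecognised primitive is reported rather than silently skipped, since an inventory that drops what it cannot classify is exactly the one that expands later under hidden dependencies.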

The Misconceptions Worth Addressing Now

Google's 2019 quantum supremacy result, published in Nature by Arute et al., did not bring forward Q-Day. The task Google's Sycamore processor completed, random circuit sampling, was designed specifically to be hard for classical computers and provides no capability relevant to cryptographic attack. Google Willow, announced in 2024, demonstrated below-threshold error correction at 105 qubits. That is meaningful engineering progress. It is not a CRQC.

Post-quantum cryptography is also not quantum communication. PQC algorithms are classical software designed to resist quantum attacks. They run on ordinary hardware with no quantum component. Quantum key distribution, which uses quantum mechanics to exchange keys, is a separate technology solving a related but distinct problem. Both are legitimate areas of work. They are not interchangeable, and conflating them produces planning errors.

[Figure: Q-Day Probability Distribution: Expert Consensus Range, 2026–2050. Horizontal timeline from 2026 to 2050 showing the probability distribution of Q-Day estimates: a narrow pessimistic tail starting around 2030, a central estimate band spanning 2034 to 2042 with its peak at 2035–2038, and an optimistic tail extending to 2050 and beyond. Dashed lines mark the migration deadlines, NSA CNSA 2.0 (2030) and NIST IR 8547 RSA deprecation (2035), both of which predate the probability peak; waiting for certainty before migrating is not a viable strategy. Based on the GRI Quantum Threat Timeline Report (2024), the IBM roadmap and Webber et al. (2022).]
Expert consensus places the Q-Day central probability band in 2034–2042. NSA's CNSA 2.0 migration deadline (2030) and NIST IR 8547 RSA deprecation date (2035) both land within or before this window. Sources: Global Risk Institute Quantum Threat Timeline Report (Mosca & Piani, 2024); IBM roadmap; NSA CNSA 2.0 (2022); NIST IR 8547 (2024).

The Practical Position

Q-Day is not a scheduled event on a known date. It is a threshold with an uncertain arrival time, a migration cost measured in years, and a data risk that runs backwards from the present. NIST has published the standards. National security agencies have set deadlines. Every day of delay is a day of continued HNDL exposure for your longest-lived sensitive data.

The organisations that handle this well will not be the ones that waited for certainty. They will be the ones that started the cryptographic inventory while the timeline was still uncertain, gave themselves the migration runway they needed, and were not still planning when the hardware arrived.

QSECDEF members receive access to practitioner-level implementation guides for ML-KEM, ML-DSA, and SLH-DSA, updated as standards evolve, alongside the cryptographic inventory methodology our security teams use in the field. If your team is at the beginning of this, the membership resources are a practical starting point.