The CRQC Timeline: When Quantum Computers Become a Real Threat

The news cycle treats quantum computing as either an existential emergency arriving next year or a distant curiosity with no current relevance. Both framings are wrong. What follows is an evidence-based answer to a precise question: when will a quantum computer become capable of breaking the encryption that protects internet communications, and what does that timeline mean for decisions you need to make now?

The key term is CRQC: a cryptographically relevant quantum computer. Not a quantum computer in general. IBM and Google have had quantum computers for years. A CRQC specifically refers to a machine that is large enough and reliable enough to run Shor's algorithm against RSA-2048, ECDH, and ECDSA at the key sizes currently in use. That machine does not exist today. The honest assessment of when it might exist is the subject of this article.

What a CRQC is, and what current devices are not

The gap between "a quantum computer" and "a cryptographically relevant quantum computer" is not a small one. It is measured in orders of magnitude.

Running Shor's algorithm against RSA-2048 requires fault-tolerant quantum computation. The circuit for factoring a 2048-bit RSA key contains millions of quantum operations, and each one must execute without the errors accumulating into a wrong answer. Gidney and Ekerå, writing in the journal Quantum in 2021, estimated that breaking RSA-2048 would require approximately 20 million physical qubits operating for around eight hours. That figure uses optimised circuit designs. It is not a worst-case estimate.

IBM's current processors and Google's Willow chip (announced December 2024) operate in the NISQ regime: Noisy Intermediate-Scale Quantum devices, with qubit counts in the hundreds and error rates too high for the sustained fault-tolerant computation that Shor's algorithm requires. The physical-to-logical qubit ratio under the surface code (the leading error correction approach) runs roughly 1,000:1 at currently achievable error rates. Four thousand error-corrected logical qubits for Shor's algorithm therefore implies roughly four million physical qubits. Current best hardware sits at 105 to 1,000-plus physical qubits. The distance is not bridgeable by the next hardware generation.

There is one counterintuitive point worth making clearly: elliptic curve cryptography is more vulnerable than RSA at equivalent security levels, not less. The resource cost of running Shor's algorithm against a 256-bit elliptic curve key (P-256, the TLS default) is lower than against RSA-2048. At NISQ-era hardware neither is attackable. At fault-tolerant scale, ECC falls first. Roetteler et al. at ASIACRYPT 2017 estimated breaking P-256 requires approximately 2,330 logical qubits. For context on what Shor's algorithm does to both RSA and ECC across the protocol stack, see our article on why RSA and ECC will not survive a quantum computer.

What the expert probability estimates actually say

The most systematic public effort to answer the timing question is the Global Risk Institute's Quantum Threat Timeline Report. The 2024 edition, by Mosca and Piani, surveyed quantum computing experts on the probability of a CRQC at various time horizons. The results position approximately 50% probability in the 2033 to 2035 range.

These estimates come with a structural caveat. The respondents are quantum computing experts: physicists and engineers who work on quantum hardware. Expert surveys about unprecedented technical milestones have a known optimism bias in fast-moving fields. The appropriate use of the GRI figures is as a risk-framing tool: they represent the considered view of people closest to the engineering, not a prediction. An organisation that plans around a 2033 to 2035 window is not overclaiming. One that treats the threat as a 20-year irrelevance is ignoring both the evidence and the planning mathematics.

The US government's public planning assumptions align with this range. NSA CNSA 2.0 (September 2022) mandated full retirement of RSA and ECC from US National Security Systems by 2033. That is the completion deadline, not the start date. The planning assumption embedded in the mandate is that a CRQC could be operational during the transition period, requiring migration to be finished before 2033. Governments do not set hard compliance deadlines a decade in advance without a reason.

NIST IR 8547 (November 2024) provides the second anchor. It formally deprecates RSA, ECDH, ECDSA, DSA, and finite-field Diffie-Hellman in new deployments by 2030 and frames full legacy retirement by 2035. The 2030 date is not a Q-Day estimate. It is the point at which deploying a new system using RSA-2048 falls outside the NIST-recommended baseline. The dates are different for a reason: 2030 is the last point at which new systems should be built on algorithms we know are being retired; 2033 to 2035 is the window where the threat itself materialises. The full transition calendar and its implications for cryptographic asset owners are set out in our analysis of the NIST IR 8547 transition timeline.

Why the timeline matters even if Q-Day is in 2035

The framing of "Q-Day is a decade away, so there is no urgency now" fails on three counts.

The first is harvest-now-decrypt-later. A state-level adversary with bulk collection capability can capture encrypted sessions today and store them for later decryption: TLS traffic, VPN tunnels, classified diplomatic communications, financial transaction logs. The data is encrypted under RSA or ECDHE key exchange right now. When a CRQC arrives, Shor's algorithm breaks the key exchange retroactively, and the stored sessions become readable. The NSA has publicly acknowledged this attack vector. The NCSC's March 2025 migration guidance frames it as an active planning assumption, not a theoretical concern. For any data whose confidentiality requirement extends into the 2033 to 2035 window, the adversary collection is happening now. The clock for that data started years ago. For a breakdown of which data categories are most exposed to this threat, see our analysis of which data is most at risk from harvest-now-decrypt-later today.

The second is what Michele Mosca of the University of Waterloo calls the migration lead time argument. State it plainly: if migrating your systems takes five years, and your data needs to stay confidential for twelve years, and a CRQC arrives in ten years, you are already overdue. The binding constraint is not Q-Day timing. It is migration complexity. A large enterprise with a complex cryptographic estate (embedded devices, proprietary protocols, multi-tier PKI hierarchies, HSMs with multi-year firmware refresh cycles) may face a migration programme of five to seven years for its highest-priority systems alone. Organisations that begin planning when Q-Day probability exceeds 80% will begin too late. Mosca formalised this inequality in an IEEE Security and Privacy paper in 2018; the logic has not changed since.
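The inequality applied to a small portfolio, as an added example that is not from the original article. The system names, the `now=2025` reference year and every figure except the first entry's 12-year confidentiality and 5-year migration are constructed assumptions; the 2033 and 2035 arrival scenarios are the planning window discussed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str        # hypothetical system label
    shelf_life: int  # X: years the data must stay confidential
    migration: int   # Y: years needed to migrate this system

def exposure_years(s: System, years_to_crqc: int) -> int:
    """Years in which still-sensitive data is decryptable: max(0, X + Y - Z)."""
    return max(0, s.shelf_life + s.migration - years_to_crqc)

def latest_start(s: System, crqc_year: int) -> int:
    """Latest calendar year migration can begin so that X + Y <= Z holds."""
    return crqc_year - s.shelf_life - s.migration

def assess(systems, now, crqc_years):
    """Rank systems by worst-case exposure across CRQC arrival scenarios."""
    rows = []
    for s in systems:
        worst = max(exposure_years(s, z - now) for z in crqc_years)
        start_by = min(latest_start(s, z) for z in crqc_years)
        rows.append({"system": s.name, "worst_exposure": worst,
                     "start_by": start_by, "overdue": start_by < now})
    return sorted(rows, key=lambda r: r["worst_exposure"], reverse=True)

# Constructed portfolio; the first entry uses the article's own X and Y.
PORTFOLIO = [
    System("article-example", shelf_life=12, migration=5),
    System("web-sessions", shelf_life=1, migration=2),
    System("hsm-backed-pki", shelf_life=10, migration=7),
]

if __name__ == "__main__":
    # now=2025 is an assumed reference year, not a figure from the article.
    for row in assess(PORTFOLIO, now=2025, crqc_years=(2033, 2035)):
        print(row)
```

With the article's own figures (X = 12, Y = 5, Z = 10), `exposure_years` returns 7: the system is overdue by seven years regardless of which calendar year is taken as the start.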

The third is that waiting for certainty is itself a risk decision. At a roughly 50% probability of a CRQC by 2034 or 2035 (per the GRI 2024 median range, subject to verification), an organisation that defers migration until the probability is "high enough" is taking a probabilistic position on the security of its long-lived data. That is a board-level decision, not a technical default.

The NIST standards: the waiting period ended in 2024

For several years, the legitimate answer to "why have you not started PQC migration?" was "we are waiting for the standards to be finalised." That answer expired on 13 August 2024.

NIST published four final post-quantum cryptographic standards in August and October 2024, completing an eight-year evaluation process that drew submissions and analysis from cryptographic research teams across the world. The published standards are: FIPS 203 (ML-KEM, the key encapsulation mechanism replacing RSA and ECDH), FIPS 204 (ML-DSA, the primary digital signature algorithm replacing ECDSA and RSA signatures), FIPS 205 (SLH-DSA, a stateless hash-based signature scheme for high-assurance long-lived signing contexts), and FIPS 206 (FN-DSA, for constrained environments requiring compact signatures).

ML-KEM and ML-DSA are based on the hardness of the Module Learning With Errors (MLWE) problem, a lattice problem that has been under cryptographic scrutiny for more than 25 years. Lattice cryptography has a substantial published security analysis and no known efficient algorithm, classical or quantum, for solving it. The 2016 to 2024 NIST evaluation process involved public submission, open analysis rounds, and third-party cryptanalysis at the level of the global academic research community. These are not new, unvetted algorithms. They are the result of the most rigorous public algorithm standardisation process ever conducted for post-quantum cryptography.

Recent hardware milestones: what they mean and what they do not

Google's Willow chip, announced in December 2024, achieved a genuine engineering milestone: below-threshold error correction. This means the physical error rate in the system was low enough that adding more qubits to the error correction code reduced errors rather than compounding them. That is the correct direction. It confirms that fault-tolerant quantum computing is an engineering problem being solved, not an insurmountable physical barrier.

It does not mean a CRQC is imminent. Willow demonstrated this milestone at 105 physical qubits. The Gidney-Ekerå resource estimates for breaking RSA-2048 require roughly 20 million. Below-threshold error correction at 105 qubits is a necessary precondition for scaling toward fault tolerance. The distance between the precondition and the destination remains very large by any measure of quantum engineering progress. The progress is real. The gap is also real.

IBM's roadmap targets fault-tolerant quantum computation as a multi-decade programme. The quantum computing research community broadly agrees that the remaining engineering challenges are non-trivial: reliable qubit connectivity at scale, error rates sustained below threshold across millions of qubits, inter-qubit communication architecture at fault-tolerant scale. None of this diminishes the Willow result. It contextualises it against the Gidney-Ekerå baseline that still defines what a CRQC actually requires.

What this means for your organisation: the practical framing

The actionable conclusion is simple. Plan for 2033, not for the announcement.

An announcement that a CRQC has been successfully built would arrive, at best, with months of lead time in intelligence community briefings to governments. Commercially, the announcement would likely post-date the capability. An organisation that begins its cryptographic inventory on the day a CRQC is confirmed publicly has already lost the window for protecting its most sensitive data. That data is already in adversary storage.

The threat is asymmetric between symmetric and asymmetric cryptography. AES-256 encryption of stored data is not the urgent problem. Grover's algorithm provides a quadratic speedup against symmetric encryption, halving effective key length: AES-256 reduces to approximately AES-128 security against Grover, which remains computationally infeasible. AES-256 is adequate for quantum-era symmetric security without any change. The urgent migration is in asymmetric cryptography: RSA and ECC key exchange and digital signatures. That is the layer that protects the keys, not the bulk data.

The migration starts with a cryptographic inventory. No organisation can migrate what it has not mapped. The NIST NCCoE SP 1800-38B migration guidance establishes the Cryptographic Bill of Materials (CBOM) as the prerequisite to every subsequent migration step. Automated discovery tooling can identify TLS endpoints, certificate hierarchies, and library versions across an estate in weeks. Finding the complex cases is the point of the inventory: embedded devices with multi-year refresh cycles, HSMs whose firmware does not yet support ML-KEM, proprietary protocols with no available post-quantum migration path. Those are the items that will determine whether your programme completes before 2033.
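A first triage pass over inventory output, as an added example that is not from the original article or from NIST's guidance. The record fields (`asset`, `use`, `algorithm`, `pqc_capable`) and the sample entries are hypothetical; the algorithm families and replacements are the ones named in this article.

```python
# Families the article lists as deprecated under NIST IR 8547 (broken by Shor).
SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DSA", "DH")
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA")
REPLACEMENT = {"key-exchange": "ML-KEM (FIPS 203)",
               "signature": "ML-DSA (FIPS 204)"}

def classify(entry):
    """Map one inventory record to pqc / migrate / ok-symmetric / review."""
    algo = entry["algorithm"].upper()
    if algo.startswith(PQC):            # check PQC names first
        return "pqc"
    if algo.startswith(SHOR_BROKEN):    # "RSA-2048", "ECDH-P256", "DHE", ...
        return "migrate"
    if algo == "AES-256":               # adequate against Grover per the article
        return "ok-symmetric"
    return "review"                     # unknown or proprietary: needs a human

def migration_plan(cbom):
    """List assets needing migration, blocked ones first."""
    plan = []
    for e in cbom:
        if classify(e) != "migrate":
            continue
        plan.append({
            "asset": e["asset"],
            "algorithm": e["algorithm"],
            "replace_with": REPLACEMENT.get(e["use"], "review"),
            # e.g. HSM firmware without ML-KEM/ML-DSA support yet
            "blocked": not e.get("pqc_capable", True),
        })
    # Blocked items sort first: they decide when the programme can finish.
    return sorted(plan, key=lambda p: not p["blocked"])

# Constructed sample inventory (hypothetical assets).
CBOM = [
    {"asset": "vpn-gateway", "use": "key-exchange", "algorithm": "ECDH-P256"},
    {"asset": "root-ca-hsm", "use": "signature", "algorithm": "RSA-2048",
     "pqc_capable": False},
    {"asset": "backup-store", "use": "symmetric", "algorithm": "AES-256"},
    {"asset": "api-edge", "use": "key-exchange", "algorithm": "ML-KEM-768"},
    {"asset": "plant-link", "use": "key-exchange", "algorithm": "vendor-proto"},
]

if __name__ == "__main__":
    for item in migration_plan(CBOM):
        print(item)
```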

Steven Vaile is Director at Quantum Security Defence.