What Is a Logical Qubit and Why It Changes the Q-Day Timeline Calculation

Hardware announcements in quantum computing follow a reliable pattern: a large headline number, a spectacular benchmark, and a wave of coverage about what it means for encryption. The coverage rarely explains the one piece of information that would let a security professional make a sensible risk judgement: the difference between a physical qubit and a logical qubit.

That gap is not trivial. It is, in practical terms, a factor of roughly 1,000. Understanding it is the minimum requirement for reading a quantum hardware announcement and not being misled by it.

Physical Qubits and Logical Qubits: The Distinction That Matters

A physical qubit is the basic hardware unit of a quantum processor. In superconducting systems, the dominant commercial architecture, it is a Josephson junction operating at millikelvin temperatures, exhibiting quantum mechanical behaviour within a carefully controlled electromagnetic environment. Physical qubits are fundamentally noisy: they decohere, losing their quantum state through thermal fluctuations and electromagnetic interference. Current superconducting hardware operates with two-qubit gate error rates in the range of 10-3 to 10-2, between one error per hundred and one per thousand gate operations [VERIFIED: Krantz et al., Applied Physics Reviews 6, 021318 (2019)].

A logical qubit is different in kind, not just scale. It is a fault-tolerant quantum information unit built from multiple physical qubits using a quantum error-correcting code. The purpose is to encode quantum information in a way that errors on individual physical qubits can be detected and corrected, maintaining the logical state with arbitrarily low error rate, provided the physical error rate stays below the code's threshold. The logical qubit is the computational unit that Shor's algorithm actually requires. A processor with N physical qubits does not have N logical qubits available for cryptographically relevant computation.

The surface code, currently the most practically viable quantum error-correcting code for superconducting hardware, has a fault-tolerance threshold of approximately 1% (10-2) [VERIFIED: Fowler et al., Physical Review A 86, 032324 (2012)]. IBM, Google, and other manufacturers target physical two-qubit gate error rates below 0.1% (10-3) as their operating target. That is below the surface code threshold, which means fault-tolerant operation is physically possible on current-generation hardware. Possible is not the same as achieved at the scale needed to threaten encryption.

The threshold theorem guarantees that below the code threshold, adding more physical qubits to a logical qubit improves the logical error rate exponentially. Above it, scaling makes things worse. This is why getting physical error rates below 1% is a necessary condition for the entire fault-tolerant architecture to work [VERIFIED: Dennis et al., Journal of Mathematical Physics 43, 4452 (2002)].

The 1,000:1 Overhead: How We Get from Physical to Logical

The surface code achieves its error correction by arranging physical qubits in a two-dimensional grid, with data qubits interspersed with ancilla qubits that perform syndrome measurements. The number of physical qubits required per logical qubit depends on the code distance, d: the minimum number of physical errors that would cause an undetectable logical error. The physical qubit count per logical qubit is approximately 2d2.

To run Shor's algorithm against RSA-2048 with a tolerable accumulated error rate, the required logical error rate per gate is approximately 10-10. Achieving that at a physical error rate of 10-3 requires a code distance of approximately d = 27. That gives 2d2 − 1 = 1,457 physical qubits per logical qubit [VERIFIED: Fowler et al. 2012, Table I]. Rounded to the order of magnitude used in planning: approximately 1,000 physical qubits per logical qubit.

Gidney and Ekerå (2021) calculated that factoring a 2048-bit RSA integer with an optimised surface code implementation requires approximately 20 million physical qubits, running for approximately 8 hours on a fault-tolerant quantum computer [VERIFIED: Gidney and Ekerå, Quantum 5, 433 (2021)]. This is the peer-reviewed resource estimate that NIST and NSA use in their migration planning. It is not a theoretical upper bound. It is an optimised lower-bound estimate: the minimum credible physical resource requirement assuming best-case implementation at the physical error rates that current hardware targets.

Current hardware is nowhere close. IBM Heron r2 has 156 physical qubits. Google Willow (December 2024) has 105 physical qubits. IBM Condor (2023) has 1,121 physical qubits, the highest public physical qubit count as of the time of writing. Against the 20 million qubit Gidney-Ekerå threshold, that is a factor of approximately 18,000 below the minimum requirement for cryptographic relevance. The 1,000:1 ratio makes the comparison concrete: IBM Condor's 1,121 physical qubits fall short of the approximately 1,458 required for a single d=27 logical qubit in a surface code architecture.

How to Read a Hardware Announcement Without Being Misled

The translation rule is simple. When you read a headline that says "N-qubit processor," divide N by approximately 1,000 to get a rough estimate of the logical qubit count available for fault-tolerant computation at current error rates. A 1,000-qubit processor represents approximately one logical qubit. A 10,000-qubit processor represents approximately ten. The CRQC threshold is approximately 20,000 logical qubits.

Hardware marketing measures physical qubits, quantum volume, CLOPS, and circuit fidelity benchmarks. None of those metrics directly measures cryptographic threat capability. A CISO reading these numbers needs the translation, not the headline.

The Google Willow announcement of December 2024 illustrates the confusion well. Willow solved a random circuit sampling benchmark in under five minutes that would, by Google's estimation, take a classical supercomputer 1025 years to replicate [VERIFIED: Acharya et al., Nature 634, 648–652 (2024)]. That is a genuine and important scientific result. It is not a cryptographic threat. The random circuit sampling task is specifically designed to be hard for classical simulators; it has no structural relationship to Shor's algorithm or any known cryptanalytic problem. Willow has 105 physical qubits. It is not capable of running Shor's algorithm on cryptographically relevant key sizes, nor is any currently announced system.

The more significant finding in the Willow paper is subtler: as Willow increased its code distance from d = 3 to d = 5 to d = 7, the logical error rate decreased exponentially. That is exactly what the surface code theory predicts for operation below the fault-tolerance threshold. It is the first time a commercial processor has demonstrated this behaviour at scale. It confirms that the surface code architecture works in practice. It does not compress the timeline to CRQC capability. It validates the engineering direction.

Q-Day: The 2033-2035 Range and Why It Exists

Q-Day is the informal term for the first moment at which a cryptographically relevant quantum computer (CRQC) exists, capable of running Shor's algorithm against RSA-2048 or ECDSA P-256 within hours to days. The Gidney-Ekerå 20 million physical qubit estimate is the technical anchor. Translating to logical qubits: at 1,000:1 overhead, that is approximately 20,000 logical qubits operating with the specific gate sequence and magic state distillation required for Shor's algorithm.

The 2033-2035 window used in QSECDEF's risk planning is a probabilistic estimate derived from published scaling trajectories, error rate improvement trends, and the remaining engineering challenges. NIST IR 8547 (November 2024) provides the authoritative policy anchor: RSA and ECC are designated for deprecation before 2030 and disallowance after 2035 [VERIFIED: NIST IR 8547, Transitioning the Use of Cryptographic Algorithms and Key Lengths, November 2024]. The disallowance date of 2035 represents NIST's judgement that 2033-2035 is the credible earliest threat window. That is not a prediction. It is a risk planning horizon calibrated to give organisations enough runway to complete migration before the threat materialises.

The Mosca inequality translates the horizon into a decision rule. If a system must be protected for X more years, and migration takes Y years, and the probability of a CRQC within X + Y years is non-negligible, migration should begin now. A system that must remain protected until 2040 (X = 14 years from 2026) and whose migration takes 5 years (Y = 5) should be in active migration no later than 2031, on the assumption that the 2033-2035 window is credible. For data already collected and stored under HNDL (harvest-now-decrypt-later) attack methodology, the threat date is today, not 2033. Adversaries do not need a CRQC to harvest ciphertext. They need one only to decrypt it.

For a deeper analysis of error correction dynamics and their relationship to the Q-Day estimate, see the dedicated error correction Q-Day analysis.

Apply the Mosca inequality to your own data exposure using the QSECDEF Quantum Threat Assessment tool.

What It Would Take to Reach 20 Million Physical Qubits

Reaching 20 million physical qubits is not a single engineering problem. It is at least five independent ones, and progress on any one of them does not guarantee progress on the others.

Physical qubit count is four orders of magnitude from the current best hardware to the CRQC threshold. That scaling must be achieved while holding physical error rates at or below 10-3 per two-qubit gate. Maintaining error rates as the system scales is harder than achieving them on small processors: crosstalk between qubits, fabrication uniformity, and electromagnetic isolation become more difficult to control at scale [VERIFIED: Fowler et al. 2012 resource analysis; Martinis and Megrant on control electronics scaling challenges].

Classical control electronics for 20 million qubits require 20 million independent control channels. Current cryogenic electronics do not scale to this density at dilution refrigerator temperatures. Connectivity and routing in a surface code architecture require nearest-neighbour high-fidelity gates; maintaining that topology at 20 million qubit scale is an unsolved engineering problem.

Then there is magic state distillation. Shor's algorithm requires T gates, which cannot be implemented fault-tolerantly in the surface code without a resource-intensive subroutine that consumes physical qubits as ancilla. The Gidney-Ekerå 20 million qubit estimate includes the physical qubits allocated to magic state distillation factories, which represent a substantial fraction of the total budget [VERIFIED: Gidney and Ekerå 2021; Bravyi and Kitaev, Physical Review A 71, 022316 (2005)]. Any improvement in distillation efficiency reduces the total physical qubit requirement and potentially compresses the Q-Day timeline. This is an active research area and the primary source of downside uncertainty in the 2033-2035 estimate.

None of these challenges is a fundamental physical barrier. Each is an engineering problem of enormous difficulty. The distinction matters for planning: Q-Day is not physically impossible. It is engineeringly hard on a multi-year timeline.

What the 2024-2025 Advances Actually Mean for the Timeline

Google Willow's December 2024 result is worth being precise about. It demonstrated below-threshold fault-tolerant operation: the logical error rate decreased exponentially as code distance increased, through d = 3, 5, and 7 surface code implementations. That is the proof-of-principle that the surface code architecture operates as the theory predicts, on real hardware, below the threshold. It does not mean Willow can be scaled to 20 million qubits, or that the other four engineering problems have been solved [VERIFIED: Acharya et al. 2024, Table 1 and supplementary data].

Microsoft's topological qubit announcement of February 2025 claimed a fundamentally different approach: Majorana-based qubits with inherently lower error rates than superconducting alternatives. If the claimed performance characteristics are validated and reproduced at scale, topological qubits could achieve fault-tolerant operation with a lower physical-to-logical overhead than the 1,000:1 surface code reference. The claims remained under independent peer review at the time of writing [ASSUMED: verify current peer review status as of June 2026 before publication; this is a temporally anchored claim]. An approach that reduces the overhead ratio from 1,000:1 to, say, 100:1 would compress the physical qubit requirement for a CRQC by an order of magnitude and accelerate the credible Q-Day window.

The hardware roadmaps for 2026-2030 project further progress on physical qubit count and error rates. IBM's published roadmap targets fault-tolerant operation of logical qubits within a commercially usable quantum system by the late 2020s. For the hardware roadmap context, see the fault-tolerance roadmaps analysis.

The correct interpretation of all recent progress is: the engineering path is confirmed viable. The timeline remains 2033-2035 as the earliest credible window for the CRQC threat. The correct response to uncertainty about whether it will be 2033 or 2038 is to migrate before 2033 regardless. The organisations that begin in 2026 will finish in time. The ones that wait for certainty about the exact date will not.

Sources

  • Gidney, C. and Ekerå, M., "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits," Quantum 5, 433 (2021). doi:10.22331/q-2021-04-15-433
  • Fowler, A.G. et al., "Surface codes: Towards practical large-scale quantum computation," Physical Review A 86, 032324 (2012). doi:10.1103/PhysRevA.86.032324
  • Acharya, R. et al. (Google), "Quantum error correction below the surface code threshold," Nature 634, 648–652 (2024). doi:10.1038/s41586-024-08219-8
  • Dennis, E. et al., "Topological quantum memory," Journal of Mathematical Physics 43, 4452 (2002). doi:10.1063/1.1499754
  • Krantz, P. et al., "A Quantum Engineer's Guide to Superconducting Qubits," Applied Physics Reviews 6, 021318 (2019). doi:10.1063/1.5089550
  • Bravyi, S. and Kitaev, A., "Universal quantum computation with ideal Clifford gates and noisy ancillas," Physical Review A 71, 022316 (2005). doi:10.1103/PhysRevA.71.022316
  • NIST IR 8547. doi:10.6028/NIST.IR.8547 (November 2024)
  • Mosca, M., "Cybersecurity in an era of quantum computing," IEEE position paper (2015). uwaterloo.ca/~mmosca