Quantum Error Correction Explained: What It Means for the Q-Day Timeline

The reason we do not already have a cryptographically relevant quantum computer is not a puzzle about physics. The physics has been understood since the 1990s. The barrier is engineering: specifically, the engineering of quantum error correction at a scale that makes Shor's algorithm executable on RSA-2048. Google's Willow chip in December 2024 cleared one of the most important experimental hurdles on that path. Understanding what it demonstrated, and what it did not, is essential context for any Q-Day planning conversation.

This article is for security architects, CISOs, and technical leaders who want to understand why quantum error correction is the gating factor for Q-Day, without needing to work through stabiliser code mathematics. The cryptographic threat itself is explained in the companion article on Shor's algorithm and why RSA and ECC will not survive a quantum computer.

Why Quantum Computers Need Error Correction

Physical quantum bits are fragile. They interact with their surroundings through electromagnetic radiation, thermal fluctuations, and vibrations. Each interaction can corrupt the qubit's quantum state. This process, called decoherence, accumulates errors as circuits grow deeper or qubits are stored longer. A quantum computation at cryptographic scale contains millions of operations. Without correcting the errors introduced along the way, the output is noise.

Quantum error correction (QEC) addresses this by encoding the information of one logical qubit across many physical qubits. The strategy is redundancy: distribute the information so that errors affecting a subset of physical qubits can be detected and fixed without measuring, and thereby disturbing, the logical state. The mechanism is syndrome measurement. By measuring only the correlations between qubits, not their states, the system can determine which errors occurred without learning what information is stored. The foundational treatment is Nielsen and Chuang's textbook chapter on QEC; the stabiliser code formalism is due to Gottesman (1997).

The threshold theorem, proved independently by Aharonov and Ben-Or (1999) and Shor (1996), establishes the result that makes large-scale fault-tolerant quantum computing theoretically achievable. Below a critical physical error rate, adding more qubits to the error correction scheme improves performance faster than the new qubits introduce errors. Above that threshold, the reverse is true. The existence of this threshold is why "just make the machine bigger" is not a viable path unless the error rate is already below it.

Classical error-correcting codes use a structurally similar idea: encode data redundantly and correct errors using the redundancy. The quantum version is more constrained. You cannot simply copy a qubit's state to check it, because measurement disturbs quantum states. Syndrome measurement sidesteps this by measuring only parity information. The analogy to classical error correction is useful for intuition but should not be pushed too far.

The Surface Code: Why It Dominates Hardware Development

The surface code is currently the most practically favoured QEC architecture for superconducting qubit platforms, including those used by IBM and Google. Its qubits are arranged in a two-dimensional lattice. Each data qubit is surrounded by ancilla qubits that perform syndrome measurements. The surface code has two significant practical advantages: it requires only nearest-neighbour qubit interactions, which is compatible with standard 2D chip fabrication; and its error threshold is approximately 1%, meaning physical error rates below roughly 1% are sufficient to enter the below-threshold regime where more qubits help rather than hurt. The canonical reference is Fowler et al. (2012).

The cost is physical qubit overhead. At a physical error rate of approximately 0.1% per operation, a distance-d surface code requires roughly d² physical qubits per logical qubit. The distance of a surface code is the minimum number of physical errors required to cause an undetectable logical error. Higher distance means better protection and more qubits. A distance-7 surface code uses approximately 49 physical qubits per logical qubit and achieves a logical error rate of approximately 1.43 x 10⁻³ per cycle at 0.1% physical error rate.

Running Shor's algorithm on RSA-2048 requires many thousands of logical qubits, and those logical qubits need to hold their state reliably through hundreds of millions of error-correction cycles. Under current engineering assumptions, Gidney and Ekerå (2021) estimated the resource requirement at approximately 20 million physical qubits operating over eight hours. Under more optimistic assumptions about error rates and circuit optimisation, lower estimates have been published. But the Gidney-Ekerå figure remains the standard planning benchmark: 20 million noisy physical qubits, not 20 million clean logical ones.

The Willow Result: What Google Actually Demonstrated

In December 2024, Google Quantum AI published results in Nature demonstrating below-threshold quantum error correction using their 105-qubit Willow chip. The experiment used a distance-7 surface code. The key result: as the team increased the surface code distance from 3x3 to 5x5 to 7x7 qubit arrays, the logical error rate decreased exponentially. This exponential suppression is the central prediction of surface code theory, and it had not been demonstrated experimentally before. The logical qubit lifetime exceeded the best physical qubit lifetime on the chip by a factor of 2.4.

The significance is that the physics works as predicted. Below-threshold, distance-scalable error correction has been confirmed in hardware. This is not a minor calibration result. It is the experimental proof that the engineering path from current hardware to a fault-tolerant machine is theoretically sound.

What it is not: a demonstration of any cryptographic capability. A distance-7 code on 105 physical qubits produces one or two logical qubits. Breaking RSA-2048 requires approximately 4,000 logical qubits under optimistic estimates, backed by roughly 20 million physical qubits. The Willow machine sits at 105 physical qubits. The gap is roughly five orders of magnitude in physical qubit count. The Willow result is a scientific milestone confirming the theoretical basis for scaling. The distance between confirming the theory and building the machine is measured in engineering, not physics.

IBM is pursuing a different architectural path. Their Bivariate Bicycle code, a type of quantum low-density parity check (qLDPC) code described in a 2024 Nature paper (Bravyi et al., 2024), achieves 12 logical qubits from 144 physical data qubits, versus the roughly 1,452 to 2,028 physical qubits a surface code would require for the same 12 logical qubits. The qLDPC approach has better physical-to-logical qubit overhead than surface code, which matters for estimating how many physical qubits a CRQC will actually need. For the full current state of IBM and Google's roadmap progress, see quantum computing progress 2026: IBM and Google.

The Gap Between Today and a Cryptographically Relevant Machine

Three conditions must be met simultaneously for a CRQC capable of running Shor's algorithm on RSA-2048 to exist.

First, physical qubit count. Current leading systems: approximately 1,000 to 1,100 physical qubits (IBM's Condor, 1,121 qubits). Required under Gidney-Ekerå: approximately 20 million. The gap is roughly four orders of magnitude.

Second, physical error rates. Current best demonstrated rates: approximately 0.1% to 0.3% per gate operation, with significant variation by gate type and machine. The surface code threshold is approximately 1%. Willow demonstrated 0.1% physical error rates in the distance-7 experiment, which is at the edge of what the Gidney-Ekerå resource estimate assumes. The qLDPC approach has higher thresholds, which may relax this constraint.

Third, logical qubit count and circuit depth. IBM's Starling system, targeted for 2029, is planned for 200 logical qubits running 100 million gates. IBM Blue Jay, targeted for 2033, is planned for 2,000 logical qubits. The Gidney-Ekerå estimate for RSA-2048 is approximately 4,000 logical qubits under optimistic assumptions. IBM's own roadmap places a machine at the 4,000-logical-qubit capability level somewhere around or after 2033, under their current trajectory.

The Willow and IBM qLDPC results reduce uncertainty on the fundamental physics. Engineering scale-up from 100 to 20 million physical qubits, while maintaining error rates at or below 0.1% across the entire machine, with classical control systems and cryogenic infrastructure capable of operating at that scale, is the dominant remaining challenge. Engineering problems, once the underlying physics is validated, are typically faster to solve than physics problems. That observation does not make the challenge trivial. It changes the character of the uncertainty.

What QEC Progress Means for Q-Day and Your Migration Plan

The Mosca inequality provides the formal risk framework. If the time until a CRQC exists is less than the migration time plus the remaining confidentiality requirement of data already encrypted, an organisation has a problem now. The applicable Q-Day estimate for planning is the 2033-2035 range used by NIST IR 8547 (November 2024) and NSA CNSA 2.0 (September 2022). The Global Risk Institute Quantum Threat Timeline Report 2025 (Mosca and Piani, published 9 March 2026) found that 28 to 49% of surveyed quantum computing experts assigned more than 50% probability to a CRQC existing within 10 years, the highest 10-year estimate in the report's history.

Each experimental QEC result like Willow narrows the theoretical uncertainty about whether a fault-tolerant quantum computer is achievable. It does not change the engineering gap. But it does change the confidence that the engineering challenge is solvable in the 2030s rather than the 2050s. The 2033-2035 planning range is a considered estimate, not an alarm. It is also not a ceiling.

The harvest-now-decrypt-later (HNDL) threat makes Q-Day uncertainty irrelevant to the immediate action question. Data intercepted today under RSA or ECDH key exchange is stored as ciphertext. If a CRQC becomes available in 2033, data captured in 2026 becomes readable in 2033. The uncertainty in Q-Day timing is not a reason to delay. It is the argument for acting now: an organisation that waits for certainty will be in the harvest window for the full duration of its delay. For the full analysis of the CRQC timeline and the evidence base behind the 2033-2035 range, see the CRQC timeline: when quantum computers become a real threat.

For security planning, the practical implication of the Willow result is this: the theoretical barriers to Q-Day have been substantially cleared. The remaining barriers are engineering. Engineering barriers are faster to fall than physics barriers, once the theory is validated. Planning for a 2033-2035 CRQC is not overreaction. It is a proportionate response to a risk whose probability distribution is shifting in one direction.


About the Author

Steven Vaile is Director at Quantum Security Defence. He advises governments, financial institutions, and critical infrastructure operators on quantum security strategy and post-quantum cryptography migration. He is a keynote speaker at the QSECDEF World Symposium. View on LinkedIn | View Team | QSecDef Events