Q-Day Moves Closer as Qubit Thresholds Plummet
Three recent papers have slashed the qubit count needed to break RSA and ECC, accelerating the quantum threat timeline and urgency of PQC migration.
The quantum threat timeline just compressed. Over the past three months, three separate research papers have each reduced the estimated number of qubits needed to crack widely used encryption by an order of magnitude or more. What used to look like a distant, theoretical risk now has the security community recalculating how much time remains before Q-Day, the point at which a quantum computer can break today’s public-key cryptography in practice.
If your organization is still treating post-quantum cryptography (PQC) migration as something to worry about later, these papers should change that.
From 20 million qubits to under 100,000
The decline in estimated qubit requirements has been dramatic. In 2019, Google Quantum AI researcher Craig Gidney estimated that breaking RSA-2048 would require roughly 20 million physical qubits. In May 2025, Gidney published an updated analysis showing that figure had dropped below one million, a 20x reduction achieved entirely through algorithmic improvements rather than hardware advances. His approach used techniques including approximate residue arithmetic, yoked surface codes for denser qubit storage, and magic state cultivation for more efficient fault-tolerant gates.
Then in February 2026, Sydney-based startup Iceberg Quantum introduced their Pinnacle architecture using quantum low-density parity-check (QLDPC) codes. Their paper pushed the RSA-2048 requirement below 100,000 physical qubits, another order-of-magnitude drop. This approach has caveats: it requires qubit connectivity beyond nearest-neighbor arrangements and has only been validated through simulation. But partner companies project systems at this scale within three to five years.
The trajectory is hard to ignore. Qubit requirements for factoring RSA-2048 have fallen from hundreds of millions in 2012, to 20 million in 2019, to under one million in 2025, to under 100,000 in 2026.
Elliptic curve cryptography is also in trouble
The third paper, published by Google Quantum AI in March 2026, focused on elliptic curve cryptography (ECC), the algorithm protecting virtually every major cryptocurrency and most digital signatures in use today. The researchers showed that breaking 256-bit ECC would require fewer than 500,000 physical qubits and could be completed in minutes rather than days.
One claim stands out: under idealized conditions, a primed quantum computer could derive a private key before a Bitcoin transaction confirms with roughly 41% probability. Google took the unusual step of releasing zero-knowledge cryptographic proofs to verify their resource estimates without exposing actual attack circuits. That kind of responsible disclosure itself says something about how seriously the team views the findings.
Google sets a 2029 migration deadline
In response to these accelerating timelines, Google has publicly committed to completing its own PQC migration by 2029. The company is prioritizing authentication services and digital signature systems and has already begun rolling out quantum-resistant protections across its product ecosystem.
Android 17 will adopt ML-DSA (the Module-Lattice-Based Digital Signature Algorithm standardized as FIPS 204) for Android Verified Boot, protecting device integrity verification with quantum-resistant signatures. Google Play is moving to generate quantum-safe ML-DSA signing keys for new applications, with existing apps able to opt in regardless of their target API level.
Google VP of Security Engineering Heather Adkins and Senior Staff Cryptology Engineer Sophie Schmieg have framed it as leading by example with an ambitious timeline to push industry-wide adoption.
Why your organization can’t afford to wait
Despite the urgency, readiness across the industry is low. According to the Trusted Computing Group, 91% of businesses still lack a formal roadmap for migrating to quantum-safe algorithms. Canada has set federal PQC migration plan deadlines for April 2026, with critical system prioritization by 2031 and full migration by 2035. In the U.S., NIST’s three finalized PQC standards (FIPS 203, 204, and 205) provide the foundation, but adoption is lagging.
The harvest-now, decrypt-later threat makes this particularly pressing. Adversaries are already capturing encrypted traffic today with the expectation of decrypting it once quantum computers mature. If your organization handles data with long confidentiality requirements (healthcare records, financial data, government communications, intellectual property) the window for getting ahead of this is shrinking.
What to do now
The algorithmic advances in these papers are not hardware breakthroughs. They are mathematical insights that permanently lower the bar. Each new paper builds on the last, and there is no reason to expect this trend will stop. Organizations should begin by inventorying their cryptographic dependencies, prioritizing systems that handle long-lived secrets, and building a concrete migration roadmap aligned with the NIST PQC standards.
Q-Day keeps getting closer. The question was never really “if,” and “when” is looking more and more like this decade.