AI & Computing

Cryptographically Relevant Quantum Computer

A quantum computer capable of running Shor's algorithm at sufficient scale to break RSA-2048 or equivalent elliptic-curve encryption — not a lab demonstration on toy key sizes, but a system that renders current public-key cryptography practically insecure.

Cumulative probability Probability density
Median year
2035
P10 – P90 range
2030 – 2050
Probability ever occurs
85%
Last reviewed
June 2026
YES

A quantum computer can crack the public-key encryption underpinning internet security, financial systems, and state secrets. The internet's trust layer requires emergency replacement — a transition most organisations will not have completed in time.

NO

Quantum hardware progress stalls below the threshold needed for cryptographic relevance. Error correction overheads remain too high, qubit coherence times too short, or required qubit counts too large for any system built within this window. Post-quantum cryptography migration proceeds as a precaution, not a response.

Where things stand

Quantum computing has made genuine progress — but current hardware is far from cryptographically relevant. Breaking RSA-2048 using Shor’s algorithm is estimated to require roughly 4,000 logical qubits, which in turn requires millions of physical qubits once error-correction overheads are factored in. As of mid-2026, the best publicly known systems operate with hundreds to low thousands of physical qubits, with error rates far too high to sustain the deep circuits cryptographic attacks demand.

Key milestones and players:

  • IBM: roadmap targeting error-corrected “utility-scale” systems through the late 2020s; physical qubit counts now exceed 1,000 but logical qubit demonstrations remain limited
  • Google: claimed narrow quantum supremacy in 2019 for a specific sampling task; published advances in error correction in 2023–2024 using their Willow chip, showing error rates fall as qubits are added — an important sign the approach scales
  • Microsoft: announced a topological qubit approach in early 2025, claiming a new path to lower error rates; independent verification is ongoing
  • State programs: China and the United States both run classified quantum programs; public disclosures significantly lag presumed capability

The US National Security Agency and NIST have both stated publicly that a CRQC should be assumed possible within the coming decades. NIST finalised its first set of post-quantum cryptographic standards in 2024 — an acknowledgement that migration must begin now, regardless of exact timelines.

The “harvest now, decrypt later” threat is already live: adversaries can capture encrypted traffic today and decrypt it once a CRQC exists. This means the practical security deadline for sensitive long-lived data is already past.

The reference year of 2035 reflects a central estimate consistent with expert surveys and government planning horizons. The optimistic 2030 bound reflects the possibility that classified programs or an unexpected hardware breakthrough compresses the timeline. The 2050 bound captures the real possibility that physical engineering challenges — coherence times, interconnects, cryogenic scaling — prove harder than theoretical estimates suggest.

Sources