When will quantum computers threaten your cryptographic systems?

Scenario analysis grounded in published hardware benchmarks and resource estimates. Not a prediction. A decision-support tool.

Every CISO planning a PQC migration needs to estimate Z in the X+Y vs Z timing test: when will a cryptographically relevant quantum computer arrive? This tool puts the published data in one place so you can see what the researchers and hardware vendors actually report.

Based on published data as of April 2026 Complementary to GRI expert surveys No account required

Data transmitted today is already at risk

Harvest Now, Decrypt Later (HNDL): adversaries capture encrypted traffic today and store it for decryption when quantum capability arrives. The scenario ranges below tell you when the decryption becomes possible.

Cryptography reference texts. NSA CNSA 2.0 advisory. GRI 2025 survey.

Select your cryptographic systems

Which algorithms does your organization use? Select all that apply. Three common defaults are pre-selected.

Vulnerable to Shor's algorithm (asymmetric cryptography)

RSA-2048

Most TLS certificates, email encryption, VPNs, code signing

RSA-3072

Higher-security TLS, government systems, long-lived certificates

RSA-4096

PGP keys, root CAs, long-term document signing

ECDSA P-256

TLS 1.3, Apple/Google certificates, FIDO2/WebAuthn, IoT

ECDSA P-384

Government high-assurance, CNSA Suite, some financial systems

ECDSA secp256k1

Bitcoin, Ethereum, most blockchain networks

Ed25519

SSH keys, Signal protocol, WireGuard, modern TLS

Affected by Grover's algorithm (symmetric cryptography)

AES-128

Reduced to 64-bit equivalent. Low practical risk at scale. Many legacy systems.

AES-256

128-bit equivalent post-Grover. Quantum-safe. Standard recommendation.

SHA-256

Grover gives quadratic speedup on preimage. Minimal practical impact.

3 systems selected

Published data as of April 2026 Scenario analysis, not prediction Complementary to GRI expert surveys

Your encrypted data from before migration completes is already harvestable

Every scenario below shows when decryption becomes possible. The collection already happened. This line extends into the past.

Breakthrough

Acceleration

Central

Stall

Today (2026)

What expert surveys say (complementary data)

The Global Risk Institute surveys 26-32 quantum experts annually. Their 2025 results:

28-49%

say >50% chance of CRQC within 10 years

69%

say >50% chance within 15 years

92%

say >50% chance within 20 years

The scenario ranges above are grounded in published hardware data and resource estimates. The GRI survey captures expert judgment about factors this tool cannot: classified programs, unpublished breakthroughs, funding shifts. Both are useful inputs to migration planning.

Global Risk Institute, Quantum Threat Timeline Report, 2024-2025.

The declining requirements

Published quantum resource estimates for breaking RSA-2048 have dropped by roughly 200x in seven years. Three papers, not a law.

Year	Paper	Physical Qubits	Key Innovation	Source
2021	2021 published estimate	20,000,000	Surface code, 10^-3 error rate	arXiv:1905.09749 (updated 2021)
2025	Published update (2025)	<1,000,000	Yoked surface codes, magic state cultivation	arXiv:2505.15917
2026	Iceberg (Pinnacle)	<100,000	Quantum LDPC codes debated	arXiv:2602.11457

200x reduction in 7 years across 3 papers from related research programs

Each reduction came from a specific technical advance, not a predictable rate of improvement. 2025 published update used yoked surface codes. Iceberg 2026 used quantum LDPC codes (still debated in the community). The next advance may come in one year or in ten. There is no basis for smooth extrapolation.

A common critique in the field: fitting a trend line to three data points is curve-fitting, not science.

Other algorithm estimates

Algorithm	Physical Qubits	Source	Date
secp256k1	<500,000	Google, secp256k1 estimate	2026
ECDSA P-256	~4,000,000	arXiv:1706.06752	2017
AES-128 (Grover)	~5,000,000	AES Grover analysis (2016)	2016

ECDSA P-256 and AES-128 estimates have not been updated with modern error correction techniques. When updated, requirements will likely decrease.

Where hardware stands today

Published benchmarks from hardware vendors and academic labs. Achieved milestones weighted higher than roadmap targets.

Superconducting

Trapped-Ion

Photonic

Neutral Atom

Vendor	System	Physical Qubits	Status	Date
IBM	Eagle	127	Achieved	2021
IBM	Osprey	433	Achieved	2022
IBM	Condor	1,121	Achieved	2023
IBM	Heron	156	Achieved (improved fidelity)	2024
IBM	Starling	10,000	Roadmap target	2029
IBM	Blue Jay	2,000 logical	Roadmap target	Post-2029
Google	Sycamore	53	Achieved	2019
Google	Willow	105	Below-threshold demo (Nature)	2024

IBM has delivered every processor on its published roadmap since 2020. Google's Willow demonstrated error correction below threshold for the first time. Heron prioritized fidelity over qubit count (156 vs Condor's 1,121). IBM Quantum Roadmap (ibm.com/quantum/roadmap). Google Quantum AI, Nature 2024.

Vendor	System	Physical Qubits	Status	Date
Quantinuum	H2	56	Achieved	2024
Quantinuum	Helios	98	Achieved (48 logical)	2025
Quantinuum	Apollo	Thousands	Roadmap (hundreds logical)	2029
IonQ	Forte Enterprise	36	Achieved	Current
IonQ	2027 target	10,000	Roadmap (800 logical)	2027
IonQ	2030 target	2,000,000	Roadmap (80,000 logical)	2030

Trapped-ion systems have the highest gate fidelities but lower qubit counts. IonQ's 2030 target of 2M qubits was announced during its SPAC era and has no demonstrated path. Weight accordingly. Quantinuum's Helios is the current logical qubit leader. IonQ public filings. Quantinuum press releases. IONQ 10-K.

Vendor / Lab	System	Photonic Qubits	Status	Date
USTC (Pan/Lu)	Jiuzhang 1.0	76	PRL	2020
USTC (Pan/Lu)	Jiuzhang 2.0	113	PRL	2021
USTC (Pan/Lu)	Jiuzhang 3.0	255	PRL	2023
USTC (Pan/Lu)	Jiuzhang 4.0	3,050	arXiv	2025
Xanadu	Borealis	216	Nature	2022
PsiQuantum	Target	1,000,000+	Roadmap (no date confirmed)	TBD

Photonic systems demonstrate the highest raw qubit counts (USTC Jiuzhang 4.0: 3,050) but are specialized Gaussian Boson Sampling machines, not universal quantum computers. PsiQuantum's million-qubit target has no confirmed date. Pan Jianwei et al., PRL (multiple). Xanadu, Nature 2022.

Vendor / Lab	System	Atoms	Status	Date
QuEra	Aquila	256	Achieved	2023
Atom Computing	,	1,180	Achieved	2023
Pasqal	,	200+	Achieved	2024
USTC trapped-ion group	2D trapped-ion simulator	512	Nature 2024	2024

Neutral atom arrays offer the highest qubit counts among universal platforms (Atom Computing: 1,180) with native long-range connectivity. Still early in error correction demonstrations. A 2D trapped-ion array at Tsinghua (512 ions) demonstrates a modular architecture path not represented in Western vendor roadmaps. QuEra, Atom Computing, and Pasqal press releases. Nature 2024 publications.

The gap is closing from both directions. Resource estimates are declining (20M → <100K qubits for RSA-2048). Hardware is scaling up (156 → 10,000 target for IBM). But the rates of change are not stable, and there is no physical law that says they will converge on any particular schedule.

What this model includes and what it does not

Data coverage

IBM, Google (superconducting), published benchmarks and roadmaps

Quantinuum, IonQ (trapped-ion), published benchmarks and public filings

USTC Pan/Lu, Xanadu (photonic), peer-reviewed publications

QuEra, Atom Computing, Pasqal (neutral atom), published milestones

Tsinghua trapped-ion group, USTC (trapped-ion/simulator), Nature, PRL publications

Origin Quantum, SpinQ, Baidu Quantum, limited English-language benchmarks

Not included

Classified programs from any country (US, China, Russia, others)

Defense-linked research not published in academic venues

Chinese private company capabilities beyond public announcements

Unpublished algorithmic improvements at any lab

Enabling technologies (cryogenics, control electronics, networking)

Classical co-processing requirements for full CRQC pipeline

The actual capability frontier may be ahead of what published data shows. This model captures what is publicly known.

Model assumptions (verify these for yourself)

1No classified CRQC currently exists

2Published roadmaps are weighted by vendor delivery track record

3No discontinuous algorithmic breakthrough occurs (e.g., new factoring approach)

4Error correction improves along published trajectories

5Enabling technologies (cryogenics, control, networking) keep pace with QPU scaling

6Lattice-based PQC standards (ML-KEM, ML-DSA) remain secure

If any assumption is wrong, the scenario ranges shift. This is why this tool presents ranges, not predictions. Assumptions informed by review of published expert positions (April 2026).

What could change everything

New error correction code, LDPC codes already reduced estimates by 10-20x. The next such advance could do the same. Accelerates timeline.

New factoring algorithm, A breakthrough in quantum or classical factoring would shift resource requirements discontinuously. Direction unpredictable.

Quantum networking, Connecting small QPUs into larger effective systems could accelerate without any single QPU reaching CRQC scale. Accelerates.

Quantum winter, Investor disillusionment slows hardware funding for years. Delays timeline.

Attack on PQC standards, A mathematical attack on lattice-based cryptography breaks the replacement algorithms. Changes the destination, not the timeline.

The question the monitor does not answer

This tool shows you Z: the range of scenarios for when quantum hardware could reach your cryptographic break thresholds. But the X+Y vs Z timing test has three variables.

Your data
shelf life

Your migration
time

Scenario range
(shown above)

The scenario range tells you when. The next question is how long migration will take for your specific infrastructure. Organizations comparable to yours have taken 3-5 years, based on 14 documented PQC migrations.

The PQC Readiness Assessment fills in X and Y with your organization's specific numbers: data shelf life, migration timeline, sector, regulatory obligations. It uses the same framework as the 14 case studies above.

See how your migration timeline compares, 24 questions, 6 dimensions, interactive X+Y vs Z timing calculator with your numbers.

How scenario ranges are constructed

For each cryptographic algorithm, we track: (1) published resource estimates specifying the quantum hardware needed to break it, and (2) published hardware benchmarks showing where current systems stand. The scenario range reflects different assumptions about the pace of improvement on both sides. "Breakthrough" assumes aggressive resource reduction and fast hardware scaling. "Stall" assumes no new improvements for 5+ years.

This is scenario analysis, not statistical inference. We do not compute probabilities. We present the range of outcomes that published data supports under different assumptions.

Sources

Resource estimates: 2021 published estimate, 2025 published update, Iceberg 2026, 2017 ECDLP estimate, AES Grover analysis (2016) 2016, Google 2026 (secp256k1). Hardware benchmarks: IBM Quantum Roadmap, Google Quantum AI, Quantinuum press releases, IonQ public filings (IONQ), USTC publications (PRL, Nature), QuEra/Atom Computing/Pasqal press releases, Tsinghua, Nature 2024. Expert surveys: Global Risk Institute 2024-2025 .

Every number on this page traces to a named source. "Unknown" means nobody knows, not that we did not look.

What this tool is not: This is not a prediction engine. It does not forecast when quantum computers will break your encryption. It visualizes published data trends and presents a range of scenarios to support migration planning decisions. It is complementary to expert surveys (such as the GRI survey) and should be used alongside them, not instead of them.

PQC Readiness Assessment

24 questions, 6 dimensions, interactive X+Y vs Z timing calculator. Fill in your X and Y.

Start assessment →

PQC Migration Intelligence

14 case studies, 28 failure modes, cost data, cross-case patterns. The full database.

Browse intelligence →