ホーム/ブログ/Q-Day and What Breaking RSA-2048 Actually Requires
Post-QuantumSecurityCryptography

Q-Day and What Breaking RSA-2048 Actually Requires

Q-Day is one of the most abused terms in quantum computing. Here's a precise definition, the published resource estimates for factoring RSA-2048 with Shor's algorithm, and why those estimates disagree by orders of magnitude.

FreeQuantumComputing
·· 9 min read

"Q-Day" appears in vendor decks, government strategy documents, and newspaper headlines, usually with a countdown clock attached. It is rarely defined. That vagueness is doing a lot of work, because the term is used to mean at least two very different things, and the gap between them is measured in years and billions of dollars of engineering.

This post does the part that most coverage skips: what a machine capable of breaking RSA-2048 would actually have to be, according to published estimates, and why those estimates have ranged from twenty million qubits to under one million within six years.

Defining the term precisely

Q-Day is most usefully defined as the day a cryptographically relevant quantum computer (CRQC) first exists — a machine that can run Shor's algorithm against real-world key sizes within an operationally useful time.

The looseness creeps in around "real-world key sizes." Some writers use Q-Day to mean specifically RSA-2048 is broken. Others use it for any CRQC, which would include a machine that breaks NIST P-256 elliptic-curve keys — a meaningfully easier target, since ECC uses far smaller keys for equivalent classical security, and the elliptic-curve variant of Shor's needs a smaller register. A third group uses it loosely for "quantum computers become scary," which is not a technical claim at all.

Precision matters because these events do not happen on the same day. If P-256 falls before RSA-2048, the practical consequences differ sharply: ECDSA underpins TLS certificates, SSH, code signing, and most cryptocurrency, while RSA-2048 still guards a large installed base of older infrastructure. A plan built around one date may be badly calibrated for the other.

Why the date matters less than you'd think

The instinct on hearing "Q-Day" is to ask when. That question is less decision-relevant than it feels, because of harvest now, decrypt later: an adversary records encrypted traffic today and stores it until a CRQC exists. Any data whose confidentiality must outlive Q-Day is exposed now, regardless of when Q-Day lands.

So the question that actually drives decisions is not "when is Q-Day" but "how long must this data stay secret, and how long will my migration take." Regulators have already answered on organizations' behalf with published deprecation dates — we cover those in detail in the post-quantum migration clock, and they are deliberately independent of any hardware forecast.

The core question: what would the machine look like?

Shor's algorithm, introduced in 1994, reduces factoring to period-finding, which it solves using quantum phase estimation over a modular exponentiation circuit. The algorithmic cost is polynomial. The engineering cost is where the difficulty lives, and it splits into two very different numbers.

Logical qubits are the idealized, error-free qubits the algorithm is written against. Gidney and Ekerå's 2019 construction expresses this as 3n + 0.002·n·lg n logical qubits for an n-bit modulus. For RSA-2048 that works out to roughly 6,200 logical qubits, alongside a Toffoli gate count on the order of 0.3n³ — billions of gates.

Physical qubits are what you actually build. The ratio between them is the overhead imposed by quantum error correction, and it is brutal. Under the surface code, each logical qubit is encoded across a patch of physical qubits whose size grows with the code distance, which must be chosen large enough that the total error across billions of gates stays below one. Getting from ~6,200 logical qubits to a working machine is where the millions come from.

The published estimates, and why they moved

The most-cited figure comes from Gidney and Ekerå (2019): factoring a 2048-bit RSA integer in 8 hours using 20 million noisy physical qubits (arXiv:1905.09749, later published in Quantum). That was already a hundredfold reduction in spacetime volume over prior proposals.

In May 2025, Gidney published a revised analysis: fewer than one million noisy physical qubits, running for under a week (arXiv:2505.15917). That is roughly a 20× reduction in qubit count against his own earlier number, traded for a longer runtime.

Both papers assume broadly the same hardware model — a planar square grid of superconducting qubits with nearest-neighbour connectivity, a 0.1% gate error rate, a 1 microsecond surface code cycle, and a 10 microsecond control-system reaction time.

That is the key insight about the discrepancy: the hardware assumptions barely changed. The algorithms and codes did. The 2025 reduction comes from three specific advances — approximate residue arithmetic (fewer operations), yoked surface codes (roughly tripling storage density for idle logical qubits), and magic state cultivation, which makes producing the high-fidelity non-Clifford resource states that dominate the cost far cheaper than traditional distillation.

This is why estimates in the wild vary so wildly. Any published number is a function of at least five assumptions:

  • Physical error rate. The required code distance depends on how far below threshold the hardware sits. A 10× better physical error rate cuts the overhead dramatically.
  • Code choice. Surface codes are the conservative baseline. Higher-rate qLDPC codes could reduce overhead substantially, at the cost of harder connectivity requirements.
  • Cycle and reaction time. These set wall-clock runtime, and runtime feeds back into how much error correction you need.
  • Magic state strategy. Distillation factories historically consumed the majority of the machine's footprint. Cultivation changes that budget.
  • Space–time tradeoff. You can nearly always buy fewer qubits with more hours, which is exactly what happened between the 2019 and 2025 papers. Quoting a qubit count without a runtime is meaningless.

The direction of travel is the important dynamic. Over three decades, published estimates have moved consistently downward, driven by compilation and error-correction improvements rather than by hardware surprises. A migration plan that assumes today's estimate is the floor is planning against a number that has never yet stopped falling.

Where hardware actually stands

Current devices carry roughly 100 to 1,000 physical qubits. Google's Willow processor, used in the 2024 below-threshold demonstration, has 105. Even against the optimistic 2025 estimate, that is three orders of magnitude short in qubit count — before accounting for the fidelity, connectivity, and control requirements those papers assume. Our hardware overview tracks what is actually available.

But the 2024 result matters more than the raw gap suggests. Google ran surface codes at distances 3, 5, and 7 and showed each increase roughly halved the logical error rate — the logical qubit outperformed its best constituent physical qubit. Every fault-tolerance roadmap assumes that adding qubits makes the encoded qubit better rather than worse; until that experiment, it was an assumption. Crossing the threshold converted the remaining problem from an open physics question into a scaling and manufacturing one. Scaling problems are still extremely hard and can take decades. They are a different category of hard.

Machine-checking the numbers

A subtlety that rarely surfaces: these resource estimates are long, intricate, hand-written analyses, and migration budgets running into the billions are set on the basis of them. An arithmetic slip or an unstated assumption in a compilation argument propagates straight into policy.

That is why the 2026 Lean formalization of Shor's algorithm is worth attention beyond its novelty. It formalizes order finding and the reversible circuits for modular and elliptic-curve arithmetic in a proof assistant, and machine-checks the logical resource estimates for both RSA-2048 and P-256. It does not settle the physical-qubit question — that still depends on the hardware assumptions above — but it puts the logical layer on an auditable footing. When a number drives a budget, "a machine verified this derivation" is a meaningfully stronger claim than "several experts read the appendix."

The vendor perspective, clearly labelled

Quantum hardware companies publish extensively on Q-Day, and their framing deserves an explicit caveat: they sell the machines whose urgency they are describing.

IonQ's December 2024 post Q-Day and the Impact of Breaking RSA2048, by SVP of Product and Applications Ariel Braunstein, is a reasonable example. IonQ argues that harvest-now-decrypt-later is already underway, describing nation states collecting encrypted data in anticipation of future decryption capability, and that the unpredictability of algorithmic breakthroughs is itself a reason not to wait. To its credit, the post declines to name a year, presenting a spread of estimates across research organizations instead, and IonQ's recommendation — that organizations begin exploring quantum-resistant algorithms now, while acknowledging urgency varies with the timeline one assumes — is close to the mainstream security-community position.

Note also what it does not contain. The IonQ post cites no qubit count or resource estimate for RSA-2048 at all. Its one concrete figure is an unrelated materials-simulation algorithm reduced from 1.5 trillion gate operations to 410,000. That is a genuine result about a different workload, and it is not evidence about factoring. Treat vendor content as a directionally useful signal about industry expectations, not as a neutral source for the resource question.

How to reason about it yourself

The framing that survives contact with the uncertainty is Mosca's inequality: if your data's required confidentiality lifetime plus your migration time exceeds the time until a CRQC exists, you are already late. Only the third term is unknown, and the first two are usually large enough that the third barely changes the answer.

So the honest conclusion is an uncomfortable one: nobody credible can give you a date, and anyone who does is telling you about their business model or their priors, not about physics. What we can say precisely is what the machine would need to be, that the requirement has been revised downward repeatedly, and that the error-correction threshold has been crossed.

The responsible posture is to migrate on a schedule that does not depend on knowing the date. Start with what PQC actually is, then work the calendar. If your plan breaks when the estimate drops another 10×, it was never a plan.

Further reading: Post-quantum migration deadlines · Quantum error correction explained · Landmark research papers · Latest developments