Q-Day: Every Major Timeline Prediction, Compared

PUB: 2026-05-27

ETA: [ 5 MIN ]

CAT: Featured

The date when quantum computers crack modern encryption has a name. Q-Day. Depending on who you ask, it’s three years out, five, ten, or somewhere nobody can agree on, which is its own kind of answer. Each of these forecasts is measuring something slightly different, which is why reading them side by side actually tells you more than any single one does alone.

Google: 2029

This may be an aggressive timeline, but it’s also credible in a way most forecasts aren’t, because Google isn’t speculating about when someone else will break encryption. In March 2026, Google moved its internal Q-Day benchmark to 2029 and committed to completing its own infrastructure migration by then.

The technical reason for the shift was a quantum error correction breakthrough from a Caltech team. They demonstrated qLDPC codes (quantum Low-Density Parity Check) that reduce the qubit overhead required for fault-tolerant algorithms by a factor of 161.

Some configurations even go to 5-to-1. Older estimates put the cost of cracking RSA-2048 at about 1 million fault-tolerant qubits. Running that through qLDPC changes the number a lot.

There’s a second thing Google is flagging. State-level adversaries are already collecting encrypted traffic. They don’t need a CRQC right at this moment. When one exists, they decrypt retroactively, reaching back across everything they’ve collected in the meantime. This is what’s generally known as “harvest now, decrypt later” (HDNL).

So, according to Google, 2029 is no longer in the realm of a prediction. It’s the year the tech giant’s experts think you’d better be ready for what’s coming.

Project Eleven: 2033

Then there’s Project Eleven’s tentative 2033 goal. Different firm, different problem, and this one’s even scarier for anyone holding Bitcoin (BTC).

The May 2026 report by quantum risk research outfit Project Eleven 2026 report contains 110 pages and lands on a specific number. According to its approximation, a CRQC capable of breaking Bitcoin’s elliptic curve signatures could arrive as early as 2030 and no later than 2042, but the baseline for Q-Day is in 2033.

The report estimates that 6.9 million BTC already sit in exposed addresses, which refers to wallets where the public key is visible on-chain and therefore readable to a future quantum attacker. At current prices that’s a number with quite a few zeros.

There’s a reason why Bitcoin faces a shorter window than RSA-based systems. Attacks on elliptic curve cryptography are computationally cheaper. A machine that takes a week to crack RSA-2048 might crack an ECC key in hours. Bitcoin runs on ECC. Aaand so does Ethereum.

The part of the report that probably deserves more attention than the headline date is the fact that migrating Bitcoin to post-quantum cryptography requires consensus between miners, node operators, wallet developers, and millions of individual users all moving together. Such a coordination has historically taken years for changes a lot less complicated than a full cryptographic overhaul.

Project Eleven’s report bluntly suggests that, even if the hardware arrives at the further end of the timeline, the human side of the response may not be able to keep up.

NIST: 2035 (Not a Threat Prediction)

The National Institute of Standards and Technology (NIST)’s 2035 is the most cited date and, at the same time, probably the most misunderstood.

Unlike the others in this list, the agency isn’t exactly predicting when a CRQC will exist. It “just” regularly publishes compliance deadlines for U.S. federal systems. By 2030, algorithms providing 112-bit security (RSA-2048, ECC P-256) must be deprecated. By 2035, quantum-vulnerable encryption is fully disallowed.

The misunderstanding here mostly stems from people thinking that this means encryption is safe until that time.

In 2024, NIST finalized three post-quantum standards. These include CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium, and SPHINCS+ for signatures.

Though 2035 isn’t a threat timeline, the date does reflect migration reality. Large government systems move slowly. The window is sized around how long it actually takes to move legacy infrastructure.

The NSA’s separate guidance is tighter, and requires quantum-resistant cryptography for new national security system acquisitions starting in 2027.

Global Risk Institute: Somewhere Between 28% and 49%, Within 10 Years

GRI doesn’t give you a specific year. The organization surveys experts and publishes the probability distribution. Twenty-six quantum computing specialists across academia and industry, polled in GRI’s March 2026 report (Dr. Michele Mosca and Dr. Marco Piani). The result gave a 28-49% chance that a CRQC exists within 10 years (2036), or 51-70% within 15 years.

The number worth paying attention to is the year-over-year shift. The averaged 10-year probability jumped from 34% in 2024 to 49% in 2025. That’s 15 percentage points in 12 months, and the fastest acceleration since GRI started running this survey.

Mosca’s framing, the Mosca Inequality, cuts through the “probably fine” instinct. If your migration timeline runs between five and eight years and the threat probability over that window is 28-49%, you’re already operating at risk levels that the math doesn’t support.

What the Forecasts Disagree On

Google (2029) and Project Eleven (2033) are close to each other. The gap is mostly the attack target. Google is worried about RSA and TLS, which are harder to crack. Project Eleven is focused on ECC, where the attack window is shorter and the exposure is immediately measurable in BTC.

NIST’s 2035 belongs in a different category. It’s a compliance engineering timeline, useful for procurement planning, but useless as a security forecast. GRI’s probability range is the most honest representation of where expert consensus actually sits. Nobody knows exactly when, but 26 people closest to the problem are increasingly confident it’s sooner than they thought a year ago, and they’re moving the number up fast.

All four arrive at the same operational conclusion that acting in 2026 is already late.

Which One to Actually Use

For internal planning, run from Google’s 2029. That’s your survival scenario. Use NIST’s 2030 deprecation milestone as your start-work trigger instead of your finish line.

If you’re communicating upward, GRI’s probability framing is your tool. “30-50% chance this happens in the next decade” lands differently than “Q-Day is 2029” and is more defensible under cross-examination from a CFO who’s read two articles about quantum timelines being overblown.

Where crypto infrastructure is concerned, Project Eleven’s report is the citation you want. The 6.9 million BTC exposure figure is concrete. The organization’s migration analysis doesn’t pretend Bitcoin governance works faster than it does.

All things considered, start with Google’s date, and talk with GRI’s numbers. If you’re in crypto, check out Project Eleven’s 110 pages before you read anything else.

Sead Fadilpašić

Contributor

Sead Fadilpašić is a journalist and content writer who covers blockchain, cybersecurity, privacy, technology, and digital business. His work is featured on a wide range of international publications and technology websites, including Cryptonews and Tom's Hardware. His work focuses on cybersecurity threats, data privacy, emerging technologies, and the broader impact of technology on businesses and consumers. Based in Sarajevo, Bosnia and Herzegovina, he has been reporting on technology-related topics for more than a decade.

>_ View output

Menu

Search