What changed? First, Craig Gidney’s 2025 paper reduced the estimated requirement for factoring RSA-2048 from the earlier 20 million noisy physical qubits estimate down to less than one million, with runtime under a week under the paper’s stated surface-code assumptions. Then Iceberg Quantum’s February 2026 Pinnacle paper pushed that RSA-2048 estimate below 100,000 physical qubits using a QLDPC-based architecture. Days later, Caltech and Oratomic published work showing Shor’s algorithm could be executed at cryptographically relevant scale with as few as 10,000 reconfigurable atomic qubits, with a larger 26,000-qubit system potentially solving elliptic-curve discrete logarithms in a matter of days.
That is why this moment matters. The conversation is no longer just “How many qubits can hardware vendors build?” It is also “How much are algorithms, coding theory, error correction, compilation, and architecture design shrinking the problem?” The past decade’s trend line has been brutal: better math and better fault-tolerant designs keep compressing the resource estimates. That does not guarantee the same pace continues, but it does invalidate the complacent assumption that only multimillion-qubit machines matter.
Google’s March 2026 cryptocurrency whitepaper added the most urgent operational signal. The team says ECDLP-256 can be implemented with two compiled circuit variants requiring under roughly 1,200 to 1,450 logical qubits and 70 to 90 million Toffoli gates, and that on a superconducting cryptographically relevant quantum computer those circuits could run in minutes with fewer than 500,000 physical qubits. In the same work, Google distinguishes between “fast-clock” architectures such as superconducting, photonic, and silicon spin systems versus slower architectures such as neutral atom and ion trap. That distinction matters because fast-clock systems may enable not just at-rest attacks on exposed public keys, but “on-spend” attacks against live cryptocurrency transactions.
That last point is the headline many people will remember. In the Google paper, the researchers estimate that once the first half of the computation is precomputed, a primed superconducting CRQC could derive a key in about nine minutes on average. Their Figure 6 says that under the paper’s idealized assumptions, that creates slightly less than a 41% theft risk against a Bitcoin transaction with a 10-minute average block time. Google did not publish the attack circuits; instead it used a zero-knowledge proof approach so the resource estimates could be verified without handing over an attack blueprint. That is a remarkable sign of how seriously the authors treated the disclosure risk.
This is also bigger than crypto. Google explicitly says the threat is not limited to a future breaking of encryption and signatures in the abstract. It says encryption is already relevant today because of harvest-now, decrypt-later risk, and that digital signatures require migration before a cryptographically relevant quantum computer arrives. That should get every enterprise leader’s attention, because signatures and authentication are everywhere: PKI, certificates, code signing, software updates, secure boot, device identity, VPNs, APIs, firmware trust chains, and admin workflows.
Now for the caveat that matters: these papers are not proof that Q-Day is here. They are resource estimates under explicit assumptions, and the engineering barriers remain formidable. Gidney’s paper keeps conservative surface-code assumptions but still needs fault-tolerant scale that does not exist yet. Pinnacle depends on QLDPC architecture assumptions that are promising but not yet demonstrated at the required scale. The Caltech-Oratomic work itself says substantial engineering challenges remain, even as it argues neutral-atom systems could support cryptographically relevant computation. And the broader expert community still spans a range of timelines; the 2025 Global Risk Institute survey says experts see a CRQC as quite possible within 10 years and likely within 15.
So how should leaders interpret this? My view is simple: the exact year is still uncertain, but the planning window is clearly shrinking. That is enough to change enterprise behavior now. NIST finalized its first three PQC standards in August 2024: ML-KEM, ML-DSA, and SLH-DSA. In March 2025, NIST selected HQC as a backup encryption algorithm. Google has now publicly set a 2029 migration timeline for itself. On the U.S. national-security side, NSA guidance shows CNSA 2.0 entering new-product timelines in 2027, with broader replacement expectations later in the decade. The standards era is here. The waiting era is over.
What enterprises should do now First, run a real cryptographic inventory. Not a slide. Not a guess. A real map of where RSA, ECC, Diffie-Hellman, certificates, code signing, boot integrity, firmware signing, secrets exchange, and machine identities actually live in your environment. NIST’s transition work is already aimed at moving organizations off quantum-vulnerable public-key systems, and Google is openly prioritizing authentication services in its own threat model.
Second, prioritize by data lifetime. If information needs to remain confidential into the 2030s, the threat is already present because adversaries can collect ciphertext now and wait. This is why harvest-now, decrypt-later matters more than many executives realize. The danger is not just the day a CRQC appears. The danger is the data you are leaking into the future right now.
Third, start hybrid and crypto-agile migration paths now. Waiting for a perfect end-state architecture is how enterprises get trapped. The right move is staged migration: pilot NIST-standardized PQC where it is mature, build certificate and key-management agility, and redesign systems so algorithms can be swapped without breaking production. Use QuSecure for this.
Fourth, test your readiness the way you would test any other material cyber risk. That means running an AI PQ Audit across your environment to identify quantum-vulnerable trust paths, exposed signing dependencies, long-life data flows, third-party concentration, and migration blockers before the timeline compresses further. The organizations that win this transition will not be the ones with the best press release. They will be the ones that can prove where they are exposed, what they prioritized, and how fast they can swap cryptography at scale.
The bottom line is this: Q-Day may still be uncertain, but the threat timeline is no longer theoretical enough to ignore. Three papers did not prove that the world ends tomorrow. They did prove that the bar is moving faster than many security programs were built to handle. Enterprise leaders do not need panic. They need urgency, inventory, crypto-agility, and execution.
https://thequantuminsider.com/2026/03/31/q-day-just-got-closer-three-papers-in-three-months-are-rewriting-the-quantum-threat-timeline/
https://arxiv.org/abs/2505.15917
https://arxiv.org/pdf/2505.15917
https://arxiv.org/abs/2602.11457
https://arxiv.org/pdf/2602.11457
https://arxiv.org/abs/2603.28627
https://arxiv.org/pdf/2603.28627
https://www.caltech.edu/about/news/caltech-team-finds-useful-quantum-computers-could-be-built-with-as-few-as-10000-qubits
https://iqim.caltech.edu/2026/03/31/shors-algorithm-is-possible-with-as-few-as-10000-reconfigurable-atomic-qubits/
https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/
https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf
https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
https://csrc.nist.gov/news/2024/postquantum-cryptography-fips-approved
https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption
https://csrc.nist.gov/news/2025/hqc-announced-as-a-4th-round-selection
https://thequantuminsider.com/2026/02/13/new-architecture-could-cut-quantum-hardware-needed-to-break-rsa-2048-by-tenfold-study-finds/
https://thequantuminsider.com/2026/03/31/google-suggests-quantum-attacks-on-cryptocurrency-encryption-may-require-fewer-resources/