
Post-Quantum Cryptography: The status Quo and need for action

Bas Westerbaan, Principal Research Engineer, Cloudflare

The rapid progress in quantum computing is reshaping long-term security planning. While today’s quantum computers cannot yet break widely used cryptographic algorithms, their future potential creates an urgent need to transition to post-quantum cryptography (PQC). Data intercepted today could be decrypted later in a “harvest now, decrypt later” scenario once a powerful quantum computer becomes available—a moment often referred to as Q-Day.

The Path to Q-Day: Hardware and Software Progress

Two developments influence the arrival of Q-Day: advancements in quantum hardware and improvements in the algorithms that run on these machines.

Hardware Progress

Every year brings new quantum processors boasting higher qubit counts. But qubits are fragile, and noise limits their reliability. Silicon-based quantum computers are fast and scalable, but extremely noisy—requiring millions of qubits with error correction to break RSA-2048. Ion-trap systems are quieter but harder to scale; even hundreds of thousands of qubits could threaten RSA-2048.

Scalability remains a challenge, but Google’s Willow project—announced in late 2024—demonstrated the first scalable implementation of a logical qubit using surface code, a major milestone. Google continues to advance superconducting qubits, while Microsoft explores topological qubits, a theoretically much more stable but not yet proven architecture. Other emerging approaches include neutral atoms and ion traps. Still, software optimizations have accelerated the threat more dramatically than hardware.

Software Breakthroughs

In 2025, Craig Gidney’s work showed that breaking RSA-2048 requires fewer than one million superconducting qubits—down from earlier estimates of 20 million—bringing Q-Day about seven years closer, assuming a Moore’s law for qubit counts of doubling every one-and-a-half years. Further optimisations are expected, but RSA-2048 will likely still require at least a quarter of a million superconducting qubits.

Occasionally, new dramatic algorithmic claims surface. In 2024, a proposed quantum algorithm by Yilei Chen briefly caused concern for lattice-based cryptography before being shown incorrect. This episode highlighted how heavily today’s PQC designs rely on lattice-based schemes, and how few viable alternatives exist. Quantum key distribution, often presented as a solution, is not scalable enough for widespread deployment.

How Soon Will Q-Day Arrive?

While no one can predict the exact date, governments are not waiting. The U.S. NSA’s CNSA 2.0 guidelines set migration targets for 2030–2033, while the U.S. federal government aims for full adoption by 2035. Australia plans completion by 2030, and the UK and EU expect transitions between 2030 and 2035. Regardless of when Q-Day occurs—2034 or 2050—most experts agree it will come too soon for organisations that delay preparation.

Two Migration Priorities: Key Exchange and Signatures

Transitioning to PQC involves two critical components: key agreement and digital signatures.

Symmetric encryption (like AES-GCM) is already considered safe against quantum attacks. Grover’s algorithm does not require doubling key sizes, so AES-128 remains robust. Increasing to AES-256 is optional.

The real vulnerability lies in traditional asymmetric cryptography—RSA and ECC—which quantum computers can break using Shor’s algorithm. Organisations must prioritise replacing these systems rather than strengthening symmetric encryption.

Post-Quantum Key Agreement

Key agreement is urgent because it prevents harvest-now/decrypt-later attacks. Today’s TLS handshakes rely on X25519, which collapses under quantum attack. Post-quantum methods like ML-KEM can be integrated into existing systems with minimal disruption. Cloudflare already protects about half its traffic using hybrid post-quantum key exchange, and all major browsers now support PQC by default.

Post-Quantum Signatures and Certificates

Digital signatures authenticate identities online. RSA and ECDSA signatures will be forgeable by quantum computers, but replacing them is far more complex than updating key exchange. TLS handshakes use multiple signatures, certificate chains are long, and post-quantum signatures tend to be much larger.

NIST has standardised ML-DSA and SLH-DSA for signatures, but wide adoption requires updates to certificate formats, browsers, and certificate authorities. We expect the first PQ certificates available in 2026, with broader adoption by 2027.

Where PQC Stands Today

By 2025, PQC entered mainstream deployment. NIST standardised ML-KEM (FIPS 203) for key exchange and ML-DSA/SLH-DSA for signatures (FIPS 204/205). ML-KEM is now widely supported in TLS, browsers, and operating systems. ML-DSA support in certificates is progressing but not fully integrated.

Meanwhile, Cloudflare, Google, and browser vendors have spent years testing hybrid approaches like X25519MLKEM768 to ensure compatibility, performance, and resilience during the transition. Despite early friction—largely due to middleboxes expecting classical packet sizes—over 50% of global internet traffic is now protected against quantum-era decryption attacks.

The Harder Part: PQ Signatures

Signatures remain the biggest hurdle. ML-DSA-44 adds around 15 KB of extra data to each TLS handshake—too heavy for slow mobile networks. FN-DSA-512 reduces this overhead but introduces side-channel risks from floating-point operations. Experimental schemes like SQISign, MAYO, SNOVA, and UOV offer trade-offs between size, performance, and security, but none are ready for large-scale deployment. That is why we’re working with Chrome on Merkle Tree Certificates, a next-generation certificate design that brings post-quantum security without performance degradation.

For now, ML-DSA-44 is the most realistic starting point, even if not ideal.

What Organisations Should Do Now

Companies should act on two priorities:

Adopt post-quantum key exchange immediately.

Use hybrid modes like X25519 + ML-KEM-768 to prevent harvest-now/decrypt-later attacks. Tools such as Cloudflare Radar and Wireshark can verify support.

Prepare for PQ signatures.

Identify high-risk uses of cryptography, modernise outdated systems, enable automated certificate management, and begin testing PQ-ready infrastructure.
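Verifying the first priority means looking at what a client actually offers. As an added example (not part of the talk or of Cloudflare's tooling), this Python script parses the supported_groups and key_share extensions of a TLS 1.3 ClientHello, the same fields Wireshark displays, and reports whether a hybrid PQ group such as X25519MLKEM768 is really offered rather than merely listed; the ClientHello it inspects is constructed inside the block, and the function names are my own.

```python
import struct

# TLS named-group code points: classical groups plus the hybrid PQ groups
# (0x11EC X25519MLKEM768 from draft-ietf-tls-ecdhe-mlkem; 0x6399 is the earlier
# X25519Kyber768Draft00 code point that Chrome and Cloudflare deployed first).
GROUP_NAMES = {0x0017: "secp256r1", 0x001D: "x25519",
               0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768"}
PQ_HYBRID_GROUPS = {0x6399, 0x11EC}

def _extensions(body: bytes) -> dict:
    """Map extension type -> data for a ClientHello body (RFC 8446 layout)."""
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, exts = pos + 2, {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def key_exchange_groups(record: bytes) -> dict:
    """List groups advertised in supported_groups (ext 10) and actually offered
    in key_share (ext 51) for one TLS record carrying a ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    exts = _extensions(record[9:9 + int.from_bytes(record[6:9], "big")])
    sg = exts.get(10, b"\x00\x00")[2:]                    # skip 2-byte list length
    supported = list(struct.unpack(f"!{len(sg) // 2}H", sg))
    ks, pos, shares = exts.get(51, b"\x00\x00"), 2, []
    while pos + 4 <= len(ks):                             # entries: group, len, key_exchange
        group, klen = struct.unpack("!HH", ks[pos:pos + 4])
        shares.append(group)
        pos += 4 + klen
    return {"supported_groups": supported, "key_shares": shares,
            "names": [GROUP_NAMES.get(g, hex(g)) for g in shares],
            "offers_pq_hybrid": any(g in PQ_HYBRID_GROUPS for g in shares)}

def build_client_hello(supported: list, shares: dict) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello (sample input, not a capture);
    shares maps group -> key_exchange length, filled with zero bytes."""
    sg = struct.pack("!H", 2 * len(supported)) + b"".join(struct.pack("!H", g) for g in supported)
    entries = b"".join(struct.pack("!HH", g, n) + bytes(n) for g, n in shares.items())
    ks = struct.pack("!H", len(entries)) + entries
    exts = struct.pack("!HH", 10, len(sg)) + sg + struct.pack("!HH", 51, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

An X25519MLKEM768 key share is 1216 bytes (1184-byte ML-KEM-768 encapsulation key plus a 32-byte X25519 point), which is the size jump that tripped the middleboxes mentioned above.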

The global transition to PQC is an opportunity to modernise decades of legacy cryptography. Those who start early will be ready long before Q-Day arrives.
