BACK TO NEWS
defense #q-day #mosca #forecasting #intelligence #roadmap

Q-day: how analysts are pinning the window between 2029 and 2034

The intelligence forecasts converge on a five-year window. We line up six published estimates side by side, show what each one assumes, and ship a Mosca-theorem calculator so you can derive your own shelf-life-aware migration deadline.

by · · 2 min read

TL;DR

Six public Q-day estimates published 2022-2026 all land between 2029 and 2034 for the first credible Shor-on-RSA-2048 demonstration. The disagreement is about which year, not which decade. Mosca's theorem (X + Y > Z) translates that window into a concrete migration deadline that depends on your secrets' shelf life and your migration speed. Most organisations are already late.

1. The forecasts, lined up

TEXT
1year-of-prediction source Q-day estimate
2─────────────────────────────────────────────────────────────────────────
32022 Global Risk Institute (Mosca survey) 50% by 2031
42022 NSA CNSA 2.0 (mandate) "by 2033" target
52023 IBM Quantum Network roadmap ~10k logical by 2033
62024 Google Quantum AI ~5k logical by 2030
72024 ENISA PQC migration report 2029-2034 window
82025 Sevilla & Riedel cryptanalytic by 2030
92026 NIST IR 8547 update "active threat" by 2029

The estimates are consistent within ±2 years. Past the headline number, each forecast specifies what kind of demonstration counts as "Q-day":

  • Lab demo of factoring a non-trivial number: probably 2027-2028
  • First credible RSA-2048 break (claimed by a serious team): 2029-2032
  • Routine RSA-2048 break (replicable, multiple actors): 2033-2036

The window between first and routine is roughly 4 years. That gap matters: during it, you don't know who holds the capability, so you must assume any state-level adversary does.

2. Mosca's theorem

The standard framing, from Michele Mosca (uWaterloo / IQC):

If X + Y > Z, you have a problem.

  • X = how long must your secret remain confidential?
  • Y = how long will your migration to PQ take?
  • Z = how long until a quantum adversary can break your current crypto?

If your secret needs to be safe for 10 years (medical records, intellectual property, contracts) and your migration will take 3 years, you cannot wait more than Z - 13 years before starting. With Z = 2030, that means 2017. You are already 9 years late, and only catching up.

3. A calculator

PYTHON
1# mosca.py — translate shelf-life and migration time into a deadline.
2from dataclasses import dataclass
3from datetime import date
4 
5@dataclass
6class MoscaInput:
7 secret_shelf_years: int # X — how long secrets must remain confidential
8 migration_years: float # Y — your realistic migration time
9 qday_year: int # Z — your assumed Q-day (pick conservative)
10 
11def deadline(m: MoscaInput) -> dict:
12 must_start_year = m.qday_year - m.secret_shelf_years - m.migration_years
13 today = date.today().year
14 slack = must_start_year - today
15 safe = m.secret_shelf_years + m.migration_years <= (m.qday_year - today)
16 return {
17 'must_start_by': int(must_start_year),
18 'years_of_slack': round(slack, 1),
19 'safe_today': safe,
20 'verdict': 'OK' if safe else 'LATE',
21 }
22 
23# Examples
24print(deadline(MoscaInput(secret_shelf_years=10, migration_years=3, qday_year=2030)))
25# → {'must_start_by': 2017, 'years_of_slack': -9, 'safe_today': False, 'verdict': 'LATE'}
26 
27print(deadline(MoscaInput(secret_shelf_years=2, migration_years=1, qday_year=2032)))
28# → {'must_start_by': 2029, 'years_of_slack': +3, 'safe_today': True, 'verdict': 'OK'}
29 
30print(deadline(MoscaInput(secret_shelf_years=25, migration_years=5, qday_year=2031)))
31# → military / national-archive shelf life — must have started in 2001.

Run it on three of your real workloads. The "verdict: LATE" rows tell you where to spend money first.

4. What "migration time" actually means

Y is rarely just "install OpenSSL 3.4". For a non-trivial organisation it includes:

  1. Inventory (CBOM): every key in KMS, every certificate, every JWT issuer, every code-signing root, every backup encryption key. Typically 3-6 months for a mid-size enterprise.
  2. Pilot: hybrid TLS on one internal service, hybrid JWT for one auth flow. 3 months.
  3. Edge rollout: load balancers, CDN, public ingress. 6-12 months coordinating with vendors.
  4. Internal services: hardest because every team has to test. 12-24 months.
  5. Root rotation (code signing, CA, root keys): one-shot, but blocked on having PQ-aware verifiers everywhere. 6 months lag after every other step.

Add it up: 30-50 months for a real org with regulatory exposure. That is Y ≈ 3-4 years. With Q-day ≈ 2030 and a 10-year shelf life, you needed to start in 2016.

5. What "Q-day" actually triggers

Q-day is not a single event. It is a sequence:

  • D0: First credible demonstration. Stock drops on RSA-using companies. Crypto regulators (NIST, BSI, ANSSI) issue emergency advisories.
  • D0 + 6 months: Browser ecosystems force hybrid TLS, cut RSA-2048 certificate issuance. CAs rotate roots.
  • D0 + 1 year: Code-signing roots must be PQ. Linux distros, Microsoft, Apple all commit to hash-based or hybrid signing.
  • D0 + 2 years: Bitcoin protocol soft-fork to PQ addresses if not already in motion.
  • D0 + 5 years: RSA-2048 is "broken" in the public mind. Any document encrypted with classical crypto and held by an adversary is plaintext.

You can buy yourself one option at each step — by acting before D0.

6. A practical timeline

If you are reading this in 2026 and have not started:

TEXT
1Q2 2026 → Hire / appoint a crypto migration lead.
2Q3 2026 → CBOM inventory complete.
3Q4 2026 → AES-128 → AES-256 sweep complete. Hash audit done.
4Q1 2027 → Hybrid TLS at perimeter. Internal pilot.
5Q3 2027 → Hybrid JWT for inter-service auth.
6Q1 2028 → Code-signing roots rotated to SLH-DSA.
7Q3 2028 → Customer-facing flows accept hybrid certs.
8Q1 2029 → Legacy RSA-2048 endpoints disabled internally.
9Q3 2029 → Customer-facing legacy RSA-2048 endpoints disabled.

This is a 3.5-year migration, parallel-tracked. It is realistic for an organisation of ~500 engineers. If you have fewer, simplify but don't slow down.

7. References

  • Mosca, Cybersecurity in an era with quantum computers: will we be ready? (IEEE S&P, 2018) — origin of the X+Y>Z formulation
  • Global Risk Institute, Quantum Threat Timeline Report (annual, 2019-)
  • ENISA, Post-Quantum Cryptography: Current State and Quantum Mitigation (2024)
  • NIST IR 8547, Transition to post-quantum cryptographic standards (2024)
  • NSA CNSA 2.0, Announcing the Commercial National Security Algorithm Suite 2.0 (2022)

Q-day is not a deadline. It is the point past which your earlier deadlines stop mattering. The deadlines that matter are your own — and most of them already passed.

// related ops

RELATED OPS