Q-day: how analysts are pinning the window between 2029 and 2034
The intelligence forecasts converge on a five-year window. We line up six published estimates side by side, show what each one assumes, and ship a Mosca-theorem calculator so you can derive your own shelf-life-aware migration deadline.
TL;DR ¶
Six public Q-day estimates published 2022-2026 all land between 2029 and 2034 for the first credible Shor-on-RSA-2048 demonstration. The disagreement is about which year, not which decade. Mosca's theorem (X + Y > Z) translates that window into a concrete migration deadline that depends on your secrets' shelf life and your migration speed. Most organisations are already late.
1. The forecasts, lined up ¶
1 year-of-prediction source Q-day estimate 2 ───────────────────────────────────────────────────────────────────────── 3 2022 Global Risk Institute (Mosca survey) 50% by 2031 4 2022 NSA CNSA 2.0 (mandate) "by 2033" target 5 2023 IBM Quantum Network roadmap ~10k logical by 2033 6 2024 Google Quantum AI ~5k logical by 2030 7 2024 ENISA PQC migration report 2029-2034 window 8 2025 Sevilla & Riedel cryptanalytic by 2030 9 2026 NIST IR 8547 update "active threat" by 2029
The estimates are consistent within ±2 years. Past the headline number, each forecast specifies what kind of demonstration counts as "Q-day":
- Lab demo of factoring a non-trivial number: probably 2027-2028
- First credible RSA-2048 break (claimed by a serious team): 2029-2032
- Routine RSA-2048 break (replicable, multiple actors): 2033-2036
The window between first and routine is roughly 4 years. That gap matters: during it, you don't know who holds the capability, so you must assume any state-level adversary does.
2. Mosca's theorem ¶
The standard framing, from Michele Mosca (uWaterloo / IQC):
If X + Y > Z, you have a problem.
- X = how long must your secret remain confidential?
- Y = how long will your migration to PQ take?
- Z = how long until a quantum adversary can break your current crypto?
If your secret needs to be safe for 10 years (medical records, intellectual
property, contracts) and your migration will take 3 years, you cannot wait
more than Z - 13 years before starting. With Z = 2030, that means
2017. You are already 9 years late, and only catching up.
3. A calculator ¶
1 # mosca.py — translate shelf-life and migration time into a deadline. 2 from dataclasses import dataclass 3 from datetime import date 4 5 @dataclass 6 class MoscaInput: 7 secret_shelf_years: int # X — how long secrets must remain confidential 8 migration_years: float # Y — your realistic migration time 9 qday_year: int # Z — your assumed Q-day (pick conservative) 10 11 def deadline(m: MoscaInput) -> dict: 12 must_start_year = m.qday_year - m.secret_shelf_years - m.migration_years 13 today = date.today().year 14 slack = must_start_year - today 15 safe = m.secret_shelf_years + m.migration_years <= (m.qday_year - today) 16 return { 17 'must_start_by': int(must_start_year), 18 'years_of_slack': round(slack, 1), 19 'safe_today': safe, 20 'verdict': 'OK' if safe else 'LATE', 21 } 22 23 # Examples 24 print(deadline(MoscaInput(secret_shelf_years=10, migration_years=3, qday_year=2030))) 25 # → {'must_start_by': 2017, 'years_of_slack': -9, 'safe_today': False, 'verdict': 'LATE'} 26 27 print(deadline(MoscaInput(secret_shelf_years=2, migration_years=1, qday_year=2032))) 28 # → {'must_start_by': 2029, 'years_of_slack': +3, 'safe_today': True, 'verdict': 'OK'} 29 30 print(deadline(MoscaInput(secret_shelf_years=25, migration_years=5, qday_year=2031))) 31 # → military / national-archive shelf life — must have started in 2001.
Run it on three of your real workloads. The "verdict: LATE" rows tell you where to spend money first.
4. What "migration time" actually means ¶
Y is rarely just "install OpenSSL 3.4". For a non-trivial organisation it includes:
- Inventory (CBOM): every key in KMS, every certificate, every JWT issuer, every code-signing root, every backup encryption key. Typically 3-6 months for a mid-size enterprise.
- Pilot: hybrid TLS on one internal service, hybrid JWT for one auth flow. 3 months.
- Edge rollout: load balancers, CDN, public ingress. 6-12 months coordinating with vendors.
- Internal services: hardest because every team has to test. 12-24 months.
- Root rotation (code signing, CA, root keys): one-shot, but blocked on having PQ-aware verifiers everywhere. 6 months lag after every other step.
Add it up: 30-50 months for a real org with regulatory exposure. That is Y ≈ 3-4 years. With Q-day ≈ 2030 and a 10-year shelf life, you needed to start in 2016.
5. What "Q-day" actually triggers ¶
Q-day is not a single event. It is a sequence:
- D0: First credible demonstration. Stock drops on RSA-using companies. Crypto regulators (NIST, BSI, ANSSI) issue emergency advisories.
- D0 + 6 months: Browser ecosystems force hybrid TLS, cut RSA-2048 certificate issuance. CAs rotate roots.
- D0 + 1 year: Code-signing roots must be PQ. Linux distros, Microsoft, Apple all commit to hash-based or hybrid signing.
- D0 + 2 years: Bitcoin protocol soft-fork to PQ addresses if not already in motion.
- D0 + 5 years: RSA-2048 is "broken" in the public mind. Any document encrypted with classical crypto and held by an adversary is plaintext.
You can buy yourself one option at each step — by acting before D0.
6. A practical timeline ¶
If you are reading this in 2026 and have not started:
1 Q2 2026 → Hire / appoint a crypto migration lead. 2 Q3 2026 → CBOM inventory complete. 3 Q4 2026 → AES-128 → AES-256 sweep complete. Hash audit done. 4 Q1 2027 → Hybrid TLS at perimeter. Internal pilot. 5 Q3 2027 → Hybrid JWT for inter-service auth. 6 Q1 2028 → Code-signing roots rotated to SLH-DSA. 7 Q3 2028 → Customer-facing flows accept hybrid certs. 8 Q1 2029 → Legacy RSA-2048 endpoints disabled internally. 9 Q3 2029 → Customer-facing legacy RSA-2048 endpoints disabled.
This is a 3.5-year migration, parallel-tracked. It is realistic for an organisation of ~500 engineers. If you have fewer, simplify but don't slow down.
7. References ¶
- Mosca, Cybersecurity in an era with quantum computers: will we be ready? (IEEE S&P, 2018) — origin of the X+Y>Z formulation
- Global Risk Institute, Quantum Threat Timeline Report (annual, 2019-)
- ENISA, Post-Quantum Cryptography: Current State and Quantum Mitigation (2024)
- NIST IR 8547, Transition to post-quantum cryptographic standards (2024)
- NSA CNSA 2.0, Announcing the Commercial National Security Algorithm Suite 2.0 (2022)
Q-day is not a deadline. It is the point past which your earlier deadlines stop mattering. The deadlines that matter are your own — and most of them already passed.
RELATED OPS
Inside the NIST PQC suite: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205)
Four years after the round-3 finalists were named, the standards are signed. Here is what each one does, what parameter set to pick at each security level, and the smallest-possible call into each one from Python and TypeScript.
Grover bites AES: why 128 is dead and 256 is your new baseline
Grover's algorithm gives a quadratic speed-up on brute-force key search. AES-128 drops to ~64-bit effective security. AES-256 stays at ~128-bit. The fix is one config line — but every place stores cipher state, you need to find.
RSA-2048 falls: the 20M noisy-qubit estimate, redrawn
Gidney & Ekerå said ~20 million noisy qubits and ~8 hours. Three years of error-correction progress later, the number is moving — but not the conclusion. Where the 2026 resource estimates land.