Live Threat Assessment · May 2026

RSA.FAIL

Quantum computers are approaching the capability to break RSA-2048 — the encryption protecting most of the internet. This is not a drill.

Estimated time until RSA-2048 is broken

years

months

days

min

⚑ Median expert estimate: Q-Day ~2030–2032 · Target: Jan 1, 2031

Scroll to explore
↓

01 / 09

Current Threat State

The Numbers Are Getting Worse

Every year, researchers find more efficient factoring algorithms. Required qubits have dropped 200× since 2019 — purely through software, before any hardware improvement.

<1M

Physical Qubits Needed

To break RSA-2048 in under a week. Down 95% from 20M in 2019 (Gidney, 2025).

~5 days

Time to Crack One Key

On a fault-tolerant QC with ≥1M qubits, 0.1% gate error rate, 5 days continuous.

2030–32

Median Q-Day Estimate

Consensus window for first CRQC. IBM, Google, Oxford roadmaps all converge here.

6,700

IBM Heron r2 Qubits (2025)

Current state-of-the-art. Noisy, not fault-tolerant. Gap to threshold: ~994K qubits.

NOW

Harvest-Now Attacks Active

State actors collect encrypted traffic today to decrypt once quantum hardware exists.

2030

NIST Deprecation Deadline

NIST IR 8547: RSA/ECC deprecated after 2030, disallowed after 2035.

02 / 09

RSA Key Size Threat Matrix

All Key Sizes Are Vulnerable

Any RSA key can be broken by a sufficiently large quantum computer running Shor's algorithm. Only the timeline differs.

Key Size	Classical Security	Qubits Needed	Crack Time (QC)	Status
RSA-512	Broken classically (1999)	~2,000	Minutes	● Broken
RSA-1024	Insecure (deprecated)	~25,000	Hours	● Critical
RSA-2048	Current standard (~112-bit)	<1,000,000	~5 days	● At Risk ~2031
RSA-3072	128-bit classical equivalent	~2,000,000	~2–3 weeks	● At Risk ~2034
RSA-4096	Strong classical, still used	~4,000,000	~1–2 months	● At Risk ~2036+
Post-Quantum	Quantum-resistant	N/A	N/A	● Safe

03 / 09

Qubit Requirements Over Time

The Floor Is Collapsing

20M qubits in 2019. Under 100K in 2026. Hardware is now catching up to theory.

Year

Physical Qubits to Break RSA-2048

Notes

2019

Gidney & Ekerå

20M

20M qubits · 8 hours

2022

Regev (NYU)

5M qubits · 24 hours

2024

Ragavan & Vaikuntanathan

2M qubits · 36 hours

2025

Gidney (Google)

<1M

<1M qubits · 5 days

2026

Iceberg Quantum (est.)

~100K

~100K · 10 days

04 / 09

Post-Quantum Cryptography

The Replacements Are Ready

NIST finalized three standards in August 2024. They are production-ready now. OpenSSL 3.5+ supports all three. Migration could take 2–5 years for large organizations.

FIPS 203 · Finalized Aug 2024

ML-KEM

Key Encapsulation — primary standard for general encryption. Replaces RSA/ECDH.

Module-Lattice (CRYSTALS-Kyber)

● Ready to deploy

FIPS 204 · Finalized Aug 2024

ML-DSA

Digital Signatures — primary post-quantum signature standard.

Module-Lattice (CRYSTALS-Dilithium)

● Ready to deploy

FIPS 205 · Finalized Aug 2024

SLH-DSA

Digital Signatures — stateless hash-based backup to ML-DSA.

Stateless Hash-Based (SPHINCS+)

● Ready to deploy

FIPS 206 · In development

FN-DSA

Digital Signatures — compact lattice-based signatures (FALCON).

NTRU-Lattice (FALCON)

● Draft standard

Selected Mar 2025 · Final ~2027

HQC

Key Encapsulation — backup to ML-KEM with different math basis.

Code-Based (Hamming Quasi-Cyclic)

● Finalizing 2027

All resist Shor's & Grover's.
Migrate now.
OpenSSL 3.5+ supports all.

05 / 09

Latest Developments

The Threat Is Accelerating

Three major papers in Q1 2026 have rewritten the timeline. Algorithmic improvement is outrunning hardware.

Apr 2026

Iceberg Quantum's Pinnacle Architecture: RSA-2048 With 100,000 Qubits

The Quantum Insider

→

Mar 2026

Q-Day Just Got Closer: Three Papers in Three Months Rewrite the Quantum Threat Timeline

The Quantum Insider

→

Mar 2026

Google, Ethereum & Stanford: Elliptic Curve Vulnerable With Under 500K Qubits

Google Quantum AI / arXiv

→

May 2025

Gidney (Google): RSA-2048 Breakable in Under a Week With <1M Qubits

Quantum Insider · arXiv:2505.15917

→

Mar 2025

NIST Selects HQC as Fifth Post-Quantum Algorithm

NIST

→

Aug 2024

NIST Finalizes First Three Post-Quantum Standards (FIPS 203–205)

NIST

→

06 / 09

What To Do

Don't Wait for Q-Day

Harvest-now, decrypt-later attacks are happening today. Data you encrypt now using RSA could be exposed in 5–8 years.

Conduct a cryptographic inventory

Map every system using RSA, ECC, or DH. Focus on TLS endpoints, VPNs, PKI, email signing, and code signing.

TLSPKIVPNEmail

Prioritize long-lived sensitive data

Data that must stay secret past 2030 is already at risk from harvest-now attacks active today.

HIPAAFinanceGovIP

Migrate to NIST PQC standards

FIPS 203/204/205 are finalized and production-ready. OpenSSL 3.5+, BoringSSL, and liboqs support them.

ML-KEMML-DSAOpenSSL 3.5+

Build crypto-agility

Design systems to swap cryptographic primitives without rewriting app logic. Hardcoded algorithms are the main migration blocker.

ArchitectureDevSec

Know your regulatory deadlines

NIST IR 8547: deprecated after 2030, disallowed after 2035. NSA CNSA 2.0: quantum-safe national-security systems by Jan 2027.

NIST IR 8547CNSA 2.0NIS2

07 / 09

Glossary

Key Terms

RSA

Public-key cryptosystem whose security relies on the difficulty of factoring large primes on a classical computer.

Shor's Algorithm

A quantum algorithm (1994) that factors integers exponentially faster. Breaks all practical RSA key sizes.

CRQC

Cryptographically-Relevant Quantum Computer. Capable of breaking real-world encryption. Estimated ~2030–2032.

Q-Day

The day a CRQC first runs Shor's against real encryption. 50%+ probability by 2035; median 2030–2032.

Harvest Now, Decrypt Later

State actors record encrypted traffic today to decrypt once a CRQC arrives. Makes current RSA data retroactively vulnerable.

Fault-Tolerant QC

A QC with error-correction capable of long computations. Required to run Shor's at cryptographic scale.

Logical Qubit

Error-corrected qubit built from many noisy physical qubits. RSA-2048 needs ~1,400 logical = ~1M+ physical.

ML-KEM (Kyber)

NIST's primary post-quantum standard for key exchange. Replaces RSA and ECDH. Finalized as FIPS 203, Aug 2024.

Crypto-Agility

Architectural property allowing cryptographic algorithms to be swapped without rewriting application logic.

08 / 09