When Will Quantum Computers Break Encryption? The Timeline Debate That Misses the Point
Google recently pegged the potential damage from quantum threats at over $100 billion. Intelligence agencies and Big Tech are pouring billions into the problem. Yet among working cryptography engineers, there’s surprisingly little consensus on when the threat actually materializes. The real question, though, might not be “when” at all.
What Is a CRQC, and Why Should You Care
CRQC stands for Cryptographically Relevant Quantum Computer — a quantum machine powerful enough to actually break the public-key cryptography we use today. Think RSA, elliptic-curve cryptography, the stuff underpinning TLS, digital signatures, and key exchange across the entire internet.
Today’s quantum computers aren’t remotely close. Breaking RSA-2048 requires thousands of logical qubits. Current hardware struggles with a few thousand physical qubits — and the gap between physical and logical qubits is enormous, filled with error correction overhead.
The threat comes from Shor’s algorithm, which lets a sufficiently powerful quantum computer solve integer factorization and discrete logarithm problems exponentially faster than classical machines. Those two problems are the mathematical bedrock of modern internet security.
The Timeline War: 2035, 2045, or Never
Ask three cryptographers when a CRQC arrives and you’ll get three answers.
The aggressive camp says mid-2030s. They point to roadmaps from Google and IBM, rapid advances in error correction, and the fact that the NSA started pushing post-quantum migration back in 2015. If the NSA is worried, maybe you should be too.
The moderate camp says 2040s. Their argument: extrapolating current progress linearly, stable operation of thousands of logical qubits is still far off. Reducing error rates is a fundamentally harder problem than adding more qubits.
The skeptics say decades away, possibly never. Firms like CoinShares have published reports arguing the quantum threat is overhyped. They lean on the physical limits of quantum error correction as their evidence.
What Actually Keeps Cryptographers Up at Night
Here’s the twist: the engineers closest to the problem aren’t losing sleep over the exact date a CRQC arrives.
Their first concern is Harvest Now, Decrypt Later. Nation-state actors are almost certainly hoovering up encrypted traffic today — diplomatic cables, military communications, corporate secrets — and storing it. When a CRQC eventually comes online, they decrypt the archive in one sweep. Whether that’s in 15 years or 30, the data captured today is already compromised in principle.
Their second concern is migration timelines. Replacing cryptographic primitives across large-scale systems typically takes 10 to 15 years. The U.S. government finalized its NIST post-quantum standards in 2024 and gave federal agencies until 2035 to complete the transition. That’s an eleven-year runway, and insiders consider it tight. If a CRQC arrives by 2040, organizations starting migration in 2025 are already cutting it close.
Where Post-Quantum Migration Stands Today
NIST published its first three post-quantum cryptography standards in August 2024: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA for hash-based signatures. In 2025, HQC, a code-based algorithm, was added as a fourth standard.
The early movers are already deploying. Chrome has been experimentally integrating ML-KEM into TLS handshakes since 2024. Signal adopted PQXDH, a post-quantum key exchange protocol. AWS and Cloudflare are rolling out post-quantum TLS support in stages.
But most organizations haven’t even started. The majority can’t tell you which cryptographic algorithms are running where in their own systems. That’s why cryptography engineers consistently recommend the same first step: build a crypto inventory. You can’t migrate what you can’t find.
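As an added example (not from the original article), the sketch below triages a crypto inventory under the Harvest Now, Decrypt Later reasoning and the timeline camps described earlier: traffic recorded today is at risk only through a Shor-vulnerable key exchange, and only if the data must still be secret when a CRQC arrives. The record fields, action labels, substring-based classifier and the 2025 capture year are illustrative assumptions, and every inventory row is constructed.

```python
from dataclasses import dataclass

# Post-quantum families named in the article; checked first because "ML-DSA"
# contains "DSA" and hybrid groups such as X25519MLKEM768 contain "X25519".
POST_QUANTUM = ("ML-KEM", "MLKEM", "ML-DSA", "SLH-DSA", "HQC")
# Families that rest on factoring or discrete logs, which Shor's algorithm solves.
SHOR_VULNERABLE = ("RSA", "ECDSA", "ECDH", "X25519", "SECP", "FFDHE", "DSA")

@dataclass
class Record:                 # one row of a (constructed) crypto inventory
    asset: str
    role: str                 # "key-exchange", "signature" or "encryption"
    algorithm: str
    secrecy_years: int        # how long the protected data must stay confidential

def classify(algorithm: str) -> str:
    name = algorithm.upper()
    if any(tok in name for tok in POST_QUANTUM):
        return "pq"
    if any(tok in name for tok in SHOR_VULNERABLE):
        return "vulnerable"
    return "unknown"          # e.g. symmetric ciphers: not a Shor target, review separately

def triage(records, crqc_year: int, capture_year: int = 2025) -> dict:
    """Map asset -> action for an assumed CRQC arrival year."""
    out = {}
    for r in records:
        kind = classify(r.algorithm)
        if kind == "pq":
            out[r.asset] = "ok"
        elif kind == "unknown":
            out[r.asset] = "review"
        # Recorded traffic is only at risk through its key exchange, and only
        # if the data still needs secrecy when the CRQC arrives.
        elif r.role == "key-exchange" and capture_year + r.secrecy_years > crqc_year:
            out[r.asset] = "migrate-now"
        else:
            out[r.asset] = "migrate-before-crqc"
    return out

INVENTORY = [  # constructed sample rows, not real systems
    Record("vpn-gateway", "key-exchange", "ECDH-secp256r1", 25),
    Record("hr-archive-sync", "key-exchange", "RSA-2048", 15),
    Record("public-web", "key-exchange", "X25519", 5),
    Record("code-signing", "signature", "ECDSA-P256", 0),
    Record("edge-proxy", "key-exchange", "X25519MLKEM768", 25),
    Record("backup-store", "encryption", "AES-256-GCM", 30),
]

if __name__ == "__main__":
    for year in (2035, 2045):   # the two timeline camps from the article
        print(year, triage(INVENTORY, year))
```

Moving the assumed arrival year from 2035 to 2045 changes the action for only one asset; the long-lived VPN traffic is in the migrate-now bucket either way.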
The Bitcoin Question
No quantum threat discussion is complete without someone asking about crypto — the financial kind. Bitcoin uses ECDSA signatures and SHA-256 hashing. Shor’s algorithm targets the ECDSA part, meaning a CRQC could theoretically derive private keys from exposed public keys and drain wallets.
In practice, there are buffers. Most Bitcoin addresses use hashed public keys, so the actual public key isn’t exposed until a transaction is broadcast. The Bitcoin community is already discussing post-quantum signature schemes. But with trillions of dollars at stake, Google’s $100 billion risk estimate doesn’t feel like hyperbole.
The Point Everyone Keeps Missing
The message from working cryptographers is remarkably consistent: stop arguing about whether a CRQC arrives in 2035 or 2050. It doesn’t matter.
Large-scale cryptographic migration is a decade-plus project regardless of the deadline. Harvest Now, Decrypt Later attacks are likely already underway. And the NIST standards are finalized — there’s no technical blocker left, only organizational inertia.
The question was never whether quantum computers will break encryption. It’s whether we’ll be ready when they do.