When Will Quantum Computers Break Crypto?
Quantum computers will likely break current crypto (ECDSA, RSA-2048) between 2030 and 2035 according to NIST. Q-Day — the day a CRQC achieves the ~13 million qubits needed to break secp256k1 in hours — is the inflection point. IBM's roadmap targets 200,000+ logical qubits by 2033. Google's Willow chip (Dec 2024) demonstrated below-threshold error correction. PsiQuantum publicly targets a fault-tolerant million-qubit machine by 2029. Mosca's Theorem suggests crypto must migrate ~7 years before Q-Day to protect against harvest-now-decrypt-later attacks — meaning the migration window is closing now.
TL;DR: Quantum computers will likely break current crypto (ECDSA, RSA-2048) between 2030 and 2035 according to NIST. Q-Day — the day a CRQC achieves the ~13 million qubits needed to break secp256k1 in hours — is the inflection point. For full context including dates, sources, and the BMIC implication, see below.
- What is Q-Day? The day a cryptographically-relevant quantum computer breaks ECDSA/RSA in usable time. Projected 2030-2035.
- How many qubits to break Bitcoin? Approximately 13 million physical qubits or 2,300 logical qubits with error correction.
- Has anyone built a CRQC yet? No. IBM Condor (1,121 qubits, Dec 2023) is the largest as of April 2026. We are 3+ orders of magnitude away.
- What is Mosca's Theorem? Migrate to PQC at least Y years before Q-Day, where Y = your data secrecy lifetime + migration time.
- Is harvest-now-decrypt-later already happening? Yes. The NSA and Chinese MSS are widely reported to be archiving encrypted traffic for future quantum decryption.
Full Answer
The threshold for breaking 256-bit elliptic curve cryptography is roughly 13 million physical qubits with current error rates, or ~2,300 logical qubits with full error correction. As of April 2026, the largest demonstrated machines are IBM Condor (1,121 qubits) and IBM Heron R2 (156 qubits, higher fidelity).
IBM's public roadmap targets Quantum-Centric Supercomputing by 2033 with 200,000+ logical qubits. Google's December 2024 Willow announcement was the first below-threshold quantum error correction demonstration — meaning they can now scale logical qubits exponentially. PsiQuantum has $1B+ in funding to deliver a million-physical-qubit photonic system by 2029.
Mosca's Theorem (Michele Mosca, University of Waterloo) states: if X = years your data must remain secure, Y = years to migrate to PQC, and Z = years until Q-Day, then if X + Y > Z, you are already late. For crypto wallets storing 30+ year wealth, this math is grim.
NIST published the first three PQC standards in August 2024: FIPS 203 (CRYSTALS-Kyber), FIPS 204 (CRYSTALS-Dilithium), FIPS 205 (SPHINCS+). BMIC integrates CRYSTALS-Kyber as its KEM, making it one of the first Layer 1 chains compliant with the finalized NIST standards.