Expert technical analysis on quantum computing, post-quantum cryptography, and quantum-safe infrastructure for Ireland and the EU.
Quantum Threat Intelligence | Ireland | EU
Meta Description: When will quantum computers break encryption? Michael English, Irish quantum expert, analyses the CRQC timeline from IBM, Google, NIST and NSA perspectives. EU and Ireland impact.
Target Keywords: when will quantum computers break encryption, CRQC timeline 2025, quantum threat timeline Ireland, quantum computer break RSA when, quantum computing threat 2030 EU
"When will a quantum computer break encryption?" is simultaneously the most important and most uncertain question in cybersecurity. The answer determines the urgency of post-quantum migration and, for those handling sensitive long-lived data, whether you're already too late.
In this analysis, I'll give you the most honest, evidence-based timeline I can, drawing on public statements from NIST, NSA, IBM, Google, academic researchers, and intelligence community assessments. I'll also explain why the precise date matters less than most people think — and what the right response is regardless.
The vague question "when will quantum computers be powerful enough?" needs precision. Security researchers use the term Cryptographically Relevant Quantum Computer (CRQC) — a quantum computer capable of running Shor's algorithm at sufficient scale to break RSA-2048 or ECDH P-256 within a reasonable time frame (hours to days, not millions of years).
The specifications for a CRQC (per Craig Gidney and Martin Ekerå's landmark 2021 paper "How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits"):
This is the concrete target. Everything else follows from asking: when will a machine with these specifications exist?
Let's establish where we are:
IBM's publicly committed quantum roadmap:
| Year | System | Physical Qubits | Key Feature |
|---|---|---|---|
| 2021 | Eagle | 127 | First 100+ qubit system |
| 2022 | Osprey | 433 | 3× qubit increase |
| 2023 | Condor | 1,121 | First 1000+ qubit system |
| 2023 | Heron | 133 | Error rate reduction |
| 2024 | Flamingo | ~156 | Quantum communication research |
| 2025+ | Kookaburra and beyond | TBA | Modular multi-chip architecture |
IBM's 2023 roadmap revision was notable: they shifted from focusing purely on qubit count to emphasising error rates and quantum volume. The Heron processor has ~40× lower error rates than Condor, despite having far fewer qubits.
IBM's stated position: IBM has not publicly given a CRQC timeline. IBM Research leaders have noted that fault-tolerant quantum computation "at useful scale" likely requires 1 million+ physical qubits, which remains many years away.
Google Willow (December 2024): Google's 105-qubit Willow processor achieved a landmark: below-threshold quantum error correction. This means that as the code distance (number of physical qubits per logical qubit) increases, the logical error rate decreases. This is the key property required for fault-tolerant quantum computing and was not definitively demonstrated before Willow.
Google's paper demonstrated:
The second claim is carefully scoped — it's not a claim of general quantum advantage or progress toward a CRQC. Google's CEO Sundar Pichai projected "useful" quantum computing within 5–10 years. Breaking RSA-2048 specifically was not claimed.
Critical gap: Willow has 105 physical qubits. A CRQC needs ~20 million. The scaling challenge from 105 to 20 million qubits with progressively lower error rates involves:
Microsoft's topological qubit programme (Azure Quantum) achieved a significant milestone in 2023: the demonstration of topological qubit-like behaviour using nanowire-superconductor hybrids. If successful at scale, topological qubits could have intrinsically lower error rates, potentially dramatically reducing the physical-to-logical qubit ratio.
Microsoft has been cautious about timelines but their architecture (if it works) could change the scaling calculations significantly.
Trapped-ion systems achieve very low gate error rates (~99.9%+ fidelity per two-qubit gate) but scale slowly in qubit count. Quantinuum's H-series processors are arguably the highest-fidelity quantum systems available, but with 56 qubits (H2 processor), they remain far from CRQC territory.
NIST's post-quantum standardisation process documentation states: "It is now widely accepted that a quantum computer capable of breaking current public-key cryptographic standards could be built within the next decade." NIST began the standardisation process in 2016 precisely because a 10+ year migration window demands starting now.
The U.S. National Security Agency's Commercial National Security Algorithm Suite 2.0 sets mandatory PQC migration requirements for National Security Systems. NSA's implicit timeline assumption (based on migration deadlines):
NSA's stated rationale: these timelines protect against adversaries who are today harvesting encrypted NSS traffic for future decryption.
ENISA's report "Post-Quantum Cryptography: Current State and Quantum Mitigation" assessed: "In 10–15 years, quantum computers may be able to break current public-key encryption." ENISA recommended beginning migration "as soon as possible" for critical infrastructure, financial systems, and long-lived data.
Michele Mosca (University of Waterloo / Global Risk Institute): Mosca's annual surveys of quantum computing researchers consistently find median estimates of 1-in-7 chance of a CRQC by 2026, 1-in-2 by 2031. His framing emphasises the distribution of probabilities, not a single date.
Scott Aaronson (UT Austin): More skeptical than many — Aaronson believes a general-purpose CRQC is likely "many decades" away but acknowledges the security community should prepare now given the severity of consequences if wrong.
John Preskill (Caltech): Coined the term "quantum supremacy" and has been careful to distinguish near-term noisy quantum processors (NISQ devices) from fault-tolerant machines needed for Shor's algorithm. Preskill emphasises we are still in the NISQ era.
The most meaningful signal about quantum timelines may come not from public statements but from government actions:
NSA 2022 CNSA Suite 2.0: Mandating PQC migration by 2025-2033 implicitly assumes a CRQC is possible before 2035, or that nation-state actors are harvesting traffic today for future decryption.
EU Quantum Flagship funding (€1B): The scale of EU investment signals belief that quantum computing is strategic infrastructure, not a speculative bet.
US Intelligence Community reports: Unclassified assessments note that state actors (specifically naming China and Russia) are investing heavily in quantum computing with the explicit goal of breaking cryptography.
China's quantum investments: China has invested an estimated $15B+ in quantum technology — comparable to all Western government quantum investments combined. Key Chinese quantum milestones include Jiuzhang photonic processors and Zuchongzhi superconducting processors.
The most security-critical insight is that you don't need a CRQC to be threatened today.
Nation-state adversaries are almost certainly:
The targets are high-value, long-lived sensitive communications: diplomatic cables, defence procurement, intelligence assessments, commercial IP, healthcare data, financial long-term contracts.
AWS S3 storage costs approximately $0.023/GB/month. Recording and storing 1 TB/day of filtered encrypted traffic costs approximately $690/year in storage. For a nation-state adversary, this is negligible. The investment in "harvest now" is trivial compared to the potential value of "decrypt later."
If your data must remain confidential for:
Dr. Michele Mosca's risk framework:
Quantum risk is unacceptable if:
(time to CRQC) < (migration time) + (data sensitivity period)
Where:
If you start migration today with a 3-year project timeline, and a CRQC arrives in 8 years, you complete migration in 2028, and data encrypted after 2028 is quantum-safe. Data encrypted before 2028 (but after harvest activities began) may eventually be vulnerable.
For most Irish businesses: Begin migration now. The downside of starting early (cost, complexity) is vastly smaller than the downside of starting late (breached historical data, regulatory liability, customer trust destruction).
The following technical milestones, if achieved, would significantly shorten CRQC timeline estimates:
The honest answer to "when will quantum computers break encryption" is: we don't know precisely, but the consequences of being wrong are catastrophic and irreversible. Encrypted data stolen today cannot be un-stolen.
The rational response is risk-proportionate action now:
There is no consensus on the exact year a CRQC will arrive. Estimates range from "probably within 10 years" (NSA/NIST implicit) to "many decades" (some academic skeptics). What is not in dispute: the threat is real, the harvest-now-decrypt-later attack is happening now, migration takes years, and the standards to migrate to are finalised and ready.
The quantum computing industry is making genuine progress. Google's Willow demonstration of below-threshold error correction removed a fundamental barrier to fault-tolerant computing. IBM's aggressive roadmap, Microsoft's topological qubit bets, and massive Chinese investment all point to a CRQC timeline measured in years, not decades.
For Irish and EU businesses: the responsible position is to treat the CRQC as a 2030–2035 event and plan accordingly. Start now.
Michael English is Co-Founder & CTO of IMPT.io. He provides quantum security analysis for Irish and EU enterprises. Based in Clonmel, Co. Tipperary, Ireland.
Keywords: when will quantum computers break encryption, CRQC timeline 2025 2030, quantum threat timeline Ireland EU, harvest now decrypt later, quantum computer RSA break date, Michael English quantum timeline