The honest position: a 100-qubit transmon is not Q-Day
Let's start where most vendors won't. A 100-physical-qubit superconducting machine — the configuration we are bringing online in Co. Tipperary — does not break RSA-2048. It does not break ECDSA over P-256. It does not, on its own, break ML-KEM, ML-DSA, or any of the lattice-based schemes that NIST finalised under FIPS 203, 204, and 205. Anyone telling Irish procurement leads otherwise is selling something.
The reason is straightforward and worth stating in engineering terms. Shor's algorithm against a 2048-bit RSA modulus needs roughly 4,000 logical qubits and on the order of 109 Toffoli gates, depending on the variant — Gidney and Ekerå's 2021 estimate puts it at around 20 million noisy physical qubits assuming surface-code distance ~27 and a 10-3 physical error rate. Today's transmons, ours included, sit at physical error rates in the low 10-3 range for two-qubit gates. The gap between 100 physical qubits and 20 million physical qubits is not a marketing gap. It is six to eight orders of magnitude in qubit count, and it is decades of engineering on cryogenic wiring, control electronics, fabrication yield, and surface-code decoding throughput.
So why does the Tipperary machine matter for post quantum cryptography Ireland? Because it forces the country to take the migration seriously, on a clock, and with hardware on the island that researchers can actually touch.
What Q-Day actually looks like for Ireland
Q-Day Ireland — the day a cryptographically-relevant quantum computer (CRQC) exists somewhere on Earth and can decrypt a captured TLS session or forge a signature — is not a single event. It is a window. Most credible estimates from the cryptographic community place that window between 2030 and the early 2040s, with significant uncertainty bars. The Irish problem is not whether we will be the ones building the CRQC. We will not be. The Irish problem is "harvest now, decrypt later": adversaries are storing encrypted Irish state traffic, financial settlements, health records, and IP today, against the day that decryption becomes feasible.
That means the migration deadline is not Q-Day. The migration deadline is now minus the shelf-life of the secret. A health record encrypted today with TLS 1.3 using X25519 key exchange has a confidentiality requirement of decades. If Q-Day arrives in 2035, the data exfiltrated in 2025 is still sensitive in 2035. The migration is already late for long-lived secrets.
The NIST PQ migration stack and where Ireland sits
The NIST PQ migration is concretely defined now. The standards landed in August 2024:
- FIPS 203 — ML-KEM (formerly Kyber): module-lattice key encapsulation. The general-purpose replacement for ECDH and RSA key transport.
- FIPS 204 — ML-DSA (formerly Dilithium): module-lattice digital signatures. The general-purpose replacement for ECDSA and RSA signatures.
- FIPS 205 — SLH-DSA (formerly SPHINCS+): hash-based signatures, stateless, conservative fallback for long-lived signing keys (firmware, root CAs).
- FIPS 206 (draft) — FN-DSA (Falcon): lattice signatures with smaller signatures than ML-DSA, harder to implement constant-time.
For ML-KEM Ireland deployments, the practical engineering work is hybrid key exchange — running X25519 and ML-KEM-768 in parallel and combining the shared secrets via a KDF. This is what Cloudflare, Google Chrome, and AWS are already shipping. The Irish public-sector estate is not. Most TLS terminators on Irish government services as of 2025 still negotiate classical-only suites, and very few have completed a cryptographic bill-of-materials (CBOM) exercise to even know where their RSA and ECDSA dependencies live.
Why a sovereign machine accelerates the work
There is a class of cryptographic research that is hard to do without access to real superconducting hardware on a contract you control. Three examples:
Side-channel and fault-injection research on PQ implementations
ML-KEM and ML-DSA implementations have known side-channel surfaces — the number-theoretic transform (NTT), rejection sampling in signing, and decapsulation failure handling are all sensitive. Hardware-aware adversary modelling benefits from access to real noisy quantum coprocessors that can run Grover-style searches over reduced parameter sets to validate that classical security margins survive realistic quantum speedups. A sovereign machine on Irish soil, governed by Irish data-protection law, lets researchers run these workloads without exporting sensitive implementation details to foreign cloud providers.
Hybrid algorithm benchmarking
Variational and hybrid algorithms — VQE, QAOA, and their cryptanalytic cousins — are the workloads where 100 physical qubits is genuinely useful. Running QAOA against small-instance lattice problems (LWE, SIS) on real hardware, with real noise, gives the Irish PQ research community calibration data that simulators do not. Heavy-hex topology, of the kind we are deploying, constrains which lattice-problem encodings are efficient — and that constraint is itself a research output.
Surface-code decoder development
The road from 100 physical qubits to a CRQC runs through the surface code. Decoder throughput — minimum-weight perfect matching, union-find, neural decoders — is the bottleneck nobody has solved at scale. Irish cryptographers, working alongside the device team in Tipperary, get to see the syndrome-extraction streams from a real device. That is the data you need to build credible threat models for when a CRQC actually arrives.
The migration playbook for Irish organisations
Independent of our hardware timeline, every Irish CISO, CTO, and head of architecture should be running the same four-step play this year:
- Cryptographic bill of materials. Inventory every TLS terminator, every signing key, every VPN concentrator, every code-signing pipeline, every HSM. You cannot migrate what you have not catalogued. Tools:
cryptosense,cbomkit, customnmap+testssl.shsweeps. - Classify by secret shelf-
Research collaboration or early access
Direct with Michael. No charge for the call.
Book a research call →