Over the last several years, academia and industry have been converging on a shorter and more realistic timeline to Q-Day. While new research continues to move the Q-Day timeline up to 2028-2030, the scale and scope of the impact have been less clear. Broadly, the expectation has been that quantum attacks on cryptography would be serious, but there has been less information on which to base estimates of their speed, accessibility, and breadth. Two new research papers, released within a day of each other, add technical weight to the view that the shorter timelines are credible and provide new clarity about the likely impact. They show that the machines capable of breaking today’s cryptography may be smaller, cheaper, and more practical than earlier models suggested, which means the consequences of Q-Day are likely to be broader and more disruptive than previously assumed.[1]
The first paper, from Google Quantum AI, is titled “Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations.” It examines a very specific target, the elliptic curve used by Bitcoin and Ethereum, known as secp256k1. This curve is the mathematical foundation behind the digital signatures that prove ownership of cryptocurrency coins. If someone can solve the underlying elliptic curve discrete logarithm problem, they can forge signatures and steal funds. Google’s team set out to determine what it would take for a future quantum computer to run Shor’s algorithm against this curve in the real world.
Earlier estimates often spoke of millions of physical qubits and long runtimes. Google revisits the problem with more efficient circuits, improved error-correction layouts, and realistic assumptions about a fast superconducting quantum processor. Their updated resource estimates show that Shor’s algorithm on secp256k1 can be run with roughly 1,200 logical qubits and about 90 million Toffoli gates. When translated into a concrete superconducting architecture with reasonable error rates, this corresponds to fewer than 500,000 physical qubits. On a fast-clocked machine, the total runtime to break a single key could be as little as 9 minutes.
To put that in everyday terms, imagine that the old story said you needed a machine the size of a power plant to break a key, running for weeks. The new story says you need a machine the size of a large data center, and once you have it, you can break a key in the time it takes to brew a pot of coffee. The machine is still extremely hard to build, but the gap between impossible and feasible has narrowed dramatically.
The paper then connects these estimates to real-world behavior in the cryptocurrency market. Many Bitcoin and Ethereum addresses have already exposed their public keys on chain. These keys are like padlocks whose shapes are visible to everyone. Once a quantum computer at the scale described exists, an attacker could compute the corresponding private keys and steal funds from these exposed addresses. Google estimates that millions of dollars’ worth of Bitcoin fall into this vulnerable category. Even more concerning, the paper shows that with a 9-minute attack time, an attacker could potentially steal funds during a transaction. When a user broadcasts a transaction, their public key becomes visible in the mempool (the waiting area where new cryptocurrency transactions sit before being added to a block) before the transaction is confirmed. A quantum attacker could conceivably create a race condition with the honest transaction and redirect the funds.
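The "vulnerable category" above is a property a defender can inventory from chain data: a key is exposed once it appears in a P2PK output or in the unlocking script of a spend, and funds still sitting behind an exposed key are the at-rest targets the paper counts. The following is an added example, not code from the article or from Google's paper; the ledger is a constructed toy (three transactions, integer satoshis) and the `classify` labels are assumptions of this example.

```python
"""Inventory of addresses whose public keys are already exposed on chain.

Added example (not from the article or the Google paper). Model used here:
 - a P2PK output places the raw public key directly in the output script;
 - a P2PKH address reveals its key only when an input spends from it
   (the unlocking script carries the public key);
 - a non-zero balance behind an exposed key is an at-rest target.
The ledger below is constructed sample data, not real chain data.
"""
from collections import defaultdict

TXS = [  # constructed: inputs = (address, sats, pubkey), outputs = (address, sats, type)
    {"id": "tx1", "inputs": [],
     "outputs": [("addrA", 500_000_000, "p2pkh"), ("pkB", 200_000_000, "p2pk")]},
    {"id": "tx2", "inputs": [("addrA", 500_000_000, "pubkeyA")],
     "outputs": [("addrC", 300_000_000, "p2pkh"),
                 ("addrA", 190_000_000, "p2pkh")]},   # change sent back: address reuse
    {"id": "tx3", "inputs": [("addrC", 300_000_000, "pubkeyC")],
     "outputs": [("addrD", 290_000_000, "p2pkh")]},
]


def classify(txs):
    """Label every address seen in the ledger (labels are this example's own)."""
    balance = defaultdict(int)
    exposed = set()
    for tx in txs:
        for addr, sats, _pubkey in tx["inputs"]:
            balance[addr] -= sats
            exposed.add(addr)          # spending revealed the public key
        for addr, sats, kind in tx["outputs"]:
            balance[addr] += sats
            if kind == "p2pk":
                exposed.add(addr)      # raw key is visible in the output itself
    report = {}
    for addr, sats in balance.items():
        if addr in exposed and sats > 0:
            report[addr] = "exposed_at_rest"   # target for a days-long attack
        elif addr in exposed:
            report[addr] = "exposed_empty"     # key known, nothing left to take
        else:
            report[addr] = "key_hidden"        # only the mempool window applies
    return report


def exposed_at_rest_sats(txs):
    """Total satoshis sitting behind keys that are already public."""
    balance = defaultdict(int)
    for tx in txs:
        for addr, sats, _ in tx["inputs"]:
            balance[addr] -= sats
        for addr, sats, _ in tx["outputs"]:
            balance[addr] += sats
    labels = classify(txs)
    return sum(s for a, s in balance.items() if labels[a] == "exposed_at_rest")
```

Until post-quantum signature schemes are deployed on these chains, the only remedy for an `exposed_at_rest` address is to move its funds to a never-spent address, which removes the at-rest exposure but still leaves the brief mempool window the paper describes.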
Google does not soften the implications. The paper states that these improved resource estimates “challenge conventional wisdom regarding the timeline of the threat” and that “the margin for error is increasingly narrow.” The authors urge an immediate transition to post-quantum cryptography because the effort itself takes years. Google’s public announcements released alongside the paper reinforce this urgency. The company set an internal deadline of around 2029 to complete its own post-quantum transition. The technical work shows that once a quantum computer capable of performing cryptographic operations exists, breaking a key takes trivially little time. The corporate roadmap signals that Google now views the overall threat window as converging on the end of this decade.
The second paper, released the next day, comes from a collaboration between Caltech and Oratomic. Titled “Shor’s algorithm is possible with as few as 10,000 reconfigurable atomic qubits”, it explores a different hardware path. Instead of fast superconducting qubits, it focuses on neutral atom quantum computers that trade speed for compactness. The authors ask a different question: how small can a fault-tolerant quantum computer be while still running Shor’s algorithm on cryptographically relevant problems?
Their approach uses reconfigurable arrays of neutral atoms combined with advanced quantum error correcting codes known as high-rate quantum LDPC codes. A simple analogy helps. Traditional surface codes are like building a thick stone wall. You stack many physical qubits to protect each logical qubit, which leads to millions of bricks. High-rate LDPC codes are more like a clever lattice of beams and supports, where the same amount of material protects many more rooms at once. You get more logical qubits per physical qubit, at the cost of more complex control.
By exploiting these codes, along with efficient logical gate constructions and parallelism, the authors show that Shor’s algorithm for elliptic curve cryptography with 256-bit keys and RSA 2048 can be run with dramatically fewer physical qubits than surface-code-based designs. Their space-efficient architecture needs roughly 9,700 to 13,300 physical qubits. Their time-efficient designs, which use more qubits to gain speed, require around 26,000 qubits for ECC 256 with a runtime of about 10 days, and around 102,000 qubits for RSA 2048 with a runtime of roughly 97 days.
This means that you do not necessarily need half a million or a million qubits to threaten modern cryptography. You can instead build a smaller, slower, less expensive, but still fully fault-tolerant machine that fits into the 10,000 to 100,000 qubit range and still runs Shor’s algorithm on real-world key sizes. The attack takes days instead of minutes, but for many targets, especially at-rest keys that sit unmonitored in exposed addresses or archives, days are more than fast enough.
The Caltech and Oratomic work also compares its qubit count to prior surface code estimates and finds reductions of one to two orders of magnitude. This matters because fewer qubits mean fewer control lines, fewer lasers, fewer cryogenic channels, and fewer engineering challenges. The scale, complexity, and cost of building a cryptographically relevant quantum computer are all implicitly lowered. A project that once looked like a moonshot is starting to look more like a large, but achievable, national or corporate program.
When these two papers are viewed together, they form a coherent and mutually reinforcing argument. Google shows that a fast superconducting machine with under 500,000 physical qubits could break secp256k1 in minutes. Caltech shows that a compact neutral-atom machine with as few as 10,000 to 26,000 qubits could run the same class of attacks in a matter of days. One path is fast and larger, the other is compact and slower, but both land in the realm of large but buildable rather than fantastical. The old comfort that millions of qubits were required no longer holds.
This convergence should reshape how we think about Q-Day, the moment when quantum computers can practically break widely deployed public key systems. The arrival date is no longer safely parked in the distant future. Lower resource requirements from both hardware paradigms make a cryptographically relevant quantum computer cheaper and more feasible sooner than older models implied. Once such a machine exists, the time to break keys is short: minutes in the Google scenario, days in the Caltech scenario. That affects not only long-lived, at-rest data, but also potentially active transactions where public keys are briefly exposed.
The vulnerable surface is also larger than older models suggested. If only machines with millions of qubits posed a threat, the pool of adversaries would be limited to the wealthiest nation-states. If machines with tens of thousands of qubits can already run Shor’s algorithm on ECC 256 and RSA 2048, the financial barrier to entry drops. The field of potential attackers expands to include less wealthy hostile states and, over time, well-funded criminal organizations. The set of vulnerable systems expands from a handful of strategic targets to a broad swath of exposed keys across cryptocurrencies, financial systems, secure communications, and archived data.
Both papers converge on the same recommendation. The transition to post-quantum cryptography must begin now because it will take years. Google’s (and IBM’s) 2029 internal deadline is a concrete example of how seriously a major player is treating that timeline.
The unavoidable conclusion is that the combination of these two papers creates a credible case that Q-Day could materialize sooner than many expected. The financial and engineering barrier to building a cryptographically relevant quantum computer is significantly lower than the old narrative suggested. As a result, the pool of potential attackers is broader, and the real-world consequences, once such machines exist, are likely to be more widespread and more rapid. The prudent response is not alarm, but acceleration. The window for safe transition is narrowing.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://six3ro.substack.com/p/quantum-threats-are-moving-from-theory