
CONCEPT Cited by 2 sources

Q-Day

Definition

Q-Day is the day a cryptographically-relevant quantum computer (CRQC) can break the asymmetric cryptography actively protecting deployed systems — RSA, classical Diffie-Hellman, elliptic-curve signatures and key-agreement. The term is Cloudflare / Google / IBM-Quantum-Safe community vocabulary; it names a capability threshold, not a specific date, but in operational writing it's used as a planning horizon.

The moving target

Q-Day is not a property of the cryptographic algorithm — it's a property of the attacker's combined hardware + error-correction + software capability. It pulls forward when any of three independent axes advance, because improvements compound (Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security):

  • Hardware — multiple paradigms in parallel (superconducting qubits, ion traps, neutral atoms, photonics, topological qubits); any one of them reaching scale triggers Q-Day.
  • Error correction — the ratio of physical to logical qubits. Nearest-neighbor superconducting machines need ~1,000 physical per logical; reconfigurable neutral-atom machines need as few as 3-4 physical per logical (Oratomic, 2026). Order-of-magnitude shifts on this axis collapse Q-Day estimates.
  • Software — Shor-family algorithms and architecture-specific optimizations. Google disclosed (via zero-knowledge proof, not the algorithm itself) a major speed-up against P-256 in early 2026.

The 2026 Cloudflare post summarises: "Q-Day has been pulled forward significantly from typical 2035+ timelines, with neutral atoms in the lead, and other approaches not far behind."

Typical timeline ranges (2026 snapshot)

  • Pre-2026 consensus: Q-Day ~2035+ on conservative estimates tracking superconducting-qubit scaling against RSA-2048.
  • April 2026 Cloudflare assessment: full PQ migration target 2029. Google's independent target: also 2029. IBM Quantum Safe CTO: "can't rule out quantum moonshot attacks on high-value targets as early as 2029."
  • Google's inferred concern horizon: 2030 — deduced from Google's public priority flip to authentication over HNDL (authentication is only the urgent threat if Q-Day is near).

These are not predictions. They are bounds on the earliest date by which the migration window must be closed. The deployment horizon is set by the floor, not by the most-likely date.

Q-Day and the migration priority flip

Q-Day's temporal distance changes which threat is dominant:

| Q-Day distance | Dominant threat | Primary response |
|---|---|---|
| Far (10+ years) | HNDL — adversary captures encrypted traffic now, decrypts after Q-Day | PQ encryption — key encapsulation |
| Near (<5 years) | Authentication attacks — forge credentials, impersonate servers at scale | PQ signatures + disable classical + rotate secrets |

This is why Cloudflare's 2022 rollout focused on PQ key exchange (mitigates HNDL) and the 2026 roadmap explicitly pivots to authentication.

Moonshot attacks vs scalable attacks

A distinction named in the 2026 IBM / Cloudflare analysis:

  • Moonshot attack — a one-off, expensive, high-value attack. Scarce / expensive CRQCs make this the first-generation threat. Targets: long-lived root keys, code-signing certs, trust anchors — see concepts/long-lived-key-risk. Priority: persistent-access keys first.
  • Scalable attack — cheap enough to break many keys. Changes the calculus: attacker may prefer to stay covert and re-focus on HNDL-style passive decryption so the break isn't detected via broken-key events. Sophie Schmieg's Enigma analogy — the British break of Enigma was only valuable because it stayed secret.

Why estimates go dark from here

Scott Aaronson, quoted in the Cloudflare post (end of 2025):

At some point, the people doing detailed estimates of how many physical qubits and gates it'll take to break actually deployed cryptosystems using Shor's algorithm are going to stop publishing those estimates, if for no other reason than the risk of giving too much information to adversaries. Indeed, for all we know, that point may have been passed already.

Cloudflare's statement: "That point has now passed indeed." Planning must now assume progress is being made that will not be publicly reported — Q-Day estimates become asymmetric (dates can surprise earlier but not later).

Q-Day ≠ one-flag-day

The naming is a hazard. "Q-Day" implies a single event; the reality is a capability spectrum that different attackers reach at different times. The deployment implication:

  • Migration windows must close before any attacker reaches Q-Day, not after a specific date.
  • Different cryptographic surfaces have different urgency: symmetric crypto (AES, SHA-2) only loses a square-root factor to Grover; RSA / ECDH / ECDSA fall entirely to Shor. The PQ migration is asymmetric-only.
  • Authentication migration has a long dependency chain (cert issuance + cross-signing + trust-anchor updates + HSMs + federated IdPs) — Cloudflare: "this effort will take on the order of years, not months."
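
The priority flip and the asymmetric-only scope described above can be applied to a cryptographic inventory as a triage pass. This is an added example, not code from Cloudflare, Google or IBM; the `Asset` fields, the `triage` function, the `near_below` cut-off and the inventory entries are all assumptions constructed for illustration, and distances between 5 and 10 years (which the table above does not cover) are treated as far unless `near_below` is raised.

```python
from dataclasses import dataclass

# Families as grouped on this page: Shor breaks these outright ...
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA"}
# ... while Grover costs these only a square-root factor (half the bits).
GROVER_ONLY = {"AES", "SHA-2"}

@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    bits: int
    role: str               # "key-agreement" or "signature"
    lifetime_years: float   # how long the key stays trusted

def triage(inventory, qday_years, near_below=5.0):
    """Return (migration_order, symmetric_kept, unclassified)."""
    migrate, keep, unknown = [], [], []
    for a in inventory:
        if a.algorithm in SHOR_BROKEN:
            migrate.append(a)
        elif a.algorithm in GROVER_ONLY:
            keep.append((a.name, a.bits // 2))   # effective bits under Grover
        else:
            unknown.append(a.name)               # needs manual review
    first_role = "signature" if qday_years < near_below else "key-agreement"
    # Dominant-threat role first; within a role, longest-lived keys first,
    # since long-lived roots and signing keys are the moonshot targets.
    migrate.sort(key=lambda a: (a.role != first_role, -a.lifetime_years))
    # Flag keys that would still be trusted after the assumed Q-Day floor.
    order = [(a.name, a.lifetime_years > qday_years) for a in migrate]
    return order, keep, unknown

# Constructed sample inventory (hypothetical names and lifetimes).
INVENTORY = [
    Asset("tls-key-exchange", "ECDH", 256, "key-agreement", 0.0),
    Asset("leaf-cert", "ECDSA", 256, "signature", 0.25),
    Asset("root-ca", "RSA", 4096, "signature", 20.0),
    Asset("code-signing", "ECDSA", 256, "signature", 3.0),
    Asset("disk-encryption", "AES", 256, "symmetric", 5.0),
    Asset("vendor-appliance", "proprietary", 0, "key-agreement", 5.0),
]

if __name__ == "__main__":
    for years in (3, 12):
        print(years, triage(INVENTORY, years))
```

With a 3-year floor the signing keys sort ahead of key exchange and the root CA leads; with a 12-year floor key exchange moves to the front, matching the HNDL-first ordering.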

Seen in

  • sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security — canonical instance. 2026 Q-Day reassessment: Oratomic's 10,000-qubit P-256 break + Google's algorithmic speed-up + neutral-atom error-correction advantage compress Q-Day toward 2029-2030. IBM Quantum Safe CTO bound: "cannot rule out 2029 moonshot attacks." Cloudflare's migration target 2029.
  • sources/2026-03-31-google-safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly — disclosure-methodology landmark for the Google algorithmic speed-up that drives the 2026 Q-Day pull-forward. Producer-side framing: ZKP-based substantiation ([[patterns/zkp-capability-disclosure]]) as the responsible-disclosure primitive for an attack that is too important to keep secret and too dangerous to publish. Explicitly acknowledges the 2026 Q-Day reassessment is being driven by cryptographic-breakthrough claims that can only be proven to exist via ZKP, not peer-reviewed in the classical sense — consistent with Scott Aaronson's "public progress estimates will now go dark" framing on the Cloudflare side.