Cryptographically Relevant Quantum Computer (CRQC): The Threat Timeline

IBM

Superconducting · Largest 2026: ~1,121 physical (Condor) · CRQC verdict: not yet

IBM has the most detailed public roadmap toward fault tolerance, targeting its Starling machine with around 200 logical qubits by 2029 and far larger error-corrected systems by the early 2030s. Breaking RSA-2048 needs thousands of logical qubits running deep circuits, so even Starling would not be a CRQC. IBM is nonetheless the clearest yardstick for how fast the threshold is approaching.

ibm.com →

Google Quantum AI

Superconducting · Willow 105 qubits, below-threshold · CRQC verdict: not yet

Google’s Willow chip showed error rates falling as a code grows, the key sign that error correction can scale, and the team targets a useful fault-tolerant machine around the end of the decade on a path toward a million physical qubits. That milestone is about scientific utility rather than code-breaking. A CRQC would still sit several hardware generations beyond it.

quantumai.google →

Quantinuum

Trapped ion · Highest fidelity, Helios · CRQC verdict: not yet

Quantinuum builds the highest-fidelity qubits in the industry, which lowers the number of physical qubits needed per logical qubit and so shortens the road to fault tolerance. Its roadmap targets hundreds of logical qubits by the end of the decade. Reaching the thousands of logical qubits that define a CRQC remains a longer-term goal.

quantinuum.com →

IonQ

Trapped ion · Forte / Tempo · CRQC verdict: not yet

IonQ has set aggressive targets for thousands of logical qubits early in the 2030s, helped by its acquisition of the chip-based ion specialist Oxford Ionics. Those numbers would put code-breaking within reach if fidelities and connectivity hold up at scale. For now no IonQ system is close to a CRQC.

ionq.com →

PsiQuantum

Photonic · Targeting ~1M physical qubits · CRQC verdict: not yet

PsiQuantum skips small machines and aims straight for a utility-scale, fault-tolerant photonic computer with around a million physical qubits, which is the regime where code-breaking becomes conceivable. The company is building large fabrication and cryogenic plant to get there. If it delivers on schedule it would be among the first credible routes to a CRQC.

psiquantum.com →

QuEra Computing

Neutral atom · Aquila 256, 48 logical demonstrated · CRQC verdict: not yet

QuEra and its Harvard collaborators ran one of the largest logical-qubit demonstrations to date, and neutral atoms scale to large arrays quickly. Its roadmap pushes toward hundreds and then thousands of logical qubits over the coming years. Like every other platform it is still far from the depth and error rates a CRQC demands.

quera.com →

Atom Computing

Neutral atom · 1,000+ physical qubits · CRQC verdict: not yet

Atom Computing was first to announce a platform with more than a thousand physical qubits and has partnered with Microsoft to deliver logical qubits commercially. Raw physical qubit counts are necessary but not sufficient, since error correction consumes most of them. A CRQC needs those qubits organised into thousands of stable logical ones.

atom-computing.com →

Origin Quantum / USTC (China)

Superconducting · Wukong-180, Zuchongzhi 3.0 · CRQC verdict: not yet

China’s USTC processors and the commercial maker Origin Quantum keep the country at the quantum-advantage frontier, and any national programme could pursue code-breaking as a strategic goal. Current Chinese machines, like their Western peers, run far too few logical qubits for the task. No public evidence places China near a CRQC.

originqc.com.cn →

What the assessments show

The pattern across every platform is identical, with strong progress on physical qubits and early logical-qubit demonstrations but nothing within several generations of code-breaking. Trapped-ion makers lead on quality while neutral-atom and superconducting makers lead on raw count, and photonics bets on jumping straight to scale. The race to a CRQC is therefore a race to thousands of stable logical qubits, not to headline physical-qubit records.

Expert timelines and the Mosca survey

Because no machine is close, timelines come from expert judgement rather than measurement, and the most cited source is the annual survey of researchers run through the Global Risk Institute by the cryptographer Michele Mosca. Those surveys consistently show most experts assigning a meaningful probability to a CRQC within a decade, with the heaviest weight falling between 2030 and 2035. A minority sees it sooner and a minority sees it much later or never.

The spread matters as much as the central estimate, since security planning has to account for the earlier, less likely scenarios rather than the comfortable median. Mosca frames the risk through a simple inequality, comparing how long your data must stay secret and how long migration takes against the time until a CRQC exists. When the first two added together exceed the third, you are already exposed, which is why many organisations treat the threat as present rather than future.

Harvest now, decrypt later

The most immediate danger from a future CRQC is not a sudden break but a slow one that has arguably already begun, known as harvest now, decrypt later. Adversaries can capture and store encrypted traffic and files today, holding them until a CRQC can decrypt the public-key material that protected them. Anything with a long secrecy requirement, from state secrets and health records to intellectual property, is therefore at risk now.

This is what turns a distant hardware milestone into a current security problem for governments and enterprises. The data being stolen in 2026 does not need a quantum computer to be useful in 2035, only patience. That logic is the strongest argument for migrating to quantum-safe cryptography well before any CRQC appears.

How to prepare with post-quantum cryptography

The practical defence is post-quantum cryptography, a set of new algorithms designed to resist both classical and quantum attack, which the United States standardised in 2024. The National Institute of Standards and Technology published the first standards as FIPS 203 for key exchange, FIPS 204 and FIPS 205 for digital signatures, giving organisations approved replacements for vulnerable algorithms. Migration involves finding where public-key cryptography is used, prioritising long-lived secrets and upgrading systems to the new standards.

Most large organisations are now building a cryptographic inventory and a phased migration plan rather than waiting for a CRQC to arrive. Our guide to the top post-quantum cryptography companies covers the vendors helping with that transition, and our explainer on what quantum supremacy means sets the milestones in context. The official national strategy that tracks the cryptographically relevant quantum computer threat coordinates the United States response.

When the CRQC threat matters for you

Long-lived secrets and regulated data

If your organisation holds data that must stay confidential for years or decades, the CRQC threat is a present concern rather than a future one. Government, defence, finance and healthcare all handle secrets whose shelf life exceeds the most pessimistic CRQC timelines, which puts them squarely inside Mosca’s inequality. These sectors are leading the migration to post-quantum cryptography for exactly that reason.

Vendors, infrastructure and signatures

Anyone who ships software, runs infrastructure or relies on digital signatures should also be planning, because public-key cryptography is embedded everywhere from device firmware to certificate authorities. Replacing it is a multi-year engineering effort that cannot start the day a CRQC is announced. Beginning the inventory now is the only way to be ready in time.