English
In 2026, the timeline for quantum computers to break RSA-2048 and elliptic curve encryption has collapsed from millions of qubits to under 100,000, triggering the 'harvest now, decrypt later' threat at an industrial scale. With the NSA mandating quantum-safe systems by January 2027 and federal agencies racing to inventory vulnerable cryptographic assets, this year has become the critical window for post-quantum migration. The strategic implications ripple across finance, national security, global supply chains, and every sector relying on long-term data confidentiality.
Q-Day Timeline Collapses
Three landmark research papers published between May 2025 and March 2026 have fundamentally rewritten the quantum threat timeline. In 2019, consensus held that breaking RSA-2048 would require 20 million physical qubits. Craig Gidney of Google showed in 2025 that under 1 million qubits could suffice through algorithmic improvements. Then in February 2026, Iceberg Quantum's Pinnacle Architecture — using quantum Low-Density Parity-Check (QLDPC) codes — pushed estimates below 100,000 physical qubits for RSA-2048 factoring. Most dramatically, Google's March 2026 paper demonstrated that elliptic curve cryptography (secp256k1), which protects Bitcoin and Ethereum, could be broken with fewer than 500,000 physical qubits in minutes — potentially within Bitcoin's 10-minute block time.
These breakthroughs mean that a fault-tolerant quantum computer with only 100,000–500,000 physical qubits could break modern public-key encryption. Google's current Willow chip has 105 qubits, but hardware partners including PsiQuantum, Diraq, and IonQ project systems of this scale within 3–5 years (2029–2031). The quantum computing arms race is accelerating faster than most organizations realize.
The 'Harvest Now, Decrypt Later' Threat
The most pressing concern is not a quantum computer existing today, but the 'Harvest Now, Decrypt Later' (HNDL) strategy. Intelligence agencies — including those of China, Russia, and likely the NSA — are already intercepting and storing encrypted internet traffic, diplomatic cables, military communications, medical records, financial data, and corporate R&D. Storage is cheap; the NSA's Utah Data Center was designed to store yottabytes of data. Once quantum computers mature, this harvested data will be decrypted retroactively.
"Any data encrypted with RSA or ECC that has long-term sensitivity is already at risk of future decryption," warns a recent enterprise guide from Gray Group International. The harvest now decrypt later strategy makes 2026 the year of reckoning for data confidentiality.
Regulatory Deadlines: The 2027 NSA Mandate
The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) mandate requires that by January 1, 2027, all new acquisitions for National Security Systems (NSS) must support post-quantum cryptography. This procurement gate is roughly nine months away, making it a binding compliance requirement rather than a future concern. CNSA 2.0 replaces RSA, ECDH, and ECDSA with quantum-resistant algorithms: ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for digital signatures, and LMS/XMSS (SP 800-208) for firmware signing.
A critical bottleneck is FIPS 140-3 validation, with CMVP queues averaging over 500 days, potentially delaying vendor compliance. Full NSS quantum resistance is targeted by 2035 under NSM-10. The FBI, NIST, and CISA have jointly declared 2026 the 'Year of Quantum Security,' urging immediate action.
Financial Sector at Risk
The financial industry faces trillions in exposure. Citi Institute's report, 'The Trillion-Dollar Security Race Is On,' estimates that the race to develop quantum-safe solutions represents both a trillion-dollar challenge and opportunity. The post-quantum cryptography standards from NIST (finalized August 2024) provide a foundation, but fewer than 5% of companies have started the transition.
Cryptocurrency is particularly vulnerable. Google's March 2026 paper classified three attack types on Bitcoin: on-spend (exploiting transactions in mempool within Bitcoin's 10-minute block window), at-rest (targeting exposed public keys on the blockchain), and on-setup attacks. Ethereum plans full post-quantum migration by 2029, while Bitcoin's first step came with BIP-360 in February 2026. Google withheld the attack circuits, using a zero-knowledge proof to verify their claims — a first for quantum cryptanalysis disclosure.
Supply Chain and Enterprise Implications
Apexanalytix's February 2026 report warns that procurement decisions made today will determine exposure to future quantum-enabled threats. Supplier data — invoices, contracts, payment information — exchanged today cannot be secured retroactively. The report offers a practical roadmap: conduct cryptographic inventories, update third-party security requirements, improve supplier data governance, and define high-impact risk use cases.
Enterprise PQC migration costs are estimated at $7–12 million per organization, with the U.S. government estimating $7.1 billion to migrate civilian systems by 2035. Delaying migration significantly increases cost and complexity as demand for specialized resources grows. Industry leaders like Google and Cloudflare target completion around 2029.
Expert Perspectives
"2026 marks a turning point in quantum security. Resource estimates for breaking encryption have dropped dramatically — from an estimated 20 million qubits needed for RSA-2048 factoring in 2019 to potentially under 100,000 qubits by 2026," notes The Quantum Insider. Akhilesh Agarwal, President at apexanalytix, emphasized that supplier data exchanged today cannot be secured retroactively, urging leaders to plan for post-quantum security now.
The quantum-safe migration roadmap is clear but urgent. Mosca's theorem — comparing time to transition (X), data security lifetime (Y), and quantum computer arrival (Z) — shows that for many organizations, X + Y > Z, making migration urgent.
FAQ
What is the 'harvest now, decrypt later' threat?
It is a strategy where adversaries collect encrypted data today with the intent to decrypt it in the future once quantum computers become powerful enough to break current encryption. This makes long-term sensitive data already at risk.
When will quantum computers break RSA-2048?
Current estimates suggest a fault-tolerant quantum computer with 100,000–500,000 physical qubits could break RSA-2048. Hardware partners project such systems within 3–5 years (2029–2031), though some experts believe Q-Day could arrive by 2030.
What is the NSA's 2027 deadline?
Starting January 1, 2027, all new National Security System acquisitions must support post-quantum cryptography under CNSA 2.0. This is a binding procurement gate that vendors must clear to win government business.
How much does post-quantum migration cost?
Enterprise migration costs range from $7–12 million per organization. The U.S. government estimates $7.1 billion to migrate civilian systems by 2035, excluding national security systems.
What should organizations do now?
Conduct a cryptographic inventory, identify high-risk data with long-term sensitivity, begin hybrid deployments of classical and post-quantum algorithms, and engage with NIST PQC standards. The cryptographic agility strategy is essential for a smooth transition.
Conclusion
2026 is the year quantum security moves from theoretical concern to operational imperative. With NSA deadlines approaching, the HNDL threat already active, and quantum resource estimates collapsing, organizations that delay migration risk total cryptographic exposure. The window for action is narrow — but the cost of inaction is incalculable.
Follow Discussion