Post-quantum security in 2026: what the qubit numbers actually mean

In 2019, researchers estimated that breaking RSA-2048 would require roughly 20 million physical qubits. That number became the standard benchmark for thinking about quantum risk. At the time, state-of-the-art processors had a few hundred qubits. The gap felt like a comfortable buffer.
That buffer is gone.
In May 2025, Craig Gidney, one of the original researchers behind the 2019 estimate, published a follow-up. His new analysis showed the same RSA-2048 attack could be done with under one million physical qubits, using identical hardware assumptions as the 2019 paper. The improvement came entirely from better algorithms and more efficient error correction, making the same attack roughly 20 times cheaper to run.
By early 2026, the numbers shifted again. Researchers from Google Quantum AI, the Ethereum Foundation, and Stanford published a whitepaper on elliptic curve cryptography, showing that breaking secp256k1 (the curve securing most of the blockchain ecosystem) could require under 500,000 physical qubits. Separately, Iceberg Quantum proposed a new architecture using quantum low-density parity-check codes, with early projections suggesting RSA-2048 could fall below 100,000 qubits under specific conditions.
Run those numbers in sequence: 20 million qubits in 2019, under one million in 2025, potentially under 100,000 in 2026. Each revision represents a 10 to 20 times reduction from the one before it, driven by algorithmic improvements rather than hardware breakthroughs.
None of this describes hardware that exists today. Google’s Willow chip has 105 qubits. IBM’s roadmap targets systems in the low thousands by the late 2020s. The gap to fault-tolerant systems capable of running these attacks is still large. But the scale of that gap has shrunk consistently, and the direction of every revision has been the same.
The question for security planners is no longer whether these estimates will keep improving. They will. The question is what that means for decisions being made today.
The threat that does not wait for the hardware
Timing the arrival of fault-tolerant quantum computers matters less than most organizations assume, because adversaries can create the problem before the hardware exists.
“Harvest now, decrypt later” describes a strategy that nation-states with advanced programs almost certainly already use: collect encrypted traffic today, store it, and decrypt it once the hardware matures. No quantum computer is needed to execute the harvesting phase. The data being captured now is simply held until the capability to read it arrives.
For most organizations, this sounds abstract until you consider what ten years of encrypted communications actually contains: acquisition plans, source code, customer records, financial projections, IP filings, legal strategy. For healthcare providers and research institutions, the horizon is longer. Patient records, clinical trial data, and attorney-client communications carry confidentiality requirements that extend decades.
If that data needs to remain confidential into the 2030s, the harvest window is already open.
Why migration takes longer than most teams expect
Cryptographic transitions are infrastructure projects, and they tend to surface complexity that organizations did not know they had.
Finding where encryption is actually deployed across a large environment typically takes months. Most organizations lack a complete inventory of where TLS certificates, VPNs, hardware security modules, firmware, code signing systems, and third-party dependencies use cryptographic algorithms. Each of those needs to be located, assessed, and eventually replaced or updated.
Implementation and validation add years on top of the discovery phase. The talent pool for practitioners with hands-on post-quantum experience is already constrained and will tighten as regulatory deadlines approach.
NIST published FIPS 203, 204, and 205 in August 2024, establishing ML-KEM, ML-DSA, and SLH-DSA as the new federal standards. NIST IR 8547 outlines a sunset schedule where RSA and ECC are deprecated by 2030 and fully removed from standards by 2035. NSA’s CNSA 2.0 mandates post-quantum for new national security systems starting 2027.
These are compliance timelines with contractual and regulatory consequences for government contractors, financial institutions, and critical infrastructure operators. Organizations that start now have time for phased, methodical work. Those that delay will eventually face the same migration under tighter external pressure with fewer available resources.
What actually works in practice
The realistic path for most organizations is hybrid deployment: running post-quantum algorithms alongside existing cryptographic infrastructure rather than replacing everything at once.
Building on NIST FIPS 203/204/205 with OpenSSL 3.5 supports this approach. The cryptographic layer can be updated without rewriting the applications that sit on top of it. This is how we approach post-quantum infrastructure at Boosty Labs when working with clients: start with the cryptographic layer, deploy alongside existing systems, no full application rewrite required. Organizations can migrate the highest-risk systems first, based on data sensitivity and longevity requirements, while the rest follows in sequence.
The order matters more than the pace. Cryptographic inventory first. Prioritization by data sensitivity and longevity. Phased implementation in the areas where the risk-to-effort ratio is highest, while tooling and expertise are still accessible.
The window is defined now
The case for starting in 2026 comes down to timeline math. The migration itself takes years, regulatory deadlines are set, and the pool of practitioners who can run this work is already constrained. All three of those things get worse with delay, not better.
For most organizations, the decision about whether to migrate has already been made by the regulatory calendar. What they still control is how much time they give themselves to do it properly. Organizations that begin now can run phased rollouts, build internal expertise, and absorb the problems that complex infrastructure migrations always produce. Those that wait will find fewer good options on the other side.
The qubit estimates will keep dropping. The regulatory dates will not move. Cryptographic systems embedded in infrastructure today will need to be replaced. The difference between starting in 2026 and starting in 2028 is how much of that work happens under control versus under pressure.