In May 2025, a Google researcher named Craig Gidney published a paper that made security professionals across the world recalculate their timelines. Breaking RSA-2048 encryption—the mathematical lock protecting everything from bank transfers to state secrets—would now require just one million quantum bits instead of twenty million. The goal posts had moved twenty times closer overnight.

The Factoring Problem That Protects the Internet

Every time you buy something online or log into your bank account, you're trusting a mathematical trick that's held up for decades: multiplying two massive prime numbers is easy, but working backward from the product to find those original primes is effectively impossible. A classical computer trying to factor a 2048-bit number would need longer than the age of the universe.

RSA encryption banks on this asymmetry. Your credit card details get scrambled using a public key—that giant product of two secret primes. Only someone holding those original prime numbers can unscramble the message. For forty years, this has been enough.

Then Peter Shor came along in 1994 with an algorithm that could factor these numbers exponentially faster than any classical approach, provided you had a quantum computer powerful enough to run it. Suddenly, the theoretical possibility of quantum computing became a multi-billion-dollar race with national security implications.

Why 2025 Changed Everything

Gidney's breakthrough wasn't about making quantum computers faster. He found a way to make them smaller while still breaking encryption. The key innovation involves approximate arithmetic—computing in small pieces using much smaller quantum registers rather than handling the entire calculation at once. Think of it as solving a jigsaw puzzle by working on manageable sections instead of trying to hold every piece simultaneously.

The trade-off is time. Where earlier approaches promised to crack RSA-2048 in eight hours, this method takes nearly a week. But that's irrelevant when the alternative requires hardware that doesn't exist and won't for decades. One million qubits is still far beyond current capabilities—Google's Willow processor, announced the same year, has just 105 qubits—but it's within the realm of engineering rather than science fiction.

The Global Risk Institute surveys quantum experts annually about when a "cryptographically relevant quantum computer" might emerge. In their 2025 report, the ten-year probability jumped from 34% to 49%—a fifteen-point leap in twelve months. Nearly half the experts now consider it extremely likely within twenty years, assigning probabilities above 99%.

These aren't wild-eyed futurists. They're the researchers building these machines, and they're moving their estimates up, not back.

The Hardware Is Catching Up

Google's Willow processor demonstrated something that had eluded quantum engineers for years: a logical qubit that lives longer than the physical qubits composing it. When you scale up error correction from distance-5 to distance-7 surface codes, the error rate drops rather than compounds. The system crossed what researchers call "below threshold"—errors decrease faster than they accumulate.

This matters because Shor's algorithm requires not just qubits, but stable qubits that can maintain their quantum states through millions of operations. Every physical qubit is fragile, decohering within microseconds. But bundle them into error-corrected logical qubits, and suddenly you can run algorithms that take days.

Neutral atom platforms have made what one expert called "truly spectacular" progress, though they face different constraints around clock speed. Ion traps continue advancing. Multiple technological approaches are converging on the same capability threshold from different directions.

The question isn't whether someone will build a million-qubit machine. It's when, and whether they'll announce it publicly when they do.

What Breaks and When

RSA-2048 gets the attention because it's the standard benchmark, but it's not alone. Elliptic Curve Cryptography, which offers equivalent security with smaller keys, falls to quantum attacks just as readily. Between them, these two systems protect virtually all encrypted internet traffic, financial transactions, software updates, and classified communications.

The timeline matters less than you might think because of what security researchers call "harvest now, decrypt later" attacks. Adversaries can record encrypted traffic today and store it until quantum computers become available. If your encrypted email contains information that will still be sensitive in fifteen years—medical records, trade secrets, evidence of affairs, state communications—it's already compromised.

This is why 69% of experts put the fifteen-year probability at 50% or higher. Even a coin flip is unacceptable when the stakes include the entire cryptographic infrastructure of modern civilization.

The Migration That Can't Wait

Governments aren't waiting for certainty. The U.S. National Institute of Standards and Technology has already standardized post-quantum cryptographic algorithms designed to resist both classical and quantum attacks. These rely on different mathematical problems—lattice structures, hash functions, multivariate polynomials—that don't have known quantum shortcuts.

But standardization is the easy part. Actually migrating billions of devices, updating protocols embedded in hardware, and ensuring backward compatibility across a global network takes years. Some experts estimate a complete transition could require a decade, which means organizations already face what's called the Mosca Inequality: if your data needs to stay secret longer than the time until quantum computers arrive minus the time required to migrate, you're already in danger.

The 2025 survey suggests many organizations have crossed that threshold. The margin for delay has closed.

The Covert Development Problem

Every estimate and timeline assumes we'll know when someone builds a cryptographically relevant quantum computer. That assumption may be optimistic. State-sponsored programs operate in classified environments with resources that dwarf academic research. China, the United States, and other nations have clear incentives to develop these capabilities quietly.

If a covert program succeeds first, the world might not discover it until someone starts using it—perhaps by decrypting communications thought secure, or by demonstrating knowledge they shouldn't possess. By then, the damage is done.

This possibility should haunt security planners more than the public timelines. The expert surveys capture what researchers are willing to say on the record about publicly known progress. They can't account for what they don't know, and exponential progress by definition defies linear prediction.

The window for transitioning to quantum-safe encryption is closing faster than the consensus estimate. The only question is whether it closes before we finish walking through it.