Why the Quantum Computing Timeline Is the Most Important Number in Cryptography
In 2022, the consensus estimate among quantum computing researchers was that breaking Bitcoin's elliptic-curve cryptography would require roughly 20 million physical qubits. By 2026, the leading estimates using next-generation error correction architecture have compressed that requirement to fewer than 100,000 physical qubits. That is a 200-fold reduction in seven years, and it is the single most consequential number in cryptographic security planning today.
This guide explains how that compression happened, where the timeline stands as of mid-2026, what the major hardware programs and standards bodies are projecting, and what it means for every system built on classical public-key cryptography, including Bitcoin, Ethereum, and the broader blockchain ecosystem. The goal is not to predict the exact date a cryptographically relevant quantum computer arrives. The goal is to give you the framework to make accurate decisions before that date, rather than after.
The Foundation: Logical Qubits Versus Physical Qubits
Any serious discussion of the quantum computing timeline requires understanding the distinction between logical and physical qubits, because the entire 200x compression story is really a story about this gap closing faster than expected.
A logical qubit is the idealized unit of quantum computation that algorithms are written for. When researchers say that Shor's algorithm requires approximately 4,000 logical qubits to break Bitcoin's secp256k1 elliptic curve, they mean 4,000 perfectly reliable, error-free quantum bits that can execute gate operations without accumulating noise. Logical qubits do not physically exist in today's hardware. They are abstractions built from many physical qubits working in concert.
A physical qubit is the actual hardware unit, whether a superconducting loop in an IBM or Google chip, a trapped ion in a Quantinuum system, or a neutral atom in an optical tweezer array. Physical qubits are inherently noisy. Thermal fluctuations, electromagnetic interference, and imperfect gate operations introduce errors into every computation. The error rate for leading physical qubits in 2026 sits in the range of 0.1 percent to 1 percent per gate operation. For the thousands of sequential operations required to run Shor's algorithm at meaningful key sizes, that error rate accumulates to the point where the computation produces noise rather than results.
The solution is quantum error correction: encoding the information of one logical qubit redundantly across many physical qubits, such that errors in individual physical qubits can be detected and corrected without disturbing the underlying computation. The ratio of physical qubits required to produce one reliable logical qubit is the error correction overhead, and it is the number that has fallen most dramatically in recent years.
Surface Codes and the Webber 2022 Estimate
For most of the 2010s and into the early 2020s, the dominant approach to quantum error correction was the surface code. Surface codes arrange physical qubits in a two-dimensional grid and use neighboring qubits to measure and correct errors through a process of repeated stabilizer measurements. The error suppression improves as the grid grows larger, but the overhead scales steeply: achieving a logical error rate low enough for a long computation requires hundreds to thousands of physical qubits per logical qubit, depending on the quality of the underlying hardware.
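As an added example (not from the article or from the Webber paper), the sketch below applies a commonly used surface-code scaling heuristic to the 0.1 to 1 percent error range quoted above. It shows how the code distance and the physical-to-logical ratio grow as hardware error rates approach the threshold. The prefactor, threshold, round count and failure budget are assumptions; only the 4,000 logical qubit figure comes from the article.

```python
# Assumed constants for the common surface-code scaling heuristic
#   p_L(d) ~= A * (p / p_th) ** ((d + 1) / 2)
# They are illustrative, not figures from the article or from Webber 2022.
A = 0.1             # assumed prefactor
P_TH = 0.01         # assumed threshold error rate (1 percent)
MAX_DISTANCE = 201  # search cap so the loop always terminates


def logical_error_rate(p_phys, d):
    """Heuristic logical error rate per round for code distance d."""
    return A * (p_phys / P_TH) ** ((d + 1) / 2)


def required_distance(p_phys, target):
    """Smallest odd distance with logical error <= target, or None.

    At or above threshold a larger grid does not suppress errors, so no
    distance works; that is the regime error correction cannot rescue.
    """
    if p_phys >= P_TH:
        return None
    for d in range(3, MAX_DISTANCE + 1, 2):
        if logical_error_rate(p_phys, d) <= target:
            return d
    return None


def physical_per_logical(d):
    """Rotated surface-code patch: d*d data qubits plus d*d - 1 measure qubits."""
    return 2 * d * d - 1


def estimate(p_phys, logical_qubits, rounds, failure_budget=0.1):
    """Memory-only overhead estimate (no magic-state factories or routing)."""
    # Spread the allowed failure probability over every qubit and round.
    target = failure_budget / (logical_qubits * rounds)
    d = required_distance(p_phys, target)
    if d is None:
        return None
    ratio = physical_per_logical(d)
    return {"distance": d, "ratio": ratio, "total": ratio * logical_qubits}


if __name__ == "__main__":
    # 4,000 logical qubits is the article's figure; 1e9 rounds is assumed.
    for p in (0.001, 0.005, 0.01):
        print(p, estimate(p, logical_qubits=4000, rounds=10**9))
```

Under these assumptions the ratio rises from about 1,250 physical qubits per logical qubit at a 0.1 percent error rate to nearly 14,000 at 0.5 percent, and no grid size suffices at 1 percent.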
The landmark Webber 2022 paper, published by researchers at the University of Sussex, applied this surface code framework to a careful resource estimate for breaking Bitcoin. Their analysis concluded that attacking Bitcoin's ECDSA signatures within a one-hour window, the approximate time it would take a miner to include a competing transaction in a block, would require approximately 317 logical qubits running Shor's algorithm. Translating those 317 logical qubits through realistic surface code overhead produced the headline figure: roughly 13 million physical qubits.
The Webber estimate was significant because it was rigorous, peer-reviewed, and explicitly accounted for hardware error rates rather than assuming ideal conditions. Its message to the security community was that the gap between existing hardware and dangerous hardware was very large, and the timeline was safely distant. At the time, that assessment was accurate. The problem is that it was anchored to surface code assumptions that have since been superseded.
QLDPC Codes: The Technical Breakthrough That Compressed the Timeline
The 200x compression from 20 million to under 100,000 physical qubits is primarily the consequence of a single theoretical advance: quantum low-density parity-check (QLDPC) codes. Understanding why QLDPC codes matter requires understanding what makes surface codes inefficient.
Surface codes use local parity checks: each stabilizer measurement involves only neighboring qubits in the grid. This locality is architecturally convenient, because it only requires connections between adjacent qubits. But it is also wasteful, because local checks provide relatively little information per measurement. To achieve high error suppression, you need a very large grid, and the physical-to-logical qubit ratio stays high.
QLDPC codes use sparse but non-local parity checks, where each check involves a small number of qubits that may be spread across the array rather than sitting next to each other. The mathematics of low-density parity-check codes, adapted from classical information theory, allows each check to carry much more information about the error state of the system. The result is dramatically better encoding efficiency: fewer physical qubits are needed to protect each logical qubit at the same error suppression level.
Theoretical analyses incorporating QLDPC codes, published through 2025 and 2026, reduce the physical qubit estimate for breaking Bitcoin's cryptography to below 100,000 qubits. Some analyses targeting specific hardware architectures, particularly neutral-atom systems where the non-local connectivity required by QLDPC codes is more naturally available, suggest the number could fall as low as 20,000 to 26,000 under favorable conditions, though with computation times measured in days rather than hours. The full timeline compression analysis and detailed qubit estimates for Bitcoin cover the underlying methodology in depth.
The critical point is that QLDPC codes are not speculative. IBM, Google, and multiple academic groups have published concrete implementation results. The theoretical gap between what QLDPC codes promise and what hardware can deliver is narrowing. The 200x compression is not a projection. It is a description of where research already stands.
Google Willow: The Hardware Milestone That Changed the Framing
In December 2024, Google announced results from its Willow quantum processor that crossed a threshold researchers had been targeting for years: below-threshold error correction. The Willow chip demonstrated that adding more physical qubits to the array reduced the logical error rate rather than increasing it, the behavior that error correction theory predicts but that had never been cleanly demonstrated at scale.
This is the inflection point for the entire hardware argument. Prior to Willow, it was technically possible to argue that quantum error correction might not scale as predicted, that the noise characteristics of real hardware might defeat the theoretical error correction models. Willow closed that argument. Error correction at scale is not a physics problem. It is an engineering problem. The question is now how long it takes to build machines large enough to matter for cryptography, not whether such machines are possible.
Willow's 105-qubit chip is nowhere near the qubit counts required for cryptographic attacks. The detailed analysis of Willow's implications for Bitcoin makes clear that no present system threatens production cryptography. But Willow's significance is as a demonstration of principle: the scaling trajectory assumed by every qubit estimate is physically real, and the hardware industry is following it.
IBM Roadmap and the 2029 Fault-Tolerance Target
IBM's quantum roadmap is the most detailed public commitment in the hardware industry. IBM has published specific qubit count targets and capability milestones on an annual cadence since 2020, and its track record of delivering on those milestones is one of the most reliable data points in the field.
IBM's current roadmap targets fault-tolerant quantum computing by 2029. Fault tolerance means the system can run arbitrarily long computations with arbitrarily low error rates by continuously correcting errors as they occur, the prerequisite for algorithms like Shor's that require millions of gate operations. IBM's path to fault tolerance runs through progressively higher-quality physical qubits, improved error correction code implementations, and the modular architecture needed to connect multiple chips into systems with thousands of logical qubits.
IBM unveiled a 120-qubit chip in late 2025 as part of this roadmap. Each generation has improved gate fidelity alongside qubit count, recognizing that raw qubit numbers without quality improvements produce diminishing returns for error-corrected computation. The 2029 target is not a vague aspiration. It is a commitment backed by IBM's track record and by the specific engineering milestones published in its roadmap documentation.
Google's Internal 2029 Deadline
Google's quantum ambitions are not limited to published research. Multiple reports indicate that Google has set an internal deadline of 2029 for demonstrating a fault-tolerant quantum computer capable of running commercially relevant algorithms. This aligns closely with IBM's public roadmap, and the convergence of two independent major programs on the same target date is among the strongest signals that the late-2020s window is the credible planning horizon for fault-tolerant hardware.
Google's commitment extends to its broader infrastructure. The company has announced that 2029 is its target for completing post-quantum migration across its own systems, recognizing that the harvest now, decrypt later threat makes waiting until Q-Day irrational for any organization handling long-lived sensitive data. A technology company setting a 2029 internal deadline for both building fault-tolerant quantum hardware and migrating its own systems to post-quantum cryptography is making a very specific statement about where it believes the risk window opens.
The Coinbase 2026 quantum report analyzed these hardware trajectories alongside the revised qubit estimates and concluded that the 2030 to 2034 window represents a credible first-capability range for cryptographically relevant quantum attacks on Bitcoin-scale targets, with the uncertainty interval extending earlier if QLDPC code engineering matures faster than expected.
NSA and NIST: How the Standards Bodies Responded
The regulatory response to the compressed timeline has moved faster than most observers expected five years ago. The US government's two primary actors in this space, the National Security Agency and the National Institute of Standards and Technology, have both moved from research mode to mandate mode.
NIST published its first three finalized post-quantum cryptographic standards in August 2024: ML-KEM (key encapsulation, FIPS 203), ML-DSA (digital signatures, FIPS 204), and SLH-DSA (hash-based signatures, FIPS 205). These are not draft proposals. They are published Federal Information Processing Standards, which means US federal agencies and federally regulated industries are obligated to begin migration planning against them. A fourth algorithm, FN-DSA, based on the FALCON lattice scheme, completed standardization in early 2025. NIST also selected HQC, a code-based key encapsulation mechanism, as a backup KEM standard in March 2025.
The NSA's Commercial National Security Algorithm Suite 2.0 sets a concrete mandate: all new national security systems must use quantum-safe algorithms from January 2027. This is not a recommendation for particularly sensitive systems. It is the baseline requirement for any new system touching national security infrastructure. Every technology vendor with government contracts is now building to this requirement.
NIST's broader guidance for the commercial sector recommends phasing out quantum-vulnerable algorithms (RSA, ECDSA, Diffie-Hellman) after 2030, and disallowing them entirely after 2035. A system designed in 2026 with a planned operational lifespan past 2030 should already incorporate post-quantum algorithms, not as an upgrade path but as a design requirement.
To understand these algorithms in depth, the post-quantum cryptography primer covers the mathematical foundations of lattice-based, hash-based, and code-based schemes. For blockchain-specific migration challenges, the blockchain quantum migration problem explains why retrofitting post-quantum cryptography onto existing chains is far harder than it appears.
Why the Timeline Compression Changes the Harvest Now, Decrypt Later Calculus
The harvest now, decrypt later threat model posits that adversaries are already collecting encrypted data and blockchain transaction records against the day when quantum hardware matures enough to decrypt them. When the expected Q-Day was twenty-five years away, the practical relevance of most harvested data was limited by the data's shelf life. Financial records, communications, and even blockchain wallet credentials lose relevance if the adversary cannot act on them for a quarter century.
As the credible Q-Day window moves to the early-to-mid 2030s, the calculus changes for a much larger category of data. Bitcoin wallet credentials that are publicly exposed on-chain today will still be valid in 2032. Long-term contracts, healthcare records, intellectual property, and governmental communications all have value horizons that extend well into the 2030s. The compression from a 2040s threat to a 2030s threat means that data being generated and encrypted today is already within the harvest window for a patient adversary.
This is the mechanism through which the timeline compression creates present-day risk, not just future risk. For a full treatment of the mechanics, see the harvest now, decrypt later guide. For an assessment of which specific cryptocurrencies face the most acute exposure, the cryptocurrency vulnerability analysis ranks the major chains by their exposed-key surface area and migration readiness.
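The calculus above is often written as Mosca's inequality: if the value horizon of the data (X) plus the time needed to migrate (Y) exceeds the time until a capable machine exists (Z), the data is already exposed. The following added example (not part of the original article) triages a constructed inventory against the 2030 to 2034 window and the NIST 2030 and 2035 dates quoted in this guide; the asset names, field names and sample values are assumptions.

```python
from dataclasses import dataclass

# Dates as given in the article; adjust if the guidance changes.
QDAY_EARLIEST, QDAY_LATEST = 2030, 2034          # first-capability window
NIST_DEPRECATE_AFTER, NIST_DISALLOW_AFTER = 2030, 2035
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "DH"}      # DH = Diffie-Hellman
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}   # FIPS 203 / 204 / 205


@dataclass
class Asset:
    name: str
    algorithm: str
    value_horizon_years: int   # X: how long the data or key stays worth attacking
    migration_years: int       # Y: time needed to move it to post-quantum crypto
    retire_year: int           # planned end of service


def assess(asset, now=2026):
    """Return (harvest_risk, lifecycle) for one inventory entry."""
    if asset.algorithm in POST_QUANTUM:
        return ("none", "ok")
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return ("unclassified", "unclassified")

    # Material captured just before migration completes must hold until this year.
    protected_until = now + asset.migration_years + asset.value_horizon_years
    if protected_until > QDAY_LATEST:
        harvest = "exposed"        # X + Y exceeds Z even for the late bound
    elif protected_until > QDAY_EARLIEST:
        harvest = "at-risk"        # X + Y exceeds Z only for the early bound
    else:
        harvest = "none"

    if asset.retire_year > NIST_DISALLOW_AFTER:
        lifecycle = "disallowed-in-service"
    elif asset.retire_year > NIST_DEPRECATE_AFTER:
        lifecycle = "deprecated-in-service"
    else:
        lifecycle = "ok"
    return (harvest, lifecycle)


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("vpn-session-keys", "DH", 2, 1, 2029),
    Asset("contract-signing", "ECDSA", 4, 2, 2032),
    Asset("patient-records-archive", "RSA", 10, 3, 2036),
    Asset("new-kms-wrapping", "ML-KEM", 10, 0, 2040),
]


def triage(inventory, now=2026):
    """Return (name, harvest_risk, lifecycle) rows, worst harvest risk first."""
    order = {"exposed": 0, "at-risk": 1, "unclassified": 2, "none": 3}
    rows = [(a.name, *assess(a, now)) for a in inventory]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```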
What the Timeline Means for Blockchain Architecture in 2026
For blockchain developers and infrastructure designers making decisions today, the quantum computing timeline creates a concrete architectural constraint: any system being designed for a ten-year-plus operational horizon should not be built on ECDSA or RSA as its primary cryptographic layer. The NIST guidance makes this explicit for general-purpose systems. For blockchain, the constraint is sharper, because the immutable nature of the on-chain record means that historical key exposure cannot be remediated after the fact.
Existing major blockchains face an especially difficult version of this problem. Bitcoin and Ethereum have been exposing public keys in spending transactions since genesis. The total value of Bitcoin in addresses with permanently exposed public keys is estimated at approximately 6.9 million BTC, a figure that represents a direct target for the first adversary to reach cryptographic capability. The governance and coordination challenges involved in migrating these networks to post-quantum cryptography are substantial, as detailed in the migration problem analysis.
New infrastructure built from scratch has no such legacy constraint. The appropriate architectural response to the quantum timeline, for systems being designed today, is not to choose a post-quantum signature algorithm and otherwise replicate the classical blockchain model. It is to rethink whether public keys need to appear on-chain at all.
QuanChain's TADEQS architecture addresses this at the structural level: spending transactions authorize through hash commitments rather than exposed public keys, so the attack surface that makes quantum threats acute for Bitcoin simply does not exist. The Quantum Oracle monitors hardware advancement in real time and adjusts the network's cryptographic parameters automatically as the threat landscape evolves, rather than requiring a governance vote when the window is already closing. The Cryptographic Continuity and Rotation Protocol ensures that key rotation and algorithm upgrades can be executed without disrupting the network or requiring user action.
To assess your personal or organizational exposure given current hardware trajectories, the Quantum Threat Calculator models how declining qubit costs and improving error correction rates translate into a personalized risk timeline. For a broader picture of what Q-Day itself would look like in practice, the Q-Day scenario analysis covers the first hours and days after the capability threshold is crossed.
The quantum computing timeline has not closed. No machine today threatens production cryptography. But the 200x compression from the Webber 2022 surface-code baseline to the current QLDPC estimates is not a fluke of one research paper. It reflects a consistent trajectory across multiple independent research groups, hardware platforms, and algorithmic approaches. The appropriate response to that trajectory is accurate calibration, not panic and not dismissal. The planning window is still open. The question is whether the systems being built today are designed to survive when it closes.
Frequently Asked Questions
What was the Webber 2022 estimate and why does it matter?
The Webber 2022 paper, published by researchers at the University of Sussex, was the most rigorous publicly available resource estimate for attacking Bitcoin-scale elliptic-curve cryptography using quantum hardware. It calculated that breaking Bitcoin's ECDSA signatures within a one-hour window would require approximately 13 million physical qubits, using surface code error correction at realistic hardware error rates. This estimate set the benchmark that subsequent research has progressively revised downward. Its significance is that it was the first widely cited, peer-reviewed figure that took error correction overhead seriously rather than counting only logical qubits.
What are QLDPC codes and how do they compress the timeline?
Quantum low-density parity-check (QLDPC) codes are a class of quantum error correction schemes adapted from classical information theory. Unlike surface codes, which use local parity checks between neighboring qubits and require large physical-to-logical qubit ratios to achieve low error rates, QLDPC codes use sparse non-local checks that encode logical qubits much more efficiently. The practical effect is that fewer physical qubits are needed per logical qubit at the same level of error suppression. Applying QLDPC code analysis to Shor's algorithm resource estimates reduces the physical qubit requirement for breaking Bitcoin's cryptography from the approximately 13 million figure of the Webber surface-code estimate to below 100,000 in the most recent analyses, a compression of roughly 130x to 200x depending on the specific assumptions used.
What did Google Willow demonstrate and what does it mean for the timeline?
Google's Willow processor, announced in December 2024, demonstrated below-threshold error correction: as the chip's qubit array was scaled up, the logical error rate fell rather than rising. This is the behavior that quantum error correction theory predicts and that is required for scaling toward fault-tolerant computation, but it had not previously been cleanly demonstrated at meaningful scale. Willow's 105 physical qubits are far too few to threaten cryptography. Its importance is as a proof of principle: the scaling trajectory assumed by every qubit estimate is physically real, error correction works as the models predict, and the remaining challenge is engineering rather than physics.
What are the NSA and NIST deadlines for post-quantum migration?
NIST published its first finalized post-quantum cryptographic standards in August 2024: ML-KEM, ML-DSA, and SLH-DSA. The NSA's CNSA 2.0 framework requires all new national security systems to use quantum-safe algorithms from January 2027. NIST's broader guidance for commercial systems recommends phasing out classical public-key algorithms after 2030 and disallowing them entirely after 2035. For organizations designing systems in 2026 with planned operational lifespans past 2030, these deadlines mean post-quantum cryptography should be a design requirement, not a future upgrade path.
What is the difference between logical and physical qubits in the context of cryptographic attacks?
Logical qubits are the error-free, idealized units that quantum algorithms like Shor's are written for. Physical qubits are the actual hardware units that exist in quantum computers today, which make errors at rates of 0.1 percent to 1 percent per gate operation. Because physical qubits are noisy, many of them must be combined through error correction protocols to simulate one reliable logical qubit. The ratio of physical to logical qubits is the error correction overhead, and it depends on the error correction code used and the error rate of the underlying hardware. Surface codes require hundreds to thousands of physical qubits per logical qubit. QLDPC codes, using more efficient encoding, can achieve the same protection with far fewer physical qubits, which is why the shift from surface-code to QLDPC-based estimates produces the 200x compression in the headline qubit requirement for breaking Bitcoin.
What is the 2029 Google deadline and what does it represent?
Google has set an internal deadline of 2029 for completing post-quantum migration across its own infrastructure, citing the harvest now, decrypt later threat as the motivation. Google has also publicly stated 2029 as its target for demonstrating fault-tolerant quantum computing capability. The convergence of these two timelines, one for building dangerous quantum hardware and one for protecting against it, reflects the company's internal assessment that the 2030 to 2035 window is when cryptographically relevant capability becomes realistic. IBM's published roadmap targets fault tolerance by the same year, and the alignment of two independent major hardware programs on the late-2020s target date is among the strongest external signals of where the industry believes the inflection point lies.




