Cryptographically Relevant Quantum Computer (CRQC)
A Cryptographically Relevant Quantum Computer (CRQC) is a quantum computer large and stable enough to break the public-key cryptography that protects most of the world’s digital infrastructure. It’s a threshold, not a description of any machine that exists. The line is drawn where a quantum computer could actually run Shor’s algorithm against real-world key sizes, RSA-2048 or larger and 256-bit or larger elliptic curves, in a practical amount of time. No CRQC exists today, and the gap between current hardware and this threshold is large.
The short version:
- A CRQC is the machine that finishes the threat. Every quantum risk model is anchored to the question of when one might exist.
- The threshold is measured in logical qubits (error-corrected, trustworthy), not the raw physical qubits vendors announce. A CRQC needs thousands of logical qubits, which today means millions of high-quality physical ones.
- It doesn’t exist yet, and qubit-count press releases don’t mean it’s close. Progress toward a CRQC is a different thing from progress in quantum computing generally.
- The reason to act anyway: migration takes years, harvested data (HNDL) is exposed the moment a CRQC arrives, and there’s no patch for data already collected. You have to be finished before the machine shows up.
What actually counts as a CRQC?
A CRQC has enough logical qubit count, gate fidelity, error correction, and circuit depth to run Shor’s algorithm against at least one of these, within a practical timeframe:
- Factoring RSA-2048 or larger.
- Solving the elliptic-curve discrete logarithm at 256-bit curves or larger, which breaks ECDSA, ECDH, Ed25519, and Curve25519.
- Solving finite-field discrete logarithms at standard key sizes, which breaks DH and its ephemeral variants.
The whole definition turns on one distinction that the headlines routinely blur:
- Physical qubits are the actual hardware. They’re noisy and error-prone. Leading machines have reached thousands of them, but raw physical qubits can’t run fault-tolerant computation at cryptographic scale.
- Logical qubits are error-corrected qubits built out of many physical ones. Depending on the error-correction code and hardware quality, a single logical qubit can take hundreds to thousands of physical qubits to construct.
A CRQC needs thousands of logical qubits. Under realistic error-correction assumptions, that translates to millions of high-quality physical qubits. That ratio is the core reason no CRQC exists today.
How far away is it?
The threshold shifts with which algorithm is being attacked and how much error-correction overhead the hardware demands, so it’s a range rather than one fixed qubit number. The most-cited estimates:
| Target | Logical qubits (most-cited estimate) | Physical qubits after error correction |
|---|---|---|
| RSA-2048 | ~4,000 | millions |
| 256-bit elliptic curve (ECDSA, ECDH) | ~2,000–3,000 | millions |
Beyond raw qubit count, a CRQC also needs the circuit depth and the coherence times to run Shor’s to completion, both well beyond what current hardware sustains at scale.
As of 2026, leading processors have reached thousands of physical qubits, physical error rates remain too high to build cryptographic-scale logical qubits, and no published result has come close to the coherence, fidelity, and scale a CRQC needs. That gap doesn’t get closed by quantum-advantage demos on non-cryptographic problems, by qubit-count records on noisy machines, or by algorithmic tweaks that shave overhead within an order of magnitude of current capability.
The gap is now measured directly
The distance to a CRQC is increasingly quantified from real hardware. A 2026 study analyzed 680 order-finding distributions from IBM quantum systems, characterizing when classical post-processing can still recover the correct answer from a noise-distorted quantum result. It’s a hardware-reality floor beneath the timeline forecasts: current machines are far from threatening RSA-2048, and the size of that distance is now being measured directly rather than only projected.
Source: Yang & Markidis, arXiv:2605.16074 (2026).
Why does the CRQC drive the whole timeline?
The CRQC is the pivot of every honest quantum-risk conversation, because it’s what separates real migration urgency from noise. Quantum computers exist and keep advancing, but today’s machines run on small numbers of noisy qubits and can’t touch real key sizes. The CRQC threshold gives that a meaningful line: a machine that could actually derive a private key from a real RSA-2048 or ECDSA P-256 public key.
That single threshold sets the clock for the whole transition:
- In Mosca’s theorem, the time until a CRQC exists is the variable (Z) that decides whether the inequality is comfortable or already broken.
- For HNDL, the CRQC is the event horizon. Exposure is created now by harvesting, and the window of retroactive risk is set by when a CRQC is expected.
- For Non-HNDL and PKI collapse, the CRQC is the precondition. Real-time signature forgery and certificate forging become possible the moment it arrives.
- U.S. federal policy encodes it as a planning horizon: CNSA 2.0 and a 2035 federal-migration target treat CRQC emergence as the deadline to beat.
The honest answer to “how worried should I be?” follows directly: the gap is large, the timeline is uncertain, and migration lead times mean you start now regardless of where the timeline lands. Credible expert and government estimates for a CRQC span roughly 2030 to 2040 and beyond. The right response to that uncertainty is to shorten your own migration time, so you stay safe no matter where the arrival falls.
What replaces what a CRQC breaks?
The entire point of the migration is to make systems CRQC-resistant before a CRQC exists, because once one does, harvested data decrypts immediately, real-time trust attacks begin, and there’s no patch for past exposure. The standards that provide the resistance:
- ML-KEM for CRQC-resistant key establishment.
- ML-DSA for general-purpose CRQC-resistant signatures, with SLH-DSA as the conservative hash-based option and FN-DSA where signature size and speed are constrained.
- HQC as a code-based KEM alternative to ML-KEM.
Hybrid deployments give CRQC resistance through the post-quantum component while staying compatible with classical systems during the transition.
Common misconceptions
- “Quantum supremacy demonstrations mean a CRQC is near.” No. Those run at qubit counts and on problem types entirely unlike cryptographic attacks. They aren’t CRQC-progress evidence.
- “Quantum-resistant products are available now, so a CRQC must exist now.” No. Vendors are responding to the need to be ready before a CRQC emerges, which is exactly the right instinct.
- “A CRQC that breaks RSA also breaks AES-256.” No. Symmetric primitives face a different, much more manageable quantum threat via Grover’s algorithm, which only halves their strength. AES-256 and SHA-384 stay safe.
- “Near-term quantum-utility demos show we’re getting close.” No. Those rely on error mitigation, a statistical stopgap, not the error correction a CRQC requires, and their reported advantages can be statistically fragile. A CRQC is gated by fault-tolerant error correction at scale, which utility demos don’t address.
Everything here is the map, given freely. When your team needs a CRQC-anchored risk framing built for your own estate and timeline, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.