up:: Quantum Risk Models MOC

Quantum Threat Timeline

The Quantum Threat Timeline is the annual industry reference that estimates when a cryptographically relevant quantum computer is likely to exist. Published by the Global Risk Institute (GRI) with evolutionQ and lead-authored by Michele Mosca and Marco Piani, it aggregates expert-survey probability estimates for a quantum computer capable of breaking RSA-2048, across 5-, 10-, 15-, 20-, and 30-year horizons. It’s the most-cited evidence base for the Z variable in Mosca’s theorem, and the report decision-makers ask about by name.

The short version:

  • It’s an expert-survey estimate, not a government mandate and not a prediction. It polls cryptographers and quantum-hardware researchers and reports the distribution of their views.
  • Its numerical editions give a probability-by-horizon table for a CRQC that can break RSA-2048. That table is what feeds a defensible Z. The current one is the numerical Quantum Threat Timeline Report 2025 (published 9 March 2026, 26 experts): a CRQC is quite possible (28–49%) within 10 years and likely (51–70%) within 15.
  • A separate qualitative companion, Executive Perspectives on Barriers to Action (March 2025), studies why migration programs stall. It complements the numerical report rather than replacing it.
  • It pairs with policy timelines (the U.S. 2035 federal-migration target) to give both a technical-evidence anchor and a policy anchor for urgency.

What is the Quantum Threat Timeline, and who publishes it?

The report comes from the Global Risk Institute in Toronto, in partnership with evolutionQ, and is lead-authored by Michele Mosca (the same Mosca of the theorem, a co-founder of evolutionQ and a researcher at the Institute for Quantum Computing) and Marco Piani. It has run annually since 2019, and it carries no regulatory authority. It’s an expert-survey report and a non-normative reference, which is exactly why it’s trusted: its credibility comes from the panel and the methodology, not from any mandate.

How does it estimate the timeline?

Numerical editions (2019–2025)Executive Perspectives (March 2025)
FormatExpert probability surveyExecutive interview study
OutputProbability of a CRQC by 5 / 10 / 15 / 20 / 30-year horizonsOrganizational barriers to migration
RoleThe operative Z reference (current: the numerical 2025 edition)Qualitative companion on why programs stall

The numerical editions work by polling a panel of cryptographers, quantum-hardware researchers, and quantum-algorithm specialists. Each expert gives probability estimates for a CRQC capable of breaking RSA-2048 within 5, 10, 15, 20, and 30 years, and the responses are aggregated into median estimates plus a quartile distribution. The panel started at around 22 experts in the 2019 inaugural edition and has run in the mid-20s-to-40 range since, with 26 experts on the 2025 edition (published 9 March 2026), which puts a CRQC that breaks RSA-2048 at 28–49% within 10 years and 51–70% within 15. The output is a probability-by-horizon table, and that table is what turns “someday” into a defensible range you can cite.

Alongside the numerical 2025 report, GRI also published Executive Perspectives on Barriers to Action (March 2025), a qualitative interview study of executives, mostly from financial institutions plus regulatory, telecom, and information-security organizations. Its notable finding: every interviewee was aware of the quantum threat, a stated shift from prior years, most were familiar with the 2024 NIST standards, and clear regulatory directives were named as the single most consistent trigger for actually starting migration. That companion doesn’t replace the numerical estimates; the numerical Quantum Threat Timeline Report 2025 (published 9 March 2026) is the current operative Z reference.

How have the estimates drifted across editions?

The aggregate estimate has broadly climbed as the field matured, and reading the drift across editions is more informative than fixating on any single year’s number. The survey has run annually since the 2019 inaugural edition, so there are now several years of the same panel-style question, and the general movement of the expert aggregate for a CRQC within roughly a decade has been upward, with a modest dip around 2022 to 2023 that the authors have associated with a post-pandemic recalibration of expectations before the estimates resumed climbing.

Two editions anchor the recent trajectory with firm numbers. The 2024 edition (published December 2024, 32 experts) put the averaged likelihood of a CRQC capable of breaking RSA-2048 within 10 years at about 34%, or about 19% on the more pessimistic lower-bound reading of the likelihood bins. The current 2025 numerical edition (published 9 March 2026, 26 experts) raised the 10-year figure to a 28–49% range depending on interpretation, the highest 10-year estimate in the survey’s history to that point, and put the 15-year likelihood at 51–70%. The direction across just those two editions is the thing to notice: the aggregate rose while the panel and the question stayed comparable.

Source: Mosca, M. and Piani, M., Quantum Threat Timeline Report 2024 (December 2024, 32 experts; averaged CRQC-within-10-years likelihood ~34%, ~19% on the lower-bound interpretation), Global Risk Institute / evolutionQ, globalriskinstitute.org.

The precise 10- and 15-year percentages for the 2019 inaugural edition are worth confirming against the original report before they’re quoted as a fixed baseline, because the early editions phrased and binned the question differently than the current one, which makes a naive year-to-year percentage comparison misleading. [OPERATOR VERIFY] the exact 2019 inaugural 10-year and 15-year figures against the first-edition Global Risk Institute report if a specific starting percentage is needed; the safe claim without it is the directional one, that the aggregate has risen from the 2019 baseline to the 2025 edition.

What are the limits of the methodology?

The methodology is a defensible expert-opinion elicitation, which is a real strength and a real limit at the same time, so it should be used as a structured aggregate of informed judgment rather than as a forecast. Its power is that it polls a broad panel of cryptographers and quantum-hardware and quantum-algorithm researchers and reports the whole distribution of their views, including the quartile spread, so a reader sees the disagreement rather than a single false-confident number. That is exactly why it’s more citable than any one lab’s roadmap.

The limits follow from the same design, and naming them is part of using the report honestly:

  1. It measures opinion rather than physics. An elicitation captures what informed people currently believe, and belief can move on news and sentiment faster than the underlying engineering does, which is part of why the aggregate dipped and then climbed rather than moving monotonically.
  2. Elicitation carries known biases. Expert forecasts of hard-technology timelines are subject to anchoring on prior editions, optimism from researchers close to the work, and the coarseness of fixed likelihood bins, all of which the report’s own authors flag when they compare bin-based answers to the smaller set of numerical point estimates.
  3. The panel and the framing evolve. The roster changes year to year and the question wording has been adjusted between editions, so a clean longitudinal percentage series isn’t quite what the numbers are, which is the reason to read the drift as a direction rather than a precise curve.
  4. It’s scoped to Shor against RSA-2048. The headline Z it produces is about that specific break, and other quantum-cryptanalytic paths run on their own clocks, as the caveats below spell out.

None of this weakens the report as the best available Z evidence. It sharpens how to use it, as a distribution to run scenarios across rather than a single date to plan one deadline against.

How does it feed Mosca’s theorem?

The report is the primary public evidence for the Z variable, the time until the cryptography can be broken. In practice, the distribution translates cleanly into the three scenario values Mosca’s theorem wants: a conservative Z from the earlier-arrival end of the expert range, a moderate Z from the median, and an optimistic Z from the later-arrival end. Because the estimates are uncertain, running all three is the honest move, and the report’s expert-panel methodology gives each of them a defensibility that a single vendor’s timeline can’t match. It’s especially load-bearing in the many jurisdictions where the regulator hasn’t published its own CRQC timeline. Alongside it, the policy timelines (the U.S. 2035 target and CNSA 2.0) supply the policy-anchored deadline, and the two complement each other: one is grounded in technical evidence, the other in regulation.

The conversion from the report’s table into a usable Z is mechanical once you decide how cautious to be. The probability-by-horizon table gives, for each time horizon, an aggregate likelihood that a CRQC exists by then, and each of the three Mosca scenarios reads a Z off a different point of that distribution:

ScenarioHow to read Z off the tableWorked from the 2025 edition
ConservativeTake the earliest horizon where the aggregate likelihood is already non-trivial, so you plan as if the CRQC could arrive at the early edge of the expert rangeThe 28–49% mass inside 10 years means a conservative planner uses Z of about 10 years or shorter
ModerateTake the horizon where the aggregate crosses roughly even odds, the middle of the expert rangeThe 51–70% band at 15 years puts the moderate Z near 15 years
OptimisticTake a later horizon where the aggregate is high but you’re deliberately betting on the slower endA planner betting on the later arrival end pushes Z out toward 20 years or beyond

Running the inequality with all three Z values, rather than a single point estimate, is what makes the risk finding defensible, because it shows the decision under the full spread of expert opinion instead of hiding the uncertainty behind one number. When the conservative Z already breaches the shelf-life-plus-migration-time sum, the case for starting now holds even under the panel’s cautious tail, which is the strongest form the argument can take.

Honest caveats

  • It’s an estimate, not a forecast. Expert surveys capture informed opinion and its spread, not a known arrival date. Treat the horizons as scenario bands, not a countdown.
  • It has historically focused on Shor against RSA-2048. Other quantum-cryptanalytic paths, like Grover against symmetric primitives or Simon-style attacks against some legacy ciphers, run on their own clocks and aren’t the same Z.
  • Near-term “quantum utility” demos shouldn’t move Z. Reviews of near-term quantum-advantage results have found much of that literature statistically fragile, with apparent effects that can flip under unreported parameter choices or drift from hardware calibration alone. The operative Z stays anchored to fault-tolerant progress on breaking real key sizes, not to un-replicated utility demonstrations. See Cryptographically Relevant Quantum Computer (CRQC).

Source: Mosca, M. and Piani, M., Quantum Threat Timeline Report 2025 (numerical, published 9 March 2026, 26 experts; CRQC vs RSA-2048 at 28–49% within 10 years, 51–70% within 15), globalriskinstitute.org; and the qualitative companion Quantum Threat Timeline 2025: Executive Perspectives on Barriers to Action (March 2025), Global Risk Institute / evolutionQ.


Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.