How exponential hardware progress, fault-tolerant coding, and cryptographic timelines intersect
By Chris Mansell, Senior Scientific Writer, Terra Quantum AG
EXECUTIVE SUMMARY
Quantum risk is not driven by qubit counts alone, but by the compounding relationship between scale, error correction, and computational depth.
- Quantum computing is already strategically real. A quantum computer does not need to break RSA to matter. “NISQ” machines are noisy and shallow, but the next transition is toward logical qubits: protected units of quantum information built from many physical qubits using error correction. The first major payoff of that transition is likely to be much deeper logical circuits for chemistry, materials, simulation, search, optimization, and other non-cryptographic applications.
- Q-day is the wrong place to start, but the right risk to keep in view. “Q-day” means the arrival of a cryptographically relevant quantum computer: a machine able to break widely used public-key systems such as RSA or elliptic-curve cryptography. Today’s public machines are still orders of magnitude away from that. But the graph shows why the gap cannot be read with linear intuition: qubit counts have been rising, error rates have been falling, and cryptanalytic resource estimates have also moved.
- Post-quantum cryptography is a present-tense migration problem. “PQC” means classical cryptography designed to resist known quantum attacks. The reason to move now is not that RSA will definitely fall in 2030; it is that migration takes years, some secrets must remain secret for years, and adversaries can harvest encrypted data now for decryption later. In other words, the relevant clock starts before a cryptographically relevant machine exists.
- The hard-takeoff toy model is about compounding. Below the fault-tolerance threshold, code distance sits in the exponent: adding physical scale can buy disproportionately better logical reliability. If hardware progress continues roughly exponentially while error correction turns more hardware into exponentially deeper logical computation, the field can spend years looking far away and then move through orders of magnitude surprisingly quickly. The right response is neither panic nor reassurance; it is preparation.
Introduction
This analysis is an attempt to compress the quantum computing landscape into a single conceptual picture. The central argument is that cryptographic risk does not emerge from qubit counts alone, but from the interaction between hardware scale, error correction, and the amount of reliable logical computation those systems can sustain. The goal is not to predict an exact Q-day, but to build intuition for how exponential hardware progress and fault-tolerant coding could eventually turn gradual advances into nonlinear security consequences.
Useful Background Knowledge
- A physical qubit is an actual physical system: an ion, atom, superconducting circuit, spin, photon mode, or something similar. A physical gate is an operation performed on one or more of those physical qubits.
- A quantum computation has width and depth. Width means how many qubits are involved. Depth means how many layers of operations the computation can survive before noise overwhelms it.
- In the NISQ era, these are mostly physical quantities: physical qubits undergoing physical gates. Fault tolerance changes the language. Many physical qubits can be used together to protect one unit of quantum information. That protected unit is a logical qubit.
- A logical gate is then an operation on logical qubits. Under the hood it may require many physical gates, measurements, decoding steps, and correction procedures. But at the algorithmic level it counts as one protected operation.
- The graph is about this transition. It asks not merely how many physical qubits a machine has, but how much logical width and logical depth those physical qubits might buy once error correction starts working.
How to read the graph (Read diagonally, not one axis at a time)
- Moving right means more physical qubits. Moving upward means lower entangled-state error.
- The colored background is an idealized surface-code map. It asks: if a machine with N physical qubits is partitioned into about √N logical qubits, how much logical depth does each logical qubit get?
- Warmer colors mean dramatically more per-logical-qubit logical computation depth.
- The solid platform lines are fitted historical trends through 2024; the dashed continuations are simple extrapolations, not promises.
- The RSA curves are resource frontiers, not cliffs. They show where cryptanalytic workloads become plausible under particular assumptions.
This is the most useful thing about the figure: it keeps the axes simple while changing the question. Instead of asking whether a mythical future quantum computer will suddenly matter, it asks what today's trends imply for usable logical computation as machines get bigger and cleaner.
Start with the one thing we can be most sure of
Most discussions of quantum computing jump straight to milestones, company claims, or arguments about timelines. That is backwards. The better place to start is with a simple limit. A raw physical qubit only buys you so much circuit depth before noise wins. If the physical error rate is p, then the natural scale for raw physical depth is on the order of 1/p. A machine with more qubits is wider, but that alone does not make any one qubit live much longer. Now add the second fact. In the standard surface-code picture, once the physical error rate is below threshold, the logical failure rate falls roughly like A (p / p_th)^((d+1)/2), where d is code distance. The constants depend on the decoder and the noise model, but the shape is the point. Code distance sits in the exponent. Below threshold, spending more physical qubits on a logical qubit does not just help a little. It changes the character of the improvement. That is why Google's Willow result mattered so much. It showed below-threshold surface-code memories in which the larger code beat the smaller one, with the distance-7 memory reaching a logical error rate of about 0.143% per cycle. Once you understand that, the rest of the graph becomes easier to read.
The figure is the argument
This figure is more than a picture. It is a map from hardware facts to practical consequences. It does three useful things at once. First, it keeps the axes intuitive: qubit count on one axis, error on the other. Second, it asks a practical question instead of a cinematic one: if you take a machine with N physical qubits and spread those qubits across a useful number of logical qubits, how much logical work does each logical qubit actually get? Third, it lets three stories live in one frame: raw hardware trends, useful fault-tolerant computational depth, and cryptanalytic frontiers such as the resource curves for RSA. That combination is why the graph has explanatory force. It shows why cryptographic panic is premature, why 'quantum is useless forever' is also wrong, and why the interesting near-term change may arrive before the headline-grabbing one.
Why 'hard takeoff' is the right toy model
'Hard takeoff' names the thing that linear intuition misses. The toy model is simple. Suppose hardware scale keeps improving roughly exponentially with time. Suppose also that, once you are below threshold, logical reliability improves roughly exponentially with code distance. Stack those two effects and the result does not feel like ordinary engineering progress. It feels like a long lull followed by a lurch. That does not mean everything becomes double-exponential forever. Real systems hit hurdles: control bottlenecks, decoder latency, leakage, correlated events, packaging, cryogenics, calibration, and all the other stubborn details that turn lab results into systems. But as a qualitative model, hard takeoff is exactly right. The point is not magic. The point is compounding. Craig Gidney later made the same intuition explicit in the cleanest possible slogan: stack one exponential on top of another and you get a lull followed by a FOOM. That is not a prophecy. It is a warning against reading an exponential field with linear eyes.
Why mobile phones are the better analogy
The wrong analogy for this stage of quantum computing is the transistor. The transistor story is a story about a component becoming so intrinsically good that the rest of the system can stop worrying about it quite so much. That is not what today's quantum story looks like. Qubits are not becoming magically perfect devices that make the rest of the stack irrelevant. The better analogy is digital mobile communications. Mobile phones did not take off only because radio hardware and semiconductors improved. They took off because better hardware made it affordable to do more coding, decoding, interleaving, equalization, and digital signal processing. Performance became a joint function of the front-end device and the coding stack wrapped around it. That is the useful parallel. In classical coding, better distance and better decoding buy you disproportionately better reliability. In the surface-code world, once you are below threshold, larger code distance buys you exponentially better logical reliability. The analogy is not literal – Viterbi decoding is not surface-code decoding – but the engineering logic is similar. In both cases, distance is the lever, and scale makes more distance affordable. That is why quantum increasingly looks like a coding story, not just a hardware story. Once more hardware can be turned into more protection, progress undergoes a hard takeoff.
The important near-term story is depth, not RSA
The most understated part of the figure is the heatmap. Public discussion tends to focus on RSA or elliptic-curve cryptography because they are dramatic, legible, and policy-relevant. But the heatmap is telling a broader story. Long before a machine becomes large enough and reliable enough to sit on an RSA frontier, it can move into regions where per-logical-qubit logical depth becomes extraordinarily large while logical width is still useful. That matters because the defining limitation of the NISQ era is not just that devices are noisy. It is that they are shallow. Researchers can propose elegant algorithms for chemistry, materials, simulation, search, optimization, and many other tasks, but there has been very little room to try those ideas at scale in actual experiments. A warmer position on this graph changes that qualitatively. Logical depths need not become merely somewhat larger; they can become experimentally liberatingly larger - millions, billions, or far more logical cycles per logical qubit. That is the real post-NISQ transition. It is the moment when algorithmic ideas can be tried out empirically, experimentally, and iteratively at depths that were simply unavailable before.
Still far from cryptographically relevant - but not safely ignorable
None of this means that the graph predicts an imminent RSA apocalypse. It does not. The cryptanalytic frontiers remain far from where today's public devices sit. Even after recent progress in resource estimation, cryptographically relevant attacks still require machines that are much larger, much cleaner, and much more integrated than anything that exists today. In the two headline metrics on the chart - width and error - current systems remain orders of magnitude away. But the distance is no longer the same as it looked a few years ago. In 2021, a widely cited estimate put RSA-2048 factoring at about 20 million noisy qubits in 8 hours. In 2025, Craig Gidney published a new estimate that brought the requirement below one million noisy qubits at under a week under related surface-code-style assumptions. That is still not today's hardware. It is, however, a reminder that algorithmic and architectural improvements can move the frontiers as well as the hardware can. The sober conclusion is two-part. First: Q-day in 2030 is not something anyone should treat as near-certain. Second: Q-day in 2030 is also not a risk that defenders of long-lived, high-value information can casually round down to zero.
Why post-quantum cryptography is already now
You do not need to believe in an imminent cryptographic break to believe in acting now. You only need to believe three ordinary things: migration takes years, some secrets stay valuable for years, and attackers can store ciphertext before they can decrypt it. That is the Harvest Now, Decrypt Later (HNDL) threat and it is enough to make post-quantum cryptography a present-tense issue. NIST finalized its first three principal PQC standards in August 2024 and urged administrators to start transitioning. The UK's NCSC followed with migration guidance organized around milestones in 2028, 2031, and 2035. That is not the language of panic. It is the language of timeline arithmetic. Even in specialized deployments that use quantum key distribution (QKD) to generate shared keys, PQC-based authentication and modern key management remain essential. So “PQC now” does not depend on dramatic rhetoric. It follows from two simple facts: PQC is foundational, and institutional transitions move slower than research curves.
The right way to read this moment
The most important mistake to avoid is assuming that quantum progress must look like a smooth extrapolation from the NISQ era. If the graph is pointing in the right direction, then the real change is not just that devices are getting bigger or cleaner. It is that the field may be entering a regime where bigger and cleaner devices also buy disproportionately more useful logical depth. That is the moment when a technology stops being judged only by the weakness of its raw parts and starts being judged by what the full stack can do.
That is why this is not just a story about qubits. It is a story about compounding. And that is why the right strategic posture is neither panic nor complacency. Separate four claims clearly.
- Quantum computing is already strategically real outside cryptography.
- Post-quantum cryptography is already a present-tense planning problem.
- Q-day is not near-certain on a fixed date.
- But for anyone protecting long-lived, high-value information, it is no longer a tail risk that can be shrugged off.
Selected references
- Sam Jaques, Quantum Landscape - https://sam-jaques.appspot.com/quantum_landscape
- François-Marie Le Régent, AQCE site - https://francoismarieleregent.xyz/awesome-quantum-computing-experiments/
- François-Marie Le Régent, FTQC benchmarking review (arXiv:2507.03678) - https://arxiv.org/abs/2507.03678
- R. Acharya et al., Willow below-threshold surface-code result (arXiv:2408.13687) - https://arxiv.org/abs/2408.13687
- Craig Gidney and Martin Ekerå, 2021 RSA-2048 estimate - https://quantum-journal.org/papers/q-2021-04-15-433/
- Craig Gidney, 2025 RSA-2048 estimate - https://arxiv.org/abs/2505.15917
- Craig Gidney, 'Quantum Error Correction goes FOOM' (2025) - https://algassert.com/post/2503
- NIST, first finalized PQC standards (2024) - https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
- NIST PQC project page - https://www.nist.gov/pqc
- UK NCSC, PQC migration timelines (2025) - https://www.ncsc.gov.uk/guidance/pqc-migration-timelines
- Richard Wray, The Guardian Newspaper (2010), ‘In just 25 years, the mobile phone has transformed the way we communicate’ - https://www.theguardian.com/business/2010/jan/01/25-years-phones-transform-communication
- Bas Westerbaan, ‘Factoring is not a good benchmark to track Q-day’ - https://bas.westerbaan.name/notes/2026/04/02/factoring.html
Method notes
The historical fits and projected platform trend lines in the figure should be treated as explanatory heuristics, not precise forecasts. The heatmap is an illustrative surface-code calculation intended to make the post-NISQ depth story legible on familiar axes. That is enough for the figure to do useful conceptual work even where exact future trajectories remain uncertain.
Appendix 1: Outside-view cross-check
This appendix is an outside-view cross-check, not a bottom-up model. It is an expert-survey view. The main graph in this essay starts from hardware progress, error correction, and cryptanalytic resource frontiers. Figure 2 does something different. It shows how expert judgments about the timeline for a cryptographically relevant quantum computer have moved over successive annual surveys. In that sense, it is not a substitute for the main argument of this essay. It is a separate lens on the same strategic question.
![Figure 2. Comparison of the change in the coarse-grained estimates from survey to survey. The kind of range for coarse-grained estimates presented in Figure 17 for the 2025 [GRI] survey is plotted also for the 2022-2024 surveys. The plots are shifted so that the estimates produced in each survey align with respect to absolute time. | Attribution: Reproduced unedited from Quantum Threat Timeline Report 2025 by Dr. Michele Mosca and Dr. Marco Piani, Figure 22; published under license by the Global Risk Institute in Financial Services (GRI). © 2026 evolutionQ Inc](/assets/16drwzg4c-quantums-hard-takeoff-appendix1.png)
What makes the figure useful is not that it predicts a date with precision. In fact, the report itself emphasizes uncertainty and frames the exercise as a recurring survey of expert opinion about when a machine able to break RSA-2048 in 24 hours might arrive. The value of Figure 2 is comparative: it lets the reader see how the range of expert expectations has shifted from the 2022 survey to the 2025 survey when aligned to absolute calendar time. The visible pattern is not “Q-day is now certain.” The visible pattern is that the center of gravity has moved upward, especially for the mid-2030s. That is exactly the kind of change that matters for risk management even when it falls far short of certainty. The practical conclusion is the same as in the body of this essay, but it lands here from the outside rather than the inside. One does not need to believe that RSA-2048 will definitely fall by 2030 to conclude that post-quantum migration belongs in the present tense. It is enough that the probability is not negligible, that the consequences are large, and that institutional migration takes years.
Appendix 2: Extrapolation needs to be informed
BT (formerly British Telecom) once projected that only 500,000 mobile phones would ever be sold. Yet market penetration in the U.K. rose from 7% in 1995 to 46% in 1999, and by 2004 there were more mobile phones than people. Anticipating the switch to digital and appreciating its ramifications was a stretch for many executives in the industry. The broader point is that when extrapolating trends into the future, one needs to pay careful attention to foreseeable regime changes. Thresholds are a prime example. Once a threshold is crossed, important metrics begin to scale in a new way, and signs of further progress, at least to the untrained eye, can be deceptive. Naively, one may expect a fault-tolerant quantum computer to be able to break toy RSA codes, like RSA-4, many years before Q-day arrives. However, the curves in the graph below show toy RSA codes sitting very near serious cryptographic codes like RSA-2048. As such, small-scale, public demonstrations of quantum cryptanalysis should not be used in isolation to decide when it is time to start preparing for Q-day. A more informed model, based around the considerations discussed in the main text, is a better starting point.
Continue the Conversation
If this paper has you thinking about what post-quantum readiness looks like for your organization, we'd be glad to continue the conversation.
Explore PQarc: Post-Quantum Cryptography Risk Assessment. PQarc discovers cryptographic mechanisms across your environment, assesses risk, and informs migration planning. Scan the code to explore the platform.
For technical follow-up on this paper, security advisory engagements, and post-quantum migration planning, reach out to our team.