The encrypted connection your bank uses to settle an interbank payment, the diplomatic cable a foreign ministry transmitted two years ago, the medical records sitting in your insurer's database, the firmware-signing key on the satellite passing over your house right now. All of them rely on cryptographic problems that a sufficiently powerful quantum computer could solve efficiently.
We don't have that quantum computer yet. We're closer than we were last year. And the most defensible threat model assumes adversaries are already collecting the encrypted material now, betting on a decryption capability arriving inside the next decade or two.
This is an attempt to lay out where the quantum-computing field actually is in 2026, who's exposed (almost everyone), who has already started migrating their systems (a small list), and what realistic timelines look like.
Where the hardware actually is
The headline-grabbing announcements over the past two years have come from a small set of labs.
University of Science and Technology of China, Zuchongzhi-3. A 105-qubit superconducting quantum processor. Demonstrated quantum advantage on Random Circuit Sampling at roughly 10^15 (one quadrillion) times the speed of the best classical supercomputer on the same workload. Paper published in Physical Review Letters, March 2025 (USTC, 2025).
USTC, Jiuzhang 3.0. A photonic quantum system using a different architecture. Set records on Gaussian Boson Sampling, completing in microseconds what would take a classical supercomputer roughly 200 million years (USTC, PRL, October 2023).
Google, Willow. Announced in December 2024, a 105-qubit superconducting chip that demonstrated below-threshold quantum error correction for the first time. This is arguably the more significant milestone of 2024, because error correction is the long-standing barrier between today's noisy intermediate-scale processors and the fault-tolerant machines that would actually be useful (Google Research, December 2024).
IBM, Heron R2. A 156-qubit superconducting processor. IBM has published a roadmap targeting 200,000+ physical qubits and 2,000+ logical qubits by 2033 (IBM Quantum Roadmap, 2024).
The important nuance: random circuit sampling and Gaussian boson sampling are benchmarks designed specifically to be hard for classical computers. They are not useful algorithms. The processors that beat classical hardware at these contrived tasks are not, today, capable of running Shor's algorithm at the scale needed to break the RSA-2048 keys protecting your online banking session.
But the gap is closing. The most-cited estimate (Gidney and Ekerå, 2019) put breaking RSA-2048 with Shor's algorithm at roughly 4,000 logical qubits, or about 20 million physical qubits at a 10^-3 physical error rate; Gidney's 2025 follow-up brought the physical-qubit count under one million. Today's largest chips have on the order of a thousand physical qubits, and the error-corrected devices named above have about a hundred. That is still a multi-order-of-magnitude gap, but the algorithmic side alone shrank it by more than an order of magnitude in six years, and the trajectory suggests it closes well within the working lifetime of cryptographic infrastructure being deployed right now.
State-level investment confirms the trajectory. Estimates from McKinsey place Chinese state spending on quantum technology at over $15 billion (McKinsey, 2024). The US National Quantum Initiative Act (2018) authorized roughly $1.275 billion over five years. The EU's Quantum Flagship has earmarked €1 billion over a decade. Japan's Q-LEAP program runs around ¥30 billion. Capital flows at that scale are the clearest signal of what the people closest to the work think the timeline is.
Why this is everyone's problem, not just cryptography researchers'
The public-key cryptography that quantum computers threaten is not some niche component. It is the foundational primitive that secures essentially all modern digital infrastructure.
A representative list of systems that depend on RSA, Diffie-Hellman, or elliptic-curve cryptography:
- Every HTTPS connection. TLS 1.3 negotiates its session keys with (EC)DHE key exchange (x25519 or secp256r1 in practice) and authenticates the server with RSA, ECDSA or EdDSA certificate signatures; both halves are in the quantum-vulnerable family. Approximately 95% of web traffic measured by Cloudflare runs over TLS.
- SWIFT. The interbank messaging network underpinning international transfers handles roughly 50 million messages per day, with daily values measured in trillions of dollars. The transport layer uses TLS with conventional key exchange.
- Card payments. Visa and Mastercard combined process roughly 700 million transactions per day. EMV offline card authentication (SDA/DDA/CDA) is built on RSA certificates chained to the payment schemes' root keys, with ECC specified only in newer EMV versions; the online authorization cryptograms are symmetric (3DES/AES) and far less exposed, but the PKI and TLS transport around them are not.
- Fedwire and TARGET2. The US Federal Reserve's wholesale settlement system processed approximately $4.5 trillion in daily value in 2024. The European Central Bank's TARGET2 (replaced by its successor T2 in March 2023) settled €2.6 trillion per day. Both run over cryptographic primitives in the affected family.
- Government communications. Classified cables, intelligence material, and diplomatic correspondence. The NSA explicitly cited this exposure as a motivator for the 2035 transition deadline (NSA CNSA 2.0 FAQ, 2022).
- Healthcare records. HIPAA-protected patient data in transit and at rest.
- Software supply chain. Code signing for Windows Update, macOS, Linux package managers, mobile app stores. If you can fake a code signature, you can ship malicious updates to billions of devices.
- The energy grid, water treatment, transportation systems. Increasingly digitized and increasingly dependent on certificate-based authentication.
None of this is hypothetical. It's the cryptographic substrate of every operational modern economy.
"Harvest Now, Decrypt Later": what's already been lost
The most defensible quantum-threat argument doesn't depend on when the relevant hardware arrives. It depends on what data has long-term value.
Encrypted material captured today, decrypted in 2040, is still material your adversary now has. For a meaningful portion of the world's encrypted data, that's a real problem:
- Intelligence material. Classified communications have indefinite sensitivity. A diplomatic cable from 2024 decrypted in 2040 is still a 2024 diplomatic cable.
- Corporate IP. Engineering trade secrets, formulae, prototype designs typically retain commercial value over a decade or more.
- Personal records. Medical history, financial history, biometric data. None of it becomes less sensitive with age.
- Long-lived signing keys. Root CAs, code-signing keys, firmware keys. These are not a harvest problem, since their public keys are already public; they are a forgery problem. Once the public key can be inverted, every signature that key ever produced is indistinguishable from a forgery, and every update or certificate it vouches for can be replaced, unless the artifacts were anchored by a trusted timestamp or the keys were rotated to a post-quantum scheme first.
Multiple national security services have publicly acknowledged this collection model. The NSA's CNSA 2.0 directive explicitly cites it. The UK's National Cyber Security Centre has guidance on it. The Bank for International Settlements raised it in Project Leap, their joint study with European central banks on quantum-safe payments (BIS Project Leap, 2024).
The asymmetry is what makes this uncomfortable: cryptography that is mathematically safe today is not the same thing as cryptography that will be safe forever. The decryption can happen at any future point, retroactively, against material you already lost custody of.
The policy response
On August 13, 2024, the US National Institute of Standards and Technology published the first set of finalized post-quantum cryptography standards after an eight-year competitive selection process (NIST press release, August 2024):
- FIPS 203: ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), the standard for post-quantum key exchange. Based on CRYSTALS-Kyber.
- FIPS 204: ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the standard for post-quantum digital signatures. Based on CRYSTALS-Dilithium.
- FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), an alternative hash-based signature scheme. Based on SPHINCS+.
These aren't research papers. They are the official US federal standards.
The NSA's Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), published in September 2022, had already set the deadlines those standards now fill in: national-security systems transition to post-quantum algorithms by 2035, with critical sub-systems earlier: software signing and firmware verification exclusively post-quantum by 2030, web servers and browsers by 2033.
Other jurisdictions have moved in parallel. The UK's NCSC published quantum-readiness guidance in 2024 with a recommended migration target of 2035. The European Union's eIDAS 2.0 framework includes provisions for quantum-resistant signatures. Japan, Australia, and Canada have all published national quantum strategies that include cryptographic migration timelines.
The Bank for International Settlements, central bank to the world's central banks, has published Project Leap (2023-2024) specifically studying how to make payments infrastructure quantum-safe. The fact that BIS is publishing on this is a strong signal that the world's monetary authorities consider the threat material to the financial system.
Who's actually shipped post-quantum cryptography
A surprisingly short list of organizations have moved from policy discussion to deployed code. The ones that have:
- Apple shipped iMessage PQ3 in February 2024, deploying Kyber (the pre-standard form of ML-KEM) in production messaging (Apple Security Engineering, February 2024).
- Signal shipped the PQXDH protocol in September 2023, the first deployed post-quantum messaging protocol at scale (Signal, September 2023).
- Cloudflare has been deploying hybrid post-quantum TLS since 2022 and reported that roughly 1.8% of the TLS connections it terminated were using post-quantum key agreement in 2024, before browsers enabled hybrid key exchange by default (Cloudflare Research, 2024); the share has climbed steeply since.
- Google Chrome enabled hybrid post-quantum key exchange (X25519Kyber768) in Chrome 116 in August 2023, turned it on by default in 2024, and moved to the standardized X25519MLKEM768 in Chrome 131 (Chrome Security, August 2023).
- Amazon Web Services introduced post-quantum TLS endpoints for several services starting in 2022.
- Mozilla Firefox added post-quantum key exchange options in 2024.
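An added example, not code from the post or from any of the vendors listed above: the passive check an operator can run over captured ClientHellos to see whether a client population is actually offering the hybrid groups, which is the first line of a cryptographic inventory. The code points are the IANA/IETF values (X25519MLKEM768 is 0x11EC; the draft Chrome 116 shipped was 0x6399), the ClientHello it parses is constructed inline rather than captured, and nothing beyond the standard library is used.

```python
# Inventory check: does a TLS 1.3 ClientHello offer a post-quantum hybrid group?
# The ClientHello built below is constructed for the example, not captured.

# IANA "Supported Groups" code points. The ML-KEM hybrids are the IETF draft values;
# 0x6399 is the pre-standard Kyber draft that Chrome 116 shipped.
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",
}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448"}

EXT_SUPPORTED_GROUPS = 0x000A
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(groups):
    """Build a minimal TLS 1.3 ClientHello record advertising `groups` (constructed test input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                        # legacy_version, random, empty session_id
    suites = b"\x13\x01\x13\x02"                                      # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += len(suites).to_bytes(2, "big") + suites + b"\x01\x00"     # cipher_suites, null compression
    glist = b"".join(g.to_bytes(2, "big") for g in groups)
    sg = len(glist).to_bytes(2, "big") + glist                        # supported_groups body
    sv = b"\x02\x03\x04"                                              # supported_versions: TLS 1.3 only
    exts = (EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(sv).to_bytes(2, "big") + sv
            + EXT_SUPPORTED_GROUPS.to_bytes(2, "big") + len(sg).to_bytes(2, "big") + sg)
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake(22)


def parse_supported_groups(record):
    """Walk a ClientHello record and return the offered named groups in preference order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                                     # skip record header (5) + handshake header (4)
    off = 2 + 32                                          # legacy_version + random
    off += 1 + body[off]                                  # session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")   # cipher_suites
    off += 1 + body[off]                                  # compression_methods
    ext_end = off + 2 + int.from_bytes(body[off:off + 2], "big")
    off += 2
    while off + 4 <= ext_end:
        etype = int.from_bytes(body[off:off + 2], "big")
        elen = int.from_bytes(body[off + 2:off + 4], "big")
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            glen = int.from_bytes(data[:2], "big")
            return [int.from_bytes(data[2 + i:4 + i], "big") for i in range(0, glen, 2)]
    return []


def classify_groups(groups):
    """Split offered groups into PQ-hybrid, classical and unrecognised, and flag harvestable sessions."""
    pq = [PQ_HYBRID_GROUPS[g] for g in groups if g in PQ_HYBRID_GROUPS]
    classical = [CLASSICAL_GROUPS[g] for g in groups if g in CLASSICAL_GROUPS]
    unknown = [hex(g) for g in groups if g not in PQ_HYBRID_GROUPS and g not in CLASSICAL_GROUPS]
    # With no PQ group on offer, the key exchange is fully exposed to
    # harvest-now-decrypt-later no matter what the server supports.
    return {"pq_hybrid": pq, "classical": classical, "unknown": unknown, "harvestable": not pq}


def audit(record):
    return classify_groups(parse_supported_groups(record))


if __name__ == "__main__":
    print(audit(build_client_hello([0x11EC, 0x001D, 0x0017])))   # modern browser
    print(audit(build_client_hello([0x001D, 0x0017, 0x0018])))   # legacy client: harvestable
```

Offering a hybrid group is necessary but not sufficient: whether the session actually used one is decided by the server's `key_share` in the ServerHello, so a full inventory pairs this check with the same parse on the server side.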
Notably absent from that list: any major banking infrastructure. SWIFT, Fedwire, TARGET2, Visa, Mastercard, and the major correspondent banking systems are all running discussions, pilots, and internal studies, but no large-scale production deployment of post-quantum cryptography exists in the banking core.
Also notably absent: any major Layer-1 blockchain. Bitcoin has had post-quantum migration discussions on the bitcoin-dev mailing list since 2019; no consensus path forward exists. Ethereum has active research at the Ethereum Foundation, including Justin Drake's published work on post-quantum migration (Drake, ethresear.ch, 2024), but no deployed plan with binding timelines.
The blockchain wrinkle
The general "Harvest Now, Decrypt Later" threat applies to blockchains exactly the way it applies to TLS traffic. But blockchains have an additional and arguably worse exposure that doesn't apply to most other systems.
When you spend from a Bitcoin or Ethereum address, the spending transaction reveals the public key behind that address: in Bitcoin the key is placed verbatim in the input script or witness, and in Ethereum it is recovered from the signature's (r, s, v) values. Before you transact, an external observer only sees a hash of the public key (for pay-to-public-key-hash style outputs). After you transact, the public key itself is committed to a public ledger that anyone can scrape, permanently. This is not a bug. ECDSA verification needs the public key, so the key has to be published. Some outputs never had the hash protection at all: early pay-to-public-key outputs and Taproot outputs carry the key directly on-chain.
What this means: every address that has ever sent a transaction has its full public key sitting in a public record that anyone, adversary or otherwise, can index for free, today, with no need to capture network traffic. The day a sufficiently powerful quantum computer comes online, those public keys are no longer secrets. Private keys can be derived, and any funds at those addresses become claimable by whoever does the deriving first. Even unspent hashed addresses are exposed for the window between broadcast and confirmation of a spend, during which a fast enough attacker could derive the key and race a conflicting transaction.
Deloitte's 2024 analysis estimated that approximately 25% of all Bitcoin in circulation sits at addresses with exposed public keys, representing over $500 billion in vulnerable value at then-current prices (Deloitte, 2024). This includes the original Satoshi-era pay-to-public-key outputs, large institutional cold wallets that have moved coins, and most active exchange and DAO treasuries.
The vulnerability is already baked into the public record. The chain is waiting on the decryption capability to mature. There is no version of the future in which this exposure goes away unless funds are migrated to new, post-quantum-protected addresses before the quantum clock runs out.
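As an added, self-contained illustration (example code, not from the post and not from any wallet or node implementation), here is the exposure mechanism carried through on secp256k1 in pure Python: derive an address as a hash of the public key, sign one spend, and then recover the public key from nothing but the (z, r, s, v) values a ledger stores. The private key and message are constructed for the example, the address hash substitutes SHA256 for Bitcoin's HASH160, and the nonce derivation is a stand-in for RFC 6979.

```python
import hashlib

# secp256k1, the curve behind Bitcoin and Ethereum signatures.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def address_of(pub):
    """Hash-style address. Bitcoin uses RIPEMD160(SHA256(pubkey)); RIPEMD160 is not in every
    Python build, so this example substitutes SHA256 truncated to 20 bytes. The property that
    matters is unchanged: the address reveals nothing about the key until the key is published."""
    x, y = pub
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(compressed).hexdigest()[:40]


def sign(priv, z):
    """ECDSA over secp256k1; returns (r, s, v), v being the recovery bit Ethereum stores on-chain."""
    # Deterministic nonce so the example is reproducible. Real wallets use RFC 6979; this
    # derivation is an assumption of the example, not a standard. k == 0 or r == 0 have
    # negligible probability, so the retry loop a real signer needs is omitted.
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N
    rx, ry = point_mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    v = ry & 1
    if s > N // 2:              # low-s normalisation (BIP 62); negating s negates R, so flip v
        s, v = N - s, v ^ 1
    return r, s, v


def verify(pub, z, r, s):
    """What a node checks. It cannot run without the public key, which is why the key is published."""
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_pubkey(z, r, s, v):
    """Q = r^-1 (s*R - z*G): rebuild the public key from nothing but the on-chain signature."""
    # Lift x = r back to a point; P % 4 == 3, so a square root is one exponentiation.
    # The rare case r = R.x - N (probability about 2^-128) is ignored here.
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)
    if (y & 1) != v:
        y = P - y
    zg = point_mul(z % N, G)
    neg_zg = (zg[0], (P - zg[1]) % P)
    return point_mul(pow(r, -1, N), point_add(point_mul(s, (r, y)), neg_zg))


def demo_exposure():
    """Address first (only a hash is public), then one spend, then recovery from the ledger alone."""
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed test key
    pub = point_mul(priv, G)
    addr = address_of(pub)
    # The sighash a node would verify for a spend from addr (constructed message).
    z = int.from_bytes(hashlib.sha256(b"constructed spend from " + addr.encode()).digest(), "big")
    r, s, v = sign(priv, z)
    recovered = recover_pubkey(z, r, s, v)     # uses only what the ledger stores
    return {
        "address": addr,
        "signature_valid": verify(pub, z, r, s),
        "recovered_matches": recovered == pub,
        "recovered_address": address_of(recovered),
    }


if __name__ == "__main__":
    print(demo_exposure())
```

Running it shows `recovered_matches` True with the recovered key hashing back to the original address: an indexer needs no network capture to build the target list. The step this code cannot show is the one a quantum attacker adds, solving the discrete logarithm on `recovered`; everything up to that point is already public.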
The honest assessment is that a post-quantum migration of a live chain with hundreds of billions in value at stake is one of the hardest engineering problems in the entire field. Progress will be measured in years to decades.
For new infrastructure being designed in 2024 and 2025, however, this is a much easier conversation. Building post-quantum signatures in from the ground up is dramatically simpler than retrofitting them onto a running network.
What to actually do with this information
A 2015 framework from cryptographer Michele Mosca, sometimes called Mosca's theorem, captures the planning problem cleanly. If (the time your data needs to remain secret) + (the time it takes you to migrate your infrastructure) is greater than (the time until a cryptographically-relevant quantum computer exists), you have a problem today, not in 2035.
For most large organizations, the migration time alone is measured in 3-10 years. The data-secrecy lifetime varies, but for government, finance, healthcare, and critical infrastructure, it is comfortably measured in decades. By Mosca's framing, those sectors should have started years ago. Many are starting now.
Concrete guidance for individuals: don't panic, but pay attention. Migration will happen, and which platforms handle it well will start to matter visibly within the next five years.
For builders and operators: ask what your platform's post-quantum roadmap actually looks like. "We will address it via governance in the future" is not a roadmap. A concrete migration plan with milestones, signature-scheme commitments, and a published timeline is.
For institutions: NIST and the BIS both recommend starting with a "cryptographic bill of materials", an inventory of every place your systems depend on quantum-vulnerable cryptography. You cannot migrate what you have not catalogued.
One concrete example from the infrastructure side
A small number of new infrastructure projects have built post-quantum cryptography in from genesis rather than treating it as a future migration problem. Most are research; a few are live.
Full disclosure, we're building one of them. Asentum is a Layer-1 blockchain that uses Dilithium3 (ML-DSA-65, the NIST FIPS 204 standard) for every block proposal, every consensus vote, and every transaction. No hybrid scheme, no "we'll address it via governance" deferral. The chain is live, with 27 validators across three continents, producing 5-second blocks under post-quantum consensus. The live explorer is at explorer.asentum.com; the code is open source.
The point is not to pitch a specific project. The point is that the technology to do this exists, has been standardized, and has been shipped. The question for the rest of the industry (banking, blockchain, government) is when, not whether.
Closing
We are in an unusual window. The cryptographic standards are finalized. The threat model is publicly acknowledged by central banks and intelligence services. The hardware threat is closing in but not here yet. The deployed migrations are concentrated in a small group of consumer-software companies and a few infrastructure pioneers, while the systems that handle the world's actual money and secrets are still in pilot phase.
The migration will happen, eventually, everywhere. The systems that handle it well will be the ones still around in 2040. The ones that hand-wave through it will not.
The quantum clock is running. The only question is who is paying attention.
milkie
Sources referenced
- NIST FIPS 203/204/205, August 2024: nist.gov
- NSA CNSA 2.0 FAQ, September 2022: media.defense.gov
- Zuchongzhi-3, Physical Review Letters, March 2025: journals.aps.org
- Jiuzhang 3.0, Physical Review Letters, October 2023: journals.aps.org
- Google Willow announcement, December 2024: blog.google
- IBM Quantum Roadmap, 2024: ibm.com
- McKinsey China quantum analysis, January 2024: mckinsey.com
- BIS Project Leap on quantum-safe payments, 2024: bis.org
- Deloitte Bitcoin quantum vulnerability analysis, 2024: deloitte.com
- Apple iMessage PQ3, February 2024: security.apple.com
- Signal PQXDH protocol, September 2023: signal.org
- Cloudflare post-quantum 2024 update: cloudflare.com
- Google Chrome hybrid post-quantum TLS, August 2023: blog.chromium.org
- Ethereum Research, post-quantum migration thread: ethresear.ch
