The Quantum Timeline Is Not a Prediction.
It Is a Planning Horizon.

A recurring pattern in discussions about post-quantum security risk is the search for a specific date — the moment when a quantum computer will demonstrably break RSA-2048 in a publicly verifiable way. This date is used as a planning anchor. Organizations wait for the date to become clear before committing to migration. Security vendors use ambiguity about the date to minimize urgency. Policy makers treat the absence of a definitive date as license to delay mandates.

This framing is wrong in a way that is consequential for every organization that handles sensitive communications.

The Wrong Question and Why It Matters

The question of when quantum computers will publicly break RSA conflates several distinct issues: when a quantum computer of sufficient scale exists, when that computer is used for cryptanalysis rather than other applications, when that use is publicly demonstrated rather than classified, and when that demonstration is acknowledged rather than denied.

Nation-state adversaries operating classified quantum computing programs are under no obligation to make public announcements when they achieve cryptanalytic capability. The history of cryptographic advances is filled with capabilities that were known to intelligence agencies years before academic discovery. GCHQ's internal development of public key cryptography predated Diffie-Hellman's public publication by years. The NSA's pre-knowledge of DES weaknesses was classified for decades.

This is not a conspiracy theory. It is the documented historical pattern of how cryptographic capabilities develop in the intelligence community relative to public knowledge. Organizations whose security planning is based on publicly available quantum computing milestones are planning against the wrong timeline.

The Data Longevity Question

The planning horizon question is not about when quantum computing achieves cryptanalytic capability. It is about how long the data being generated today needs to remain confidential, and whether quantum capability — classified or otherwise — will exist before that confidentiality window closes.

For different types of communications, this calculation produces different answers:

A routine operational communication — scheduling, logistics, non-sensitive coordination — has a confidentiality window of days or weeks. Even if quantum decryption were available tomorrow, the strategic value of this data is minimal.

Legal privilege communications — advice between counsel and client, litigation strategy, investigation details — has a confidentiality window measured in years to decades. A legal communication from 2020 that becomes readable in 2030 is fully privileged and fully actionable in any legal context where it is relevant.

National security and defense communications — operational planning, intelligence sources, alliance communications — has a confidentiality window that may extend indefinitely. The sensitivity of some national security communications does not diminish with time.

The question each organization needs to answer is: for the most sensitive communications we generate, how long does confidentiality matter? If the answer is more than five years, the quantum timeline is a current operational concern, not a future theoretical one.

What Cryptographers Actually Think About the Timeline

The cryptographic research community is not unified on quantum computing timelines, but the direction of expert opinion has shifted materially over the past five years. Estimates of ten to twenty years that were common in 2018 and 2019 have been revised toward shorter timelines as quantum error correction research has advanced, as investment in quantum computing has accelerated, and as the gap between public research and classified capability has widened in observable ways.

NIST's decision to finalize post-quantum standards on an accelerated timeline — a process that normally takes a decade compressed to five years — reflects the agency's assessment of the threat timeline. Standards bodies do not compress timelines for theoretical future threats. They compress timelines when threat assessment changes.

The NSA's 2022 announcement that it was discontinuing support for certain elliptic curve algorithms in National Security Systems — years before those algorithms are publicly broken — reflects the same assessment. Organizations whose security professionals look to NSA guidance as a signal of actual threat intelligence should treat that announcement as a data point, not a bureaucratic update.

The Planning Horizon Framework

A more useful framework than the binary question of whether quantum computers have broken RSA is a planning horizon analysis. For each category of communications, organizations should define the confidentiality window — how long does this data need to remain protected? — and compare that window against credible estimates of quantum capability timelines, including the possibility that classified capability already exists.

For organizations whose most sensitive communications have confidentiality windows beyond five years, post-quantum migration is not future planning. It is current operational necessity. The data being generated today under current-generation encryption is potentially already being collected against a future decryption capability. Migration to post-quantum communications infrastructure changes what is being generated going forward. It cannot change what has already been collected.

The organizations with the most sensitive communications and the longest confidentiality windows are precisely the organizations for whom this analysis produces the most urgent answer. Government agencies, legal institutions, defense organizations, intelligence-adjacent enterprises — the organizations that most need to get this right are the ones for whom the standard response of "wait and see" is most dangerous.