Quantum computing is progressing faster than expected, while companies and governments are not moving fast enough in deploying the cryptography algorithms that will protect them against these machines.
The expression “Quantum Q day”, or “Q Day” refers to the day when a quantum computer will be available to the public. A distant possibility until then, an event located far in the future, and which we were not even sure would ever really happen.
But things have evolved. Google achieved quantum supremacy at the end of 2019 with its Sycamore processor, which made it possible to perform in just over three minutes an operation that would have taken a traditional computer 10,000 years. IBM plans to publish the results of useful quantum computing by the end of the year. At the beginning of June, Microsoft for its part unveiled its Majorana 2 chip, a thousand times more reliable, according to the company, than the previous chip, Majorana 1, released in early 2025. Last year, Amazon also presented its own quantum chip, Ocelot.
Q day keeps getting closer
Added to this are advances in AI, which lead a acceleration of the advances in quantum computingin particular by supporting fundamental research on the design and improvement of quantum hardware, facilitating the discovery of new quantum algorithms and improving the correction of calculation errors made by these new type of computers. It is, for example, the use of AI which enabled researchers from Google and the quantum start-up Oratomic to find an algorithm making it possible to improve the coding of qubits, paving the way towards more powerful and error-resistant quantum computers. Following recent progress, Google has lowered its prediction for the advent of “Q Day” to 2029. This is also the date that IBM aims to release its Starling computer.
“Q Day is on the horizon, and that horizon keeps getting closer,” said Rik Ferguson, VP Security Intelligence at cybersecurity company Forescout. “The National Institute of Standards and Technology calendar (NIST, an American organization responsible since the 1970s for defining algorithms for cryptography used by the American administration, editor’s note)concerning the date by which everyone must be ready, set at 2035 in 2024, is thus already obsolete.”
Collect now, decrypt later
A publicly accessible quantum computer could easily overcome current encryption methods. Asymmetric public key encryption as it exists today, which is based on RSA algorithms, based on public-private key pairs, is inviolable by current computers: it takes around 250 years for a computer today to break such a key. But when Q Day arrives, it will become child’s play: it is estimated that it will then only take about four hours for a quantum machine to achieve this.
However, if the day is looming for the end of the decade, this means that “all the encryption algorithms that are deployed today must already be quantum resistant, because these systems will still be in service when this deadline is reached”, estimates Rik Ferguson.
Especially since in the meantime, players can already collect immense quantities of encrypted data, in order to store and decrypt them once a sufficiently powerful quantum computer becomes accessible. A good part of the data collected by the Muscular program, revealed in the Snowden files, via which the NSA intercepted data between the data centers of Google and Yahoo, was thus encrypted data, for the moment unusable.
“We know from the Snowden documents that the NSA maintains facilities dedicated to storing data that it cannot currently decrypt, but which it maintains in the event that it is able to do so in the future,” specifies Rik Ferguson. From China, the Tycoon cybercriminal network massively stole encrypted data during its attacks on American telecom infrastructure. “They compromised nine different operators and spent more than three years inside one of these networks. So much so that the NSA, CISA, FBI and German BSI have all issued coordinated warnings indicating that Chinese hackers are colonizing networks and stealing data, encrypted or not, on a large scale,” details Rik Ferguson.
Between 2018 and 2020, the Russians did the same with a hijacking of BGP. APIs from Google Cloud and other services were diverted to Russian infrastructure for just over an hour. However, if the data passes through your infrastructure, you can easily make a copy of it.
Prioritize encryption of strategic data over the long term
The ability to collect data to decipher it later is therefore proven. Associated with the rapid emergence of quantum, it poses an obvious risk. Good news: the algorithms to protect against quantum computers already exist. Defined by the National Institute of Standards and Technology, they have been available since 2024, the result of research work carried out with cryptographers around the world for seven years.
Problem: Their adoption isn’t moving fast enough at all, especially given Q Day is approaching. “According to the most recent data we see on networks, only 8% of devices are using quantum-resistant algorithms via the SSH protocol. “Business services, on the other hand, are leading the way, driven by customer concerns and demands,” explains Rik Ferguson.
While accelerating adoption is important, it is also important to prioritize certain types of data over others, based on new criteria. Indeed, the data particularly exposed to “collect now, decrypt later” attacks are those that have a strategic value that extends over several years, or even decades.
This includes medical records, which are required by law to be retained for a significant period of time, and whose value is maintained throughout that period. But also, to stay in the medical field, pharmaceutical research and development projects, formulations, avenues that a laboratory has decided not to patent… Or even negotiations in anticipation of a merger-acquisition, legal communications, or, from a governmental point of view, sovereign debts and the financial positions of States and governments.
So, of course, are defense and intelligence communications, and critical national infrastructure architecture information. These are the most consequential examples, where foreign states have a clear interest in collecting data today, because it will retain its value for a long time.
Conversely, data that may also be sensitive, but whose value will expire before Q-Day arrives, such as session tokens, short-lived credentials, traffic to encrypted websites, login pages, poses a much lower risk.
