When people say "Google changed Q-Day," they usually mean one thing.
In May 2025, Google published a new estimate that reduced the resources needed to factor RSA-2048 from its prior 2019 estimate of 20 million noisy qubits down to less than 1 million noisy qubits, with a longer runtime assumption.
That is not the same as saying "Q-Day is here." But it is a serious update to the risk curve.
What actually changed
Google's security blog post on May 23, 2025 summarized the result: RSA-2048 could theoretically be broken by a quantum computer with about 1 million noisy qubits running for less than a week. The referenced preprint followed on June 5, 2025.
The important part is not the headline itself. It is the delta against prior assumptions.
| Estimate snapshot | Physical qubits for RSA-2048 | Runtime assumption |
|---|---|---|
| 2012-style estimate (cited by Google) | about 1 billion | different historical assumptions |
| Google 2019 estimate | about 20 million | about 8 hours |
| Google 2025 update | less than 1 million | less than 1 week |
So yes, the model moved materially.
Why the estimate moved
Google attributes the drop mainly to three technical improvements:
- better arithmetic and algorithmic strategy for modular exponentiation
- denser error-corrected qubit storage patterns
- improved handling of expensive fault-tolerant operations
The 2025 preprint details those pieces explicitly, including approximate residue arithmetic and newer error-correction optimizations.
Why this matters for real programs
Security programs usually fail here by waiting for certainty.
Q-Day is not a single public countdown clock with one agreed date. It is a planning threshold. Once credible resource estimates keep dropping and timelines get tighter, migration urgency increases even before a cryptographically relevant machine exists.
Google's own writeup ties this directly to "store now, decrypt later" risk and points to NIST transition guidance. The NIST draft timeline referenced in Google's post marks many vulnerable 112-bit strength configurations as deprecated after 2030 and disallowed after 2035.
That is not far away for large estates.
What this does not mean
A lot of bad takes appeared after the announcement. The two biggest misses are:
- "RSA is broken today." It is not.
- "We can wait until there is a public break demo." That is usually too late for enterprise migration timelines.
Both are wrong in opposite directions.
Practical response, without hype
If you own a production platform, this is the practical sequence:
- inventory where RSA/ECC appears in your stack
- classify data by confidentiality lifetime
- prioritize traffic and artifacts exposed to harvest-now-decrypt-later risk
- build hybrid or phased PQC rollout plans now, not in the final years
- run crypto-agility drills so key rotation and algorithm swaps are operationally routine
This is boring compared with headline-driven quantum debates, but this is what actually reduces exposure.
Final note
My read is that Google did not "set" Q-Day to a specific calendar date. It did something more important: it changed the cost assumptions that many teams were quietly using to justify delay.
That is enough reason to move PQC planning from "later" to "active roadmap" now.