Are you ready for Q-Day?

By
July 8, 2026

Subscribe

Get OpenSSL Foundation news and highlights direct to your inbox through our monthly newsletter.

Share this post:

Ever since Peter Shor discovered an algorithm for finding prime factors using quantum computers in 1994, there has been a theoretical vulnerability to encryption. A functional quantum computer could crack keys in a fraction of the time required for traditional computers. The moment when traditional cryptography breaks is sometimes called Q-Day or Y2Q.

Why are quantum computers a threat to cryptography?

Cryptography depends on the existence of one-way functions which make it very easy to create random problems that are very difficult to solve. The most widely used public-key algorithms depend on one of the following mathematical problems:

For instance, RSA works because it’s easy to multiply two random prime numbers to create a public key while working out what those numbers were given only the key turns out to be substantially harder. Shor’s discovery means quantum computers could solve these problems relatively quickly. In addition, a separate discovery by Lov Grover could reduce the time needed to crack symmetric encryption with quantum computers. 

Lock at Prague Castle (Photo by Jon Ericson)

What will be vulnerable to quantum computers?

Technology that uses traditional encryption algorithms could be vulnerable. Particularly vulnerable are public-key cryptography (RSA and elliptic curve) based on the prime factorization and discrete logarithm problems. That includes anything from digital signatures to smart cards to secure messaging. Significant parts of the internet, including connecting to websites and sending email might be vulnerable. 

Less of a concern is symmetric cryptography, including AES and ChaCha20, where both parties have access to the same secret key. (Often this key is agreed to using public key cryptography using a key encapsulation mechanism (KEM).) Simply doubling the length of the key provides more than enough protection against Grover’s algorithm.

What’s being done to defend against quantum computers?

The good news is that cryptographic researchers have been working on this problem for a long time. In 2016, the National Institute of Standards and Technology (NIST) put out a call for post-quantum cryptography (PQC) algorithms. In 2024, it announced three new standards, including ML-KEM which is useful for securing internet traffic. The OpenSSL Library implemented all three of those standards in its 3.5 release in April, 2025.

When will quantum computers start breaking encryption?

Unlike Y2K, Q-Day isn’t a predetermined moment in time. Indeed there might never be a moment when quantum computers crack non-trivial keys. For an entertaining talk defending this idea, watch Peter Gutmann’s “Why Quantum Cryptanalysis is Bollocks” from the 2025 OpenSSL Conference. On the opposite end of the spectrum, it’s possible that some government agency is already breaking encryption using quantum computers and we may never know about it.

Companies such as IBM and Google regularly announce progress building quantum computers. Recently Google announced a timeline for implementing PQC with a deadline of 2029. In 2024 NIST set a 2035 deadline. Other government agencies agreed with the 2035 date. Just last month, the United States president signed an executive order to:

  • transition all [high value assets] HVAs and high impact systems to use PQC for key establishment by December 31, 2030
  • transition all HVAs and high impact systems to use PQC for digital signatures by December 31, 2031

These deadlines are accounting for the “harvest now, decrypt later” threat. In essence, attackers might begin collecting encrypted data and communications that have a long shelf life, such as state secrets, health records and cryptocurrency, with the expectation that they can be decrypted when quantum computing is viable. Experts, such as the panel at an All Thing Open event last November, give estimates that range from a few years to a few decades. 

What should I do to get ready for Q-Day?

Developers of software that depends on OpenSSL should verify they support at least the 3.5 release. By default that and later versions support hybrid ML-KEM for Transport Layer Security (TLS) 1.3. It also supports all three standard PQC algorithms for other applications. 

For TLS applications, administrators should check their configuration to see if the defaults have been overridden. (The openssl list and openssl s_client commands can help.) Other applications might need to be updated to use PQC algorithms.

Almost everyone else can prepare by making sure their software is up-date. This is best practice in any case since keeping current also makes sure you have patches for known vulnerabilities. 

We believe everyone should have access to security and privacy tools.

Join our mission to protect global digital infrastructure