What Is a Cryptographically Relevant Quantum Computer (CRQC)? A Practitioner's Reference for CISOs and Security Architects

Every post-quantum cryptography conversation eventually circles back to the same foundational question: what, precisely, is the threat model? Vendor briefings invoke quantum computing loosely. Board members conflate quantum communication with quantum computation. And well-intentioned security teams sometimes dismiss the risk entirely because today's quantum hardware cannot factor a large integer, let alone break a production RSA key. The practitioner's job is to cut through all of that - and the starting point is a precise, authoritative definition of the Cryptographically Relevant Quantum Computer, or CRQC.

The Formal Definition: What NIST Actually Means by CRQC

NIST defines a Cryptographically Relevant Quantum Computer as "a quantum computer that is capable of attacking cryptographic systems that would be considered secure against a classical computer." ^{[NIST CSRC Glossary]} That definition is deliberately functional, not architectural. It does not specify a qubit count, an error rate, or a hardware platform. It specifies a capability threshold: the ability to compromise cryptographic systems that are currently considered secure.

This framing matters for security architects because it separates the question of when does a CRQC arrive from what would it actually do. The latter question is answerable with precision today. The former is not - and any vendor, analyst, or briefing that treats a specific arrival year as settled science is overstating the current state of knowledge.

Why Current Quantum Computers Are Not CRQCs: The NISQ Gap

Today's quantum hardware operates in what researchers call the Noisy Intermediate-Scale Quantum (NISQ) era - devices with tens to hundreds of physical qubits that are fundamentally limited by decoherence, gate error rates, and the absence of practical fault tolerance. Google's Willow chip, announced in December 2024, operates at 105 physical qubits with meaningfully improved error correction performance. It represents a genuine engineering milestone. It is not a CRQC, nor is it close to one on any credible technical measure.

The gap between NISQ hardware and a CRQC is not a matter of incremental scaling. Breaking RSA-2048 using Shor's algorithm requires fault-tolerant logical qubits - qubits that have been error-corrected to a standard that physical qubits alone cannot achieve. Published research estimates that attacking RSA-2048 could require anywhere from approximately 372 logical qubits at theoretical minimum thresholds to potentially millions of physical qubits in realistic implementations, depending on the error correction scheme and assumed gate fidelities. ^{[NIST CSRC Glossary]} The variance in those estimates - spanning orders of magnitude - is itself a practitioner signal: the engineering path from today's NISQ devices to a fault-tolerant CRQC remains deeply uncertain, and that uncertainty cuts both ways.

Exactly What a CRQC Would Break - and What It Would Not

Security architects need a clean threat surface, and the algorithm-level picture is actually quite clear. Two quantum algorithms drive the entire PQC threat model.

Shor's Algorithm: The Existential Threat to Public-Key Cryptography

Shor's algorithm, running on a CRQC, would break the two cryptographic families that underpin virtually all current public-key infrastructure. RSA relies on the computational hardness of integer factorization; elliptic curve cryptography (ECC) relies on the hardness of the discrete logarithm problem on elliptic curves. Shor's algorithm solves both problems in polynomial time on a quantum computer - reducing what would take classical computers billions of years to a computation measured in hours or days on a sufficiently capable machine. ^{[NSA Quantum FAQs, August 2021]} Every TLS handshake, every code-signing certificate, every VPN authentication, every PKI-issued credential in your environment depends on one of these two families. That is the threat surface.

Grover's Algorithm: A Manageable Impact on Symmetric Cryptography

Grover's algorithm presents a different and far more manageable problem. Running on a CRQC, it provides a quadratic speedup for brute-force search - effectively halving symmetric key security in bit-strength terms. AES-128 would be reduced to approximately 64-bit effective security, which is considered insufficient. AES-256, however, would be reduced to approximately 128-bit effective security - a level that remains generally acceptable for most threat models. ^{[NSA Quantum FAQs, August 2021]} The mitigation here is parameter selection, not algorithm replacement: organizations already using AES-256 require no fundamental architectural change for symmetric encryption.

This distinction is operationally important. PQC migration is principally a public-key infrastructure problem, not a symmetric encryption overhaul. Security architects should scope their cryptographic inventories accordingly - the most urgent exposures are RSA and ECC deployments, not AES configurations. Understanding which finalized NIST algorithms replace those threatened families is the natural next step in that analysis.

Why "No CRQC Yet" Is Not the Same as "No Risk Yet"

The most dangerous misconception in executive-level PQC conversations is the inference that an absent CRQC means an absent risk. It does not - for two reasons that operate independently of each other.

The first is the Harvest Now, Decrypt Later (HNDL) threat. Adversaries with the motivation and capability to do so are collecting encrypted network traffic today, storing it, and waiting for a CRQC to become available to decrypt it retroactively. The NSA identified this threat vector explicitly in its 2021 quantum FAQs, noting that data encrypted with current public-key algorithms could be compromised once a CRQC exists. ^{[NSA Quantum FAQs, August 2021]} Any data your organization transmits today that must remain confidential for five or more years - financial records, health data, intellectual property, merger communications, classified material - carries HNDL exposure right now, regardless of when a CRQC actually arrives.

The second reason is migration lead time. Cryptographic dependencies in enterprise environments are not patched in a sprint cycle. TLS stacks, PKI infrastructure, hardware security modules, SSH configurations, vendor libraries, and embedded systems all require coordinated transitions measured in years. NIST finalized the first three post-quantum cryptography standards in August 2024 - ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA for hash-based signatures - after a standardization process that began in 2015. ^{[NIST, August 2024]} The standards runway is closing. Organizations that have not begun cryptographic asset inventories are already behind the curve, and every month of inaction compounds a retroactive exposure that cannot be undone once a CRQC arrives.

The Honest State of CRQC Timeline Forecasts

CISOs frequently ask the same question: when will a CRQC actually exist? The honest answer, based on authoritative sources, is that no one knows with confidence. NIST has published no specific predicted date for CRQC arrival. ^{[NIST, What is Post-Quantum Cryptography]} Published estimates across research literature range from less than a decade to more than 30 years, depending on assumptions about fault-tolerance engineering progress, error correction breakthroughs, and the level of sustained investment by nation-state and commercial actors.

That range is not an evasion - it reflects genuine scientific uncertainty about multiple unsolved engineering problems that must be solved in sequence. What it means for security planning is this: the uncertainty is asymmetric. If a CRQC arrives later than expected, organizations that migrated early incur sunk costs and gain operational maturity. If a CRQC arrives earlier than expected, organizations that delayed face catastrophic, retroactive exposure with no remediation path for already-harvested data. Risk-adjusted planning strongly favors early action under that asymmetry, which is precisely why CISA and NIST recommend beginning cryptographic inventory and transition planning as immediate operational steps. ^{[NIST, What is Post-Quantum Cryptography]}

It is also worth drawing a clear distinction here: quantum cryptography - which uses quantum mechanical properties for key distribution (QKD) - is a separate field from post-quantum cryptography. PQC refers to classical mathematical algorithms designed to resist quantum attack, running on conventional hardware. ^{[NIST, What is Quantum Cryptography]} Conflating the two is a common source of confusion in vendor briefings and board discussions; security architects should be prepared to clarify this distinction explicitly.

From Definition to Action: How CISOs Should Use the CRQC Concept in Planning

The CRQC definition is not an academic exercise - it is the threat model anchor for every PQC planning decision your organization will make. Used correctly, it provides three practical planning lenses.

Cryptographic asset inventory as the non-negotiable first step. Before any migration prioritization, algorithm selection, or vendor evaluation, your security architecture team needs a complete map of every system, protocol, and data flow in your environment that relies on RSA or ECC for confidentiality or authentication. This inventory is the prerequisite for everything that follows, and it carries no capital cost to initiate. Prioritize by data sensitivity and longevity - assets that must remain confidential beyond five years carry active HNDL exposure today.

Migration prioritization by exposure class. Not all RSA and ECC deployments carry equal urgency. Long-lived confidentiality use cases - encrypted archives, sensitive communications, key material - are the highest-priority HNDL exposures. Authentication use cases like code signing and certificate infrastructure carry a different risk profile: they are primarily exposed at the moment a CRQC arrives, not retroactively. Sequencing your migration by exposure class prevents resources from being misallocated. Understanding how crypto agility frameworks structure that sequencing is a practical next step for security architects building migration roadmaps.

Vendor and standards alignment. Any PQC migration investment should align with NIST's finalized standards - ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Vendor solutions that rely on non-standardized algorithms, proprietary implementations, or pre-standardization drafts introduce interoperability and longevity risk. The CRQC threat model is the same regardless of vendor; the standards that address it are not vendor-specific. For organizations with federal contracts or national security system dependencies, CNSA 2.0 compliance timelines introduce additional system-specific obligations that must be mapped against your cryptographic inventory.

Key Takeaways

• A CRQC is defined by capability - the ability to break currently secure cryptographic systems - not by a specific qubit count or hardware architecture. No CRQC exists today.
• Today's NISQ-era quantum hardware, including Google's 105-qubit Willow chip, is orders of magnitude below the fault-tolerant logical qubit threshold required to run Shor's algorithm against RSA-2048 or ECC.
• Shor's algorithm on a CRQC would break RSA and ECC entirely. Grover's algorithm would reduce AES-128 to inadequate security but leaves AES-256 at acceptable security levels - manageable through parameter selection, not algorithm replacement.
• The Harvest Now, Decrypt Later threat means CRQC risk is already operational for data with long confidentiality requirements, regardless of when a CRQC actually arrives.
• No authoritative body has published a confirmed CRQC arrival date. Estimates range from under a decade to over 30 years - and the asymmetric downside of delayed migration makes early action the risk-adjusted choice.
• The immediate, zero-capital action is a cryptographic asset inventory scoped to RSA and ECC dependencies, prioritized by data longevity and sensitivity.

This article draws on primary documentation from NIST CSRC (including the CRQC glossary definition and PQC standardization announcements), NSA/DoD Quantum FAQs (August 2021), and NIST cybersecurity guidance on post-quantum cryptography and quantum cryptography. All claims verified against official sources as of March 2026.

Related Reading

• What Is Post-Quantum Cryptography? The Practitioner's Guide for CISOs and Security Architects - The foundational explainer on PQC standards, algorithm families, and enterprise migration framing for security leadership.
• Harvest Now, Decrypt Later: Why Every Month of PQC Delay Is an Irreversible Security Decision - A deep operational treatment of the HNDL threat model and why inaction compounds retroactive exposure.
• What Is Crypto Agility and Why Every Enterprise Needs It Before 2030 - How to build the operational capability to migrate cryptographic dependencies systematically, using NIST's framework as the structural guide.
• FIPS 203, 204, and HQC Explained: What Security Architects Need to Know About NIST's Finalized PQC Standards - Algorithm-level detail on ML-KEM, ML-DSA, and HQC for architects evaluating implementation options.
• PQC Migration Cost: A Budget Framework for Finance Teams and CISOs - A phased cost model for translating CRQC threat awareness into a defensible migration budget.