Citi Institute's new January report estimates that a single-day quantum attack on one top-five U.S. bank could trigger $2-3 trillion in GDP-at-risk. Google has said their Willow chip performed a computation that would take today's supercomputers 10 septillion years.
The contradictory narratives and numbers between risk managers at banks and Google “corporacademics” are causing a time-space collision. Understanding their differences matters for anyone planning a post-quantum migration.
Google Willow Explained
The “10 septillion years” figure comes from Random Circuit Sampling (RCS), which Google describes as “the classically hardest benchmark that can be done on a quantum computer today.” RCS was designed to demonstrate quantum computational advantage, not to solve practical problems. Think of it like the old bogoMIPS: “the number of million times per second a processor can do absolutely nothing.”
RCS does not factor large integers, solve discrete logarithms, or break any encryption standard. Google's own spokesperson hand-waved the BBC by suggesting that breaking RSA remains “at least 10 years out.” It's a prediction that they don't need to be called on yet.
The benchmark demonstrates genuine progress in quantum hardware, yet does not change any of our timelines for cryptographic threats. That being said, the buried lede is that Google thinks RSA-2048 is breakable soon, very soon.
Market Data Gives Context
The Citi report cites Kalshi prediction market data from January 12, 2026:
| Timeline | Probability of cryptographically relevant quantum computer |
|---|---|
| Before 2027 | 8% |
| Before 2030 | 39% |
| Before 2035 | 50% |
“Cryptographically relevant” means capable of breaking 2048-bit RSA using Shor's algorithm—the actual threat model, not synthetic benchmarks.
Eight percent probability by 2027 might sound reassuring. But Citi's analysis highlights why that framing misses the point:
“Q-Day is often treated as a future event. From a risk perspective, it is already here. Data stolen today can be decrypted later.”
Harvest-now, decrypt-later attacks don't require waiting for Q-Day. In fact, Q-Day is less “Y2K” and more “IPv6”, which means you might not even get to define a discrete turning point. Attackers require only that encrypted data remain valuable longer than classical cryptography remains secure. Medical records, trade secrets, and classified communications all already qualify.
Incredibly Shrinking Resource Estimates
In 2019, Google researcher Craig Gidney estimated that breaking RSA-2048 would require approximately 20 million physical qubits. His May 2025 analysis reduced that estimate to roughly 1 million qubits—a 95% reduction from algorithmic improvements alone.
Gidney's paper includes a notable conclusion:
“I agree with the initial public draft of the NIST internal report on the transition to post-quantum cryptography standards: vulnerable systems should be deprecated after 2030 and disallowed after 2035. Not because I expect sufficiently large quantum computers to exist by 2030, but because I prefer security to not be contingent on progress being slow.”
The G7 Cyber Expert Group's January 2026 roadmap aligns with this timeline, calling for critical financial systems to complete migration by 2030.
Actual Migration Needs to Happen Already
These timelines create a straightforward planning problem. Organizations need to know:
- Which systems currently rely on quantum-vulnerable cryptography
- Whether migration efforts are progressing or stalling
- How third-party dependencies affect their overall posture
Most organizations can answer the first question partially, as they know about their certificates. Fewer have been able to answer the second. Almost none are building sufficient visibility into the third.
The gap between point-in-time assessment and continuous posture monitoring is where migration plans fail. A scan tells you where you are. A trend tells you whether you'll finish in time.
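
One way to turn repeated scans into the trend described above, as an added example (not from the Citi report or any vendor's tooling). The scan counts are constructed, and reading "by 2030" as 1 January 2030 is an assumption.

```python
from datetime import date, timedelta
from math import ceil

START = date(2025, 1, 1)
# Constructed sample: (scan date, endpoints still on quantum-vulnerable key exchange)
SCANS = [(START + timedelta(days=d), n) for d, n in [(0, 1000), (100, 950), (200, 900)]]
DEADLINE = date(2030, 1, 1)  # assumption: "by 2030" read as 1 January 2030


def fit_trend(scans):
    """Least-squares line through (days since first scan, remaining count)."""
    if len(scans) < 2:
        raise ValueError("a trend needs at least two scans")
    t0 = scans[0][0]
    xs = [(d - t0).days for d, _ in scans]
    ys = [n for _, n in scans]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("scans must be taken on different days")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def project(scans, deadline=DEADLINE):
    """Project when the vulnerable count reaches zero and compare to the deadline."""
    scans = sorted(scans)
    slope, intercept = fit_trend(scans)
    t0, (last_day, last_count) = scans[0][0], scans[-1]
    days_left = (deadline - last_day).days
    result = {
        "observed_per_day": -slope,  # assets migrated per day so far
        "required_per_day": last_count / days_left if days_left > 0 else float("inf"),
        "remaining_at_deadline": max(0.0, intercept + slope * (deadline - t0).days),
        "finish": None,
    }
    if slope >= 0:  # count flat or growing: no finish date exists
        result["status"] = "stalled"
        return result
    result["finish"] = t0 + timedelta(days=ceil(-intercept / slope))
    result["status"] = "on_track" if result["finish"] <= deadline else "late"
    return result


if __name__ == "__main__":
    for key, value in project(SCANS).items():
        print(f"{key}: {value}")
```

With the constructed data, the latest scan alone looks like progress (900 of 1,000 remaining), while the fitted trend shows the observed rate falls short of the rate required to reach zero by the deadline.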