The Quantum Reckoning
The Rollover of Digital Proof
The market is waiting for Q-Day. The state has already started the rollover. The asset being repriced is not encryption. It is proof: the certificates, signatures, credentials, firmware roots, payment instructions, and legal records that civilization still needs to trust after the old public-key notary expires. Trust-duration is the liability. Proof-rollover capacity is the asset. The deficit between them is what reprices.
By Shanaka Anslem Perera June 22, 2026
Zero
The most important number in the security of the internet this year is zero.
In a measurement study of 32,011 live domains conducted in June 2026, researchers found that 49.3 percent supported hybrid post-quantum key exchange. That is the more deployable half of the migration, and it is moving. In that measured sample, the hard half had not yet reached live certificate deployment. The number of domains serving a hybrid post-quantum certificate, the cryptographic proof that the server on the other end is who it claims to be, was zero. Not a low single digit. Zero. And 15.70 percent of them, concentrated in banking and government, were still negotiating a version of the transport protocol that predates the entire post-quantum era.
That contrast is the whole thesis in a single snapshot. The internet is bolting its doors against a burglar who has not yet arrived. It has done almost nothing about the fact that the burglar, when he arrives, will not need to pick the lock. He will forge the deed.
It is the error at the center of almost every conversation about quantum computing and money, and it is an expensive one. The market has been trained to watch for a single dramatic event, the arrival of a machine large enough to break the mathematics underneath modern encryption, the moment the industry has taken to calling Q-Day. Capital is positioned for that event. Valuations are priced against it. Research desks model its probability the way they model a binary catalyst. And the frame is wrong, not because the machine is impossible, but because the machine is not the variable that decides when value moves.
The variable that decides when value moves is already visible, already dated, and already binding. It is the gap between how long the world needs its secrets, signatures, certificates, credentials, and records to remain trustworthy, and how fast the institutions that depend on them can actually replace the cryptography underneath. That gap has two sides. The liability is trust-duration. The asset is proof-rollover capacity. The deficit between them is what reprices.
The machine can stay distant. The proofs are already expiring.
The Two Clocks
There are two clocks running on the quantum transition, and the market is staring at the wrong one.
The first is the hardware clock, and on the builders’ own published numbers it is genuinely distant. IBM, which has one of the clearest public fault-tolerance roadmaps in the industry, targets its first fault-tolerant machine, Starling, in 2029: 200 logical qubits running circuits of 100 million gates. Its successor, Blue Jay, is slated for after 2033 and targets roughly 2,000 logical qubits, closer to the logical-qubit scale relevant to public-key cryptanalysis but still not, by itself, a demonstrated cryptographic break. In June 2026, QuEra and Amazon Web Services announced Libra, targeting 2028 as a Megaquop-scale fault-tolerant system capable of one million quantum operations over hundreds of logical qubits.
Set those numbers against the published attack estimates. Google Quantum AI’s March 2026 elliptic-curve paper estimates that 256-bit elliptic-curve discrete logarithms, the mathematical problem behind secp256k1 and other widely deployed elliptic-curve systems, can be attacked with either fewer than 1,200 logical qubits and fewer than 90 million Toffoli gates, or fewer than 1,450 logical qubits and fewer than 70 million Toffoli gates. Craig Gidney’s 2025 estimate puts the factoring of RSA-2048 below one million noisy physical qubits in under a week, under explicit assumptions. These are not machines. They are papers. But they matter, because the theoretical attack surface is compressing while the public roadmaps still point to machines built for scientific fault tolerance rather than deployed cryptanalysis. The logical-qubit requirement alone, more than 1,200, sits roughly six times above the 200 logical qubits scheduled for 2029. No institutionally meaningful key has been broken on fault-tolerant hardware as of this writing, and on public roadmaps the machines scheduled for 2028 and 2029 do not yet show institutionally meaningful public-key-breaking capability.
So the skeptics are right about the hardware. They are simply answering the wrong question. The honest timing conclusion is the only one the evidence supports. The hardware clock is moving. It has not yet struck.
The second clock has nothing to do with qubits. It is the regulatory clock, it is not stochastic, and it is already inside the window. It runs on calendar dates written into procurement law.
On 1 January 2027, the United States National Security Agency’s Commercial National Security Algorithm Suite 2.0 requires that new acquisitions for national security systems be compliant with the suite, unless otherwise noted, with non-compliant equipment to be phased out by the end of 2030. On 21 September 2026, FIPS 140-2 module validations move to historical status, creating a procurement cliff for federal buyers and vendors still relying on the older validation regime. This June, France’s national cybersecurity agency announced that from 2027 it will stop certifying security products that lack quantum-resistant encryption, and that it expects businesses to buy only quantum-safe products by 2030, with its approval required for French government and critical-infrastructure use. The agency’s chief of staff put it without euphemism. It is not only a technical issue. It is a matter of governance, industrial planning, regulation, and sovereignty. The United States Office of Management and Budget has required federal agencies, since 2022, to maintain an annual inventory of quantum-vulnerable systems through 2035, and to flag specifically any data that, if captured now and decrypted later, would still be sensitive in 2035, including its time-to-live characteristics.
A government wrote the thesis down before any analyst did. The state has stopped asking when the machine arrives. It is regulating a duration mismatch.
This is the temporal arbitrage, and it is the most actionable line in this briefing. The market over-focuses on the hardware clock, which is uncertain, and underprices the regulatory clock, which is near and dated. A product does not need to be broken to lose its value. It needs only to become uncertifiable. Certification is a binary gate, structurally identical to a credit-rating downgrade or the loss of a license. It excludes a supplier from the contract regardless of how good the underlying product is. And the first wave of that exclusion is already inside the next three to twelve months, depending on the gate, written in ink, indifferent to whether a quantum computer exists.
The arithmetic is merciless. The machine is the headline. The calendar is the catalyst.
The Notary, Not the Lock
The thing the world is failing to migrate did not become a lock. It became a notary.
Over three decades, a narrow set of mathematical assumptions, RSA and the elliptic curve, quietly became the layer of civilization that attests to identity, ownership, software provenance, legal evidence, settlement instructions, and authority. When your browser trusts your bank, a certificate notarizes that trust. When a software update installs without warning, a signature notarizes its origin. When a custody record holds in a dispute, a cryptographic proof notarizes the chain. The world did not merely encrypt with these assumptions. It built the digital system of record on them.
And here is the bifurcation the consensus misses. The quantum threat does not arrive through one door. It arrives through two, and they are on completely different timelines.
