Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major technology and security publications.
Google announced last week that it is targeting 2029 for a complete migration to post-quantum cryptography โ six years ahead of the U.S. government’s 2035 benchmark. In a blog post authored by VP of Security Engineering Heather Adkins and Senior Staff Cryptography Engineer Sophie Schmieg, the company warned that “the encryption currently used to keep your information confidential and secure could easily be broken by a large-scale quantum computer in coming years.”
The timeline isn’t arbitrary. Three papers published over three months have dramatically rewritten the math on how powerful a quantum computer needs to be to crack today’s encryption.
The Qubit Threshold Is Falling Fast
Breaking RSA-2048 โ the encryption underpinning most of the internet’s secure communications โ was once estimated to require hundreds of millions of physical qubits. In 2019, Google researcher Craig Gidney put the number at 20 million. In May 2025, Gidney revised that estimate to fewer than one million, a 20x reduction achieved through advances in error correction and arithmetic techniques.
Then in February 2026, Sydney-based Iceberg Quantum published an architecture estimating fewer than 100,000 physical qubits would be sufficient โ another 10x reduction, though validated only through simulation.
Google followed in March with its own research on elliptic curve cryptography โ the algorithm securing Bitcoin, Ethereum, and most digital signature systems. The finding: fewer than 500,000 physical qubits could break ECDSA-256 in approximately nine minutes. Ryan Babbush, Director of Quantum Algorithms Research at Google, and Hartmut Neven, VP of Engineering at Google Quantum AI, described this as “an approximately 20-fold reduction in the number of physical qubits required.”
For context, Google’s current Willow chip has 105 qubits. A cryptographically relevant quantum computer remains a significant engineering challenge. But the gap is narrowing faster than anyone expected.
The Threat That Already Exists
The most immediate concern isn’t a future quantum computer โ it’s the data being harvested today. Intelligence agencies and sophisticated adversaries are widely believed to be executing “harvest now, decrypt later” strategies: intercepting and stockpiling encrypted communications with the expectation that quantum computers will eventually crack them open.
This makes the threat timeline deceptive. Data that must remain confidential into the 2030s is at risk now, regardless of when a cryptographically relevant quantum computer arrives. Former Riverlane Chief Product Officer Leonie Mueck put it plainly: “You need to have classified documents that are classified today in a way that a quantum computer in 10 years won’t be able to decrypt them.”
The Standards Are Ready. The Industry Isn’t.
NIST finalized three post-quantum cryptography standards in August 2024 โ ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA for hash-based signatures. The technical replacements exist. The migration is the problem.
A survey by the Trusted Computing Group found that 91% of businesses lack formal quantum-safe migration roadmaps. Most organizations haven’t inventoried which systems rely on vulnerable algorithms, let alone begun replacing them.
Google is already integrating ML-DSA into Android 17 and has built post-quantum support into Chrome and its cloud services. Apple announced quantum-secure key exchange for iOS 26 and macOS Tahoe at WWDC 2025. Microsoft is embedding post-quantum algorithms into Windows 11 preview builds and building a 50-logical-qubit machine with Atom Computing, targeted for early 2027.
NIST’s own timeline calls for deprecating quantum-vulnerable algorithms after 2030 and disallowing them entirely after 2035. Google is urging the industry not to wait that long. As Adkins and Schmieg wrote: “As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline.”
Not Everyone Agrees on the Deadline
Skeptics argue that Google’s 2029 target conflates its internal migration deadline with the arrival of a cryptographically relevant quantum computer. Mueck noted that most expert timelines for such a machine “range from the 2030s to the 2050s.” Current quantum devices operate with hundreds or thousands of noisy qubits โ far below the hundreds of thousands needed, and sustaining fault-tolerant computation at that scale remains an unsolved engineering problem.
Each algorithmic improvement that reduces the theoretical qubit requirement shifts the difficulty to harder physical engineering. The math is getting easier. The machines are not getting easier at the same pace.
But Google’s point isn’t that quantum computers will definitely break encryption by 2029. It’s that the migration itself takes years, and the harvest-now-decrypt-later threat is already real. Starting late is the actual risk.
Google recommends that engineering teams prioritize migrating authentication services first, and the company urged others to “follow suit” with their own 2029 targets.
Sources
- Google - Quantum Frontiers May Be Closer Than They Appear
- Google Research - Safeguarding Cryptocurrency by Disclosing Quantum Vulnerabilities Responsibly
- The Guardian - Google Warns Quantum Computers Could Hack Encrypted Systems by 2029
- The Quantum Insider - Q-Day Just Got Closer: Three Papers in Three Months
- CyberScoop - Google Moves Post-Quantum Encryption Timeline to 2029
- Hackread - Google Sets 2029 Deadline as Quantum Computers Threaten Encryption
- Help Net Security - Google Races to Secure Encryption Before Quantum Threats Arrive