Quantum

Google Says Organizations Need Post-Quantum Cryptography by 2029

Google published a new assessment of quantum computing’s threat to encryption this week and the number they put on the table is 2029, which is the year they say organizations need to have completed their migration to post-quantum cryptography if they want to stay ahead of machines that can break the encryption protecting basically everything that moves on the internet right now.

The NSA’s guidance says 2031. The federal government’s official mandate says 2035. Google says sooner.

Somebody is wrong about this, and if it turns out to be the organizations planning around the more comfortable government timeline, then a lot of encrypted data that people assumed was safe is going to be readable by whoever gets to a powerful enough quantum machine first.

The Math That Moved

The original estimates for how hard it would be to break RSA-2048 encryption, which is the standard that protects most of the internet’s secure communications and also underpins the cryptographic security of every major cryptocurrency, were comforting for a long time. A 2012 analysis said you would need roughly a billion precise qubits to do it, and since current quantum computers have a few thousand noisy ones that can barely hold their state long enough to finish a calculation, Q-Day felt like a problem that belonged to someone else’s career.

Google’s updated research says those estimates were too generous. Their analysis now shows that a 2048-bit RSA integer could be factored in less than a week using a quantum computer with one million noisy qubits, not a billion precise ones but one million imperfect ones, and that is a dramatically different number that changes the entire conversation about how much time is actually left.

One million qubits is still far more than anyone has right now. IBM’s roadmap targets 100,000 qubits by 2033, and Google’s own hardware program is aggressive but not there yet. The thing about quantum computing though is that progress has never been linear in this field, it tends to move in sudden jumps where a new error correction method or architecture unlocks capabilities that were not on anyone’s projection spreadsheet the year before.

The Crypto Connection

In February we covered Iceberg Quantum’s claim that their Pinnacle architecture could make RSA-2048 breakable with fewer than 100,000 qubits, which would put the timeline even closer than what Google is suggesting. That claim has not been independently verified and should be treated with appropriate skepticism, but the direction of every revision in the last two years has been the same: the qubit counts keep getting smaller and the timelines keep moving in.

What makes this particularly consequential beyond the usual internet security discussion is that the same RSA and elliptic curve cryptography protecting web traffic is also what secures cryptocurrency wallets, blockchain transaction verification, and the entire mathematical foundation that makes decentralized finance possible. If post-quantum cryptography migration does not happen before capable machines arrive, the exposure is not just corporate data and government communications, it is the entire cryptographic layer that crypto and DeFi are built on, and unlike a bank that can reverse a fraudulent transaction there is no undo button on a blockchain.

Harvest Now, Decrypt Later

The scenario that security researchers talk about most often is not actually Q-Day itself but what is happening right now in the years before it arrives. Nation-states are reportedly collecting encrypted communications today with the plan to store them and decrypt them later once quantum machines are powerful enough, and while this is difficult to confirm with specific public evidence the logic is straightforward enough that multiple intelligence agencies have acknowledged the strategy exists.

Every year that organizations delay their migration to post-quantum cryptography is another year of intercepted data that becomes readable the moment a capable machine comes online, which means that even if Q-Day is 2035 instead of 2029 the data being collected right now is already compromised in every way that matters, it just has a time delay on when someone can open the envelope.

Why Google Might Be Saying This

It is worth being honest about the fact that Google has a commercial interest in accelerating post-quantum cryptography adoption, because they sell cloud infrastructure with PQC capabilities built in and they are developing quantum hardware, so setting an aggressive deadline also happens to create urgency around products and services that Google offers. That does not mean the deadline is wrong, but it is context that belongs in the conversation.

The NIST post-quantum cryptography standards, published as FIPS 203, FIPS 204, and FIPS 205, were finalized in August 2024, with ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures as the recommended algorithms. The algorithms exist, the implementations exist, and the migration path is documented. What does not exist is urgency at most organizations, many of whom have not even inventoried where they use classical cryptography, let alone started replacing it.

China reportedly expects to have its own post-quantum cryptography standards within three years, which suggests that at least one major global power is taking the shorter timeline seriously enough to build around it. And the U.S. government’s own CNSA 2.0 directive mandates that all new National Security System acquisitions must be post-quantum compliant by January 2027, which is even sooner than Google’s 2029 date, though that requirement only applies to classified government systems rather than the broader economy.

Google’s 2029 date might be aggressive, it might be self-serving, and it might be right all at the same time. The uncomfortable reality for everyone still planning around 2035 is that if Google and the researchers revising these estimates downward are even close to correct, the organizations that waited for the comfortable deadline are the ones who will be explaining to their boards why their encrypted data is now readable by anyone with access to a machine that did not exist when they decided not to worry about it yet.