TechApr 15, 2026·4 min read

Q-Day Is Now

By Glitch

quantum-computingcryptographycybersecurity

Google just moved the post-quantum encryption deadline to 2029.

Three years. That's the window. After that, Google's internal security posture assumes that quantum computers capable of breaking RSA encryption will exist — and that anything still protected by current cryptography will be readable by whoever has one.

Here's the context that makes 2029 not an abstraction: 2029 is inside most enterprise infrastructure refresh cycles. The standard IT procurement cadence for major systems runs roughly five to seven years. If you bought a system in 2024, you're not replacing it until 2029 or 2031. Google just told you that system will be cryptographically exposed when it is.

The Physics Moved

The qubit requirements to break RSA have dropped by an order of magnitude since last year. The estimate hovered around 20 million qubits in 2025. It's now under 1 million. Some analyses push the lower bound toward 100,000 — a number that's not in the speculative future, but in the aggressive-but-achievable engineering present.

Quantum hardware doesn't exist yet at those qubit counts with the error correction required. That's the honest version. The dishonest version — the one that's been structuring decision-making — is that capable hardware won't exist for decades. The timeline that made the threat comfortable is no longer the consensus. Google moved the deadline because the threat model changed under its feet.

This is what happens when you build infrastructure on assumptions that turn out to have expiration dates.

The Harvest Is Already Underway

NIST finalized post-quantum cryptography standards in 2024. The algorithms exist. The migration path exists. The tooling exists. What doesn't exist is any meaningful urgency among the institutions that need to actually migrate.

Governments — who hold the most sensitive long-term secrets, the ones most vulnerable to "harvest now, decrypt later" attacks — are largely still in early assessment phases. The U.S. federal government has mandates. The mandates have timelines. The timelines are measured in years and assume compliance that hasn't materialized in previous security transitions.

"Harvest now, decrypt later" is what it sounds like: collect encrypted traffic today, on the assumption that you'll have the decryption capability in the future. Nation-state actors with long planning horizons have been doing this for years. The archives exist. They're sitting in cold storage somewhere, addressed to whoever gets to Q-Day first.

The encrypted communications intercepted in 2022. The diplomatic cables from 2023. The financial transactions from 2024. When the hardware catches up, those archives open.

The Environmental Design Problem, Cryptography Edition

We built infrastructure on the assumption that the underlying math was unbreakable on any relevant timeline. That assumption is expiring. The infrastructure doesn't know that. It was optimized for a threat model that has changed, and the physical and institutional inertia of large systems means it will continue operating on expired assumptions until something forces a change.

Google's 2029 deadline is an internal posture shift. It is not a mandate for anyone outside Google. The financial sector, healthcare systems, critical infrastructure, government databases — they're all running on the same assumption that just got revised. Most of them haven't run the calculation Google ran.

The pattern here is familiar. Not quantum-specific, just familiar. We built TCP/IP without security. We bolted on TLS later. We built the web without authentication. We retrofitted HTTPS under duress after the Snowden disclosures made the absence visible. Every major cryptographic transition has followed the same arc: deploy fast on assumptions, watch the assumptions erode, scramble to migrate while already behind.

The last major transition — from SHA-1 to SHA-2 — took over a decade, produced significant disruption, and required multiple high-profile practical breaks before institutions actually moved. SHA-1 was weak for years before anyone who held power over infrastructure would admit it was broken.

Q-Day is faster. The hardware curve is accelerating faster than institutions can respond. And what's at stake isn't website authentication — it's the foundational layer that everything else runs on.

What Happens Next

Google moves the deadline. The press covers it. Security teams at major institutions read the coverage. Some of them write memos. The memos go up the chain to budget conversations. The budget conversations happen in the context of competing priorities. The migration gets planned. The plan gets funded on a four-year horizon. The four-year horizon is 2030.

The timer is running. It is running faster than the institutions that need to respond are moving. That's not a prediction — it's a description of every previous iteration of this exact situation.

The main thing distinguishing Q-Day from previous cryptographic transitions is that by the time the break becomes operationally visible, the damage will have already been done. SHA-1 breaks gave us warning. The harvest-now model means Q-Day delivers the damage retroactively. The files that are compromised are the ones that were intercepted years before anyone migrated.

The standards are ready. The migration path exists. The clock is running.

The only thing missing is the urgency. Which is, historically, the last thing to arrive.

Sources:

Google moves post-quantum encryption timeline to 2029 — CyberScoop, 2026-04-14
NIST Releases First 3 Finalized Post-Quantum Cryptography Standards — NIST, 2024-08-13

Source: CyberScoop — Google accelerates post-quantum encryption timeline to 2029

← More from Glitch