The Deadline That Moved
They moved the deadline. Again. Only this time, they moved it forward.
In the quiet way that catastrophic infrastructure problems announce themselves — through whitepapers and blog posts rather than sirens — Google Quantum AI published a paper on March 31. It demonstrated that breaking the 256-bit elliptic curve cryptography protecting most of the internet requires roughly 20 times fewer quantum resources than previously estimated. Not a marginal improvement. A fundamental collapse in the assumptions underlying every timeline the industry was planning around.
Google's internal Q Day estimate — the point at which quantum computers can crack current encryption — shifted from "around 2035" to 2029. Three years from now. And Google isn't even the most aggressive estimate anymore.
Three Papers, Three Months, One Direction
The quantum threat timeline didn't shift gradually. It broke in three discrete steps over ninety days, each paper compounding the damage of the last.
Step one arrived in May 2025, when Google researcher Craig Gidney published a paper reducing the resources needed to factor RSA-2048 from 20 million physical qubits to fewer than one million. The techniques were elegant — approximate residue arithmetic, yoked surface codes, magic state cultivation — and they cut the previous best estimate by a factor of twenty. The cryptography community noticed. The broader tech industry did not.
Step two came in February 2026 from Iceberg Quantum, a Sydney-based startup that pushed the RSA-2048 estimate even further: fewer than 100,000 physical qubits, achieved by replacing surface codes with quantum low-density parity-check (QLDPC) codes. A hundred-fold reduction from the 2019 baseline. Their paper came with caveats — it required enhanced qubit connectivity and was validated through simulation rather than hardware — but the trajectory was unmistakable.
Step three landed on March 31, 2026, and this is the one that should have set off alarms in every CISO's inbox on the planet. Google Quantum AI, working with researchers from Stanford and the Ethereum Foundation, demonstrated that 256-bit elliptic curve cryptography — the specific algorithm protecting cryptocurrency wallets, TLS connections, SSH sessions, code signing, and virtually every modern authentication system — could be broken with fewer than 500,000 physical qubits in a matter of minutes. Not hours. Not days. Minutes.
The math is brutal in its specificity. Google compiled two quantum circuits implementing Shor's algorithm for the 256-bit elliptic curve discrete logarithm problem. The more efficient variant requires fewer than 1,200 logical qubits and 70 million Toffoli gates. The previous best estimate, from Litinski in 2023, required approximately 9 million physical qubits. Google's number: fewer than 500,000.
Here's the detail that should keep cryptographers up at night: ECC requires roughly 100 times fewer Toffoli gates than RSA-2048 — 70 to 90 million versus 6.5 billion. That's why the runtime collapses from "less than a week" for RSA to "approximately nine minutes" for ECC once a public key is exposed.
Nine minutes. Bitcoin's average block time is ten.
Google estimates a 41% probability that a primed superconducting quantum computer could derive a private key before a Bitcoin transaction is finalized. The same cryptographic primitive protects your bank's TLS certificates.
The Responsible Irresponsibility of Disclosure
In a move unprecedented for quantum cryptanalysis, Google chose not to publish the actual circuits. Instead, the team released a zero-knowledge proof — built using SP1 zkVM and Groth16 SNARK — allowing anyone to mathematically verify the resource estimates without gaining access to the attack implementation.
Google essentially told the world: "We can prove we know how to build the weapon. We're not releasing the blueprints. But here's a mathematical guarantee that we're not bluffing."
This is responsible disclosure applied to a threat that doesn't technically exist yet — no cryptographically relevant quantum computer (CRQC) currently operates. But the Google team understood something that most security announcements miss: the threat model isn't "can someone build this today?" It's "when someone can build this, how ready will we be?" And the answer, based on current migration rates, is: not ready at all.
The paper was co-authored with Justin Drake of the Ethereum Foundation — who called it "a momentous day for quantum computing and cryptography" — and Dan Boneh of Stanford. When the people building the systems that depend on ECC are co-authoring papers about breaking it, the signal couldn't be clearer.
The Migration Gap
Here's where the analysis becomes an infrastructure horror story.
NIST finalized its post-quantum cryptography standards in August 2024 — ML-KEM, ML-DSA, and SLH-DSA — providing standardized, vetted algorithms ready for immediate deployment. The NSA's CNSA 2.0 mandate requires quantum-safe systems for high-risk federal use cases by January 2027. An 18-nation EU statement calls for high-risk case migration by 2030. Google set its own internal deadline for 2029.
The standards exist. The mandates exist. The deadlines exist.
The migration does not.
A 2025 DigiCert survey of over 1,000 senior cybersecurity managers across the US, UK, and Australia found that only 5% of enterprises had quantum-safe encryption actually deployed. Five percent. A 2026 Entrust/Ponemon study offered a more generous reading — 40% of organizations reported "actively transitioning" to PQC — but that figure includes assessment and planning work. Having a plan is not the same as having migrated your TLS stack.
The gap between "standards available" and "infrastructure migrated" is where the actual damage occurs, and that gap is measured in years for organizations that start today. Migrating cryptographic infrastructure isn't patching a vulnerability. It's replacing the foundation while the building is occupied. Every TLS certificate, every SSH key, every code-signing chain, every VPN tunnel, every API authentication flow — all of it has to be identified, inventoried, updated, and tested. Most organizations don't even have a complete cryptographic inventory. They don't know where all their keys are.
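A first pass at the inventory step described above, as an added example that is not from the article or any project it cites: it parses OpenSSH public-key lines, reads the algorithm and key size from the key blob itself, and marks which keys rest on RSA or elliptic-curve math. It assumes `.pub`-style lines (`<type> <base64> [comment]`, no options prefix); `classify`, `inventory` and `sample_line` are hypothetical names, and the sample keys are constructed placeholders.

```python
import base64

def _read(blob, off):
    """Decode one RFC 4251 string at off; return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def classify(line):
    """Classify one '<type> <base64> [comment]' public-key line."""
    label, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read(blob, 0)
    alg = name.decode("ascii")  # the name inside the blob is authoritative
    if alg == "ssh-rsa":
        _e, off = _read(blob, off)
        n, off = _read(blob, off)
        family, bits = "RSA", int.from_bytes(n, "big").bit_length()
    elif alg.startswith("ecdsa-sha2-nistp"):
        curve, off = _read(blob, off)
        family, bits = "ECC", int(curve.decode()[len("nistp"):])
    elif alg == "ssh-ed25519":
        family, bits = "ECC", 256
    else:
        family, bits = "unknown", None  # unrecognised type: review by hand
    return {"alg": alg, "family": family, "bits": bits,
            "label_mismatch": label != alg,
            "shor_vulnerable": None if family == "unknown" else True}

def sample_line(alg, *parts):
    """Build a structurally valid line from placeholder bytes (not a real key)."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (alg.encode(), *parts))
    return f"{alg} {base64.b64encode(blob).decode()} constructed-sample"

# Constructed sample input: placeholder key material, not real keys.
SAMPLES = [
    sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256),
    sample_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64),
    sample_line("ssh-ed25519", b"\x22" * 32),
]

def inventory(lines):
    """One record per non-empty, non-comment line."""
    return [classify(l) for l in lines if l.strip() and not l.startswith("#")]

if __name__ == "__main__":
    print(*inventory(SAMPLES), sep="\n")
```

Every classical SSH key type lands in the vulnerable column; the value of the pass is the list of where those keys live and which algorithm each one uses.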
Industry analysts project the post-quantum cryptography market will exceed $15 billion by 2030. That number tells you two things: the migration is enormous, and most of it hasn't started.
The Nested Failure
Coherenceism calls this nested coherence — the principle that local systems align within larger patterns, and when a foundational layer shifts, everything nested above it inherits the disruption.
Every layer of digital security nests on the same cryptographic primitives. Your bank's website uses TLS certificates based on ECC. Your code deploys through CI/CD pipelines authenticated by SSH keys based on ECC. The certificate authorities that validate every website's identity use signing chains based on ECC.
It's not one system that needs migrating. It's every system, simultaneously, because they all share the same mathematical foundation — and that foundation now has an expiration date.
The alignment between discovery pace and infrastructure adaptation pace is breaking. Quantum computing research operates on academic timelines — papers, conferences, breakthroughs measured in months. Cryptographic infrastructure migration operates on enterprise timelines — procurement cycles, compliance reviews, testing windows measured in years. These two clocks are now running at fundamentally incompatible speeds, and the gap between them is where the risk accumulates.
What Happens in the Gap
The most likely outcome isn't a dramatic "Q Day" where quantum computers suddenly break the internet. It's something more insidious: a harvest-now, decrypt-later window that's already open.
Nation-state actors are almost certainly already collecting encrypted traffic — diplomatic communications, financial transactions, military data, corporate intellectual property — banking on the assumption that they'll be able to decrypt it within a decade. Every day that passes between now and PQC migration is another day of data that becomes retroactively transparent. The secrets encrypted today will be readable tomorrow, and "tomorrow" just got six years closer.
The classified material encrypted with 256-bit ECC has a shelf life. We just learned that shelf life is shorter than we thought.
Google's responsible disclosure approach — proving the capability without releasing the blueprints — buys time for the defensive side. But it doesn't change the fundamental arithmetic: three years is nothing in infrastructure migration terms, and the clock is already running.
The Uncomfortable Math
Three papers over three months:
- RSA-2048 went from requiring 20 million physical qubits to fewer than 100,000
- ECC-256 went from requiring 9 million physical qubits to fewer than 500,000
- The timeline went from "maybe 2035" to "possibly 2029"
These aren't competing estimates from different methodological camps. They're cumulative improvements building on each other. The trajectory is consistent and accelerating.
Meanwhile, 95% of enterprises haven't deployed quantum-safe encryption. Federal mandates have deadlines. Enterprise migration has aspirations.
The deadline moved. The infrastructure didn't.
I'd say start the countdown, but honestly? It started three months ago and most people just noticed.
Sources:
- Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly — Google Research Blog, 2026-03-31
- Q-Day Just Got Closer: Three Papers in Three Months Are Rewriting the Quantum Threat Timeline — The Quantum Insider, 2026-03-31
- Google Quantum AI Achieves 10x Reduction in Resources to Break Bitcoin's Cryptography — Post-Quantum, 2026-03-31
- Google Slashes Quantum Resource Requirements for Breaking Cryptocurrency Encryption — SecurityWeek, 2026-03-31
- The $15 Billion Post-Quantum Migration: NIST Standards Are Final, NSA Deadlines Are Set — PR Newswire, 2026-03-31
Source: Ars Technica (2 articles) — Two papers show 100x resource reduction for breaking ECC; Google bumps Q Day to 2029