Technology

Google Says Encryption Breaks Within Years. Migrate by 2029.

New research slashes the qubit threshold for cracking today's encryption by 95 per cent. Banks, crypto networks, and every organisation running elliptic curve cryptography are on notice.

Google has set a 2029 deadline for post-quantum cryptography migration.

Editor

By Editor

Apr 8, 2026 · 6 min read

Google has given the industry a deadline, not a prediction: migrate to post-quantum cryptography by 2029, or accept the consequences of arriving late to a threat that will not wait for board approval.

TLDR

Google has moved its internal deadline for post-quantum cryptography migration to 2029, one year ahead of prior industry guidance. New research from Google's security team shows that breaking the elliptic curve cryptography protecting most blockchains and banking systems may require fewer than 500,000 physical qubits on a superconducting machine, down from earlier estimates of roughly 10 million. The attack runs in minutes once a capable machine exists. Quantum computers are nowhere near that threshold today, but the 2029 deadline is not a prediction of when one arrives: it is a recognition that migrating at scale takes years, and those years are running.

KEY TAKEAWAYS

01Google's internal PQC migration deadline is now 2029, one year ahead of the NIST-aligned 2030 guidance most of the industry still follows

02New circuit designs for Shor's algorithm reduce the physical qubit requirement for cracking ECDLP-256 to under 500,000, roughly a 20-fold reduction from prior estimates

03Every blockchain using elliptic curve signatures for transaction validation faces the same vulnerability: Bitcoin, Ethereum, and most DeFi infrastructure included

04Public blockchains face a coordination problem banks do not: upgrading cryptographic standards requires agreement across miners, validators, exchanges, custodians, and millions of wallet holders

05Android 17 ships with ML-DSA post-quantum digital signature protection; Chrome already supports PQC; Google Cloud has quantum-resistant options available now

The numbers behind that warning are stark. Google Research published new circuit designs showing a sufficiently advanced quantum computer could crack Bitcoin's elliptic curve cryptography in approximately nine minutes. Roughly four million Bitcoin sit at addresses where the public key is already exposed on-chain, making them theoretically attackable the moment a capable machine exists. At current prices, that exposure runs into the hundreds of billions of dollars. Google Cloud offers quantum-resistant key management today. Bitcoin has no agreed migration path.

Kent Walker, Google's president of global affairs, made the 2029 announcement in early 2026. Walker told journalists the goal is to provide "clarity and urgency" to drive faster industry-wide adoption of quantum-safe standards before the threat window narrows further. The infrastructure is "already available and deployable" for any organisation prepared to prioritise the migration, he said, directing the comment squarely at organisations that have treated this as a 2030 problem and done nothing.

Google Research disclosed two new circuit designs for Shor's algorithm targeting ECDLP-256. The research team's position is direct: "future quantum computers may break the elliptic curve cryptography that protects cryptocurrency." Circuit one needs "less than 1,200 logical qubits and 90 million Toffoli gates." Circuit two runs under 1,450 logical qubits and 70 million gates. That is a 20-fold reduction in the physical qubit requirement from prior estimates, achieved through circuit optimisation alone, without any advances in quantum hardware.

Google's security team said in its disclosure that "most blockchain technologies and cryptocurrencies currently rely on ECDLP-256 for critical aspects of their security." The word most is doing no heavy lifting there. The accurate word is essentially all. Google Research said the work was released while "balancing security awareness against providing bad actors with actionable intelligence," using a zero-knowledge proof designed so results "can be verified without providing a roadmap for bad actors."

What precisely will a crypto executive paid $500,000 per year in compensation do about a migration problem their protocol has no clean answer for? The Ethereum Foundation, Coinbase, and Stanford's Institute for Blockchain Research are all listed as Google's partners on this disclosure. None has published a concrete migration timeline.

Quantum Insider reporting in March 2026 found that Google's accelerated deadline reflects updated modelling of hardware progress, not a single breakthrough event. Efficiency gains in Shor's algorithm implementations compound with each improvement in quantum error correction, and what looked like a decade-away problem two years ago now looks like five. In two more years, it may look closer still.

Bruce Schneier, writing on his security blog in April 2026, said the push reflects sound cryptographic practice. "Crypto-agility is always a good thing," Schneier said. Organisations able to swap cryptographic primitives without rebuilding their entire stack are more resilient in every threat scenario, quantum or otherwise.

NIST finalised three post-quantum standards in 2024: ML-KEM, ML-DSA, and SLH-DSA. Google Chrome already runs post-quantum key exchange. Android 17 ships ML-DSA digital signatures as default. The key point is not when a capable quantum machine arrives. The key point is that migration at enterprise scale takes three to five years, and a bank with cryptographic dependencies across payment rails, core banking systems, authentication layers, and API gateways cannot execute a post-quantum transition in a quarter. Most cannot do it in two years even starting today.

Google has given the industry the clearest signal it can deliver without publishing a functional attack. The organisations acting now will be ready by 2029. The ones waiting will be explaining to their boards why they did not.

FREQUENTLY ASKED QUESTIONS

When will quantum computers actually be able to break today's encryption?

No one knows precisely, and Google is not claiming they will break it by 2029. The 2029 deadline is a migration target, not a threat forecast. The research shows the qubit threshold for an attack has dropped sharply, from roughly 10 million physical qubits to under 500,000. Quantum hardware is nowhere near that today, but progress has been faster than most models expected two years ago.

Is Bitcoin at immediate risk from quantum computers?

No, not today. Quantum computers capable of running the relevant attacks do not yet exist. The longer-term risk is real: roughly four million Bitcoin sit at addresses where the public key is exposed on-chain, making them theoretically vulnerable to a future quantum attacker. The coordination challenge of migrating Bitcoin's signature scheme to post-quantum cryptography before that threat materialises is an open and largely unresolved problem.

What should businesses do right now?

Start with an inventory of where elliptic curve or RSA-based cryptography sits in your stack: authentication systems, digital signatures, TLS certificates, hardware security modules. NIST published three post-quantum standards in 2024 (ML-KEM, ML-DSA, SLH-DSA). Most major cloud providers now offer PQC-compatible key management options. Migration is not a single project: it is a multi-year programme, and the organisations starting now will be the ones finished before the threat window closes.

Why does Google say digital signatures matter more than encrypted data?

Data encrypted today can be harvested now and decrypted later when quantum hardware catches up: the store-now-decrypt-later attack. That is a real risk for long-lived secrets. Google's more urgent concern is signatures. A compromised signing key lets an attacker impersonate a trusted entity or distribute malicious software updates. That attack does not require harvesting old data. It works the moment the attacker has a capable machine, and the damage can be instantaneous.