Google warns quantum computers could hack encrypted systems by 2029 - The Guardian

Google said on March 26 that quantum computers could break the RSA-2048 encryption protecting much of the internet by 2029. The same day, Google released ML-DSA post-quantum digital signatures in Android 17, integrated into the hardware root of trust. This is a neat trick: announce the threat, sell the solution. The question worth asking is who benefits from that timeline.

The cryptographic threat is real, in theory. In 2019, breaking RSA-2048 with a quantum computer was estimated to require roughly 20 million noisy qubits. A May 2025 paper by Google researcher Craig Gidney, posted to arXiv, revised that estimate down to under 1 million noisy qubits capable of factoring a 2048-bit RSA integer in under a week. The improvement comes from better quantum circuits and algorithmic efficiency — Gidney optimized the modular exponentiation operations at the core of Shor's algorithm. That is a genuine theoretical reduction in the hardware requirements for cryptographically relevant quantum computation. The paper is real. The number is smaller. The threat is not imminent.

The gap between 1 million noisy qubits and any machine in existence is the entire story. IBM's Osprey, announced in 2022, has 433 physical qubits. Google's Willow chip, unveiled in December 2024, demonstrated below-threshold error correction on 105 qubits — an important result for the long road to fault-tolerant quantum computing, but Willow is not Osprey, and neither is close to 1 million noisy qubits with the fidelity required for Shor's algorithm on RSA-2048. Current physical error rates, in the range of 0.1 to 1 percent per gate, would require thousands of physical qubits per logical qubit — pushing the true hardware requirement to hundreds of millions of physical qubits even with error correction. The 1 million figure in Gidney's paper assumes gate fidelities that no current system achieves.

The timeline estimates from intelligence and independent experts paint a different picture than Google's blog post. The U.S. National Security Agency currently adheres to a 2031 deadline for post-quantum migration, according to Ars Technica. The UK's National Cyber Security Centre has advised organizations to prepare by 2035. Leonie Mueck, vice president of quantum hardware at Riverlane, a quantum error correction company, told The Guardian that most credible timelines for a cryptographically relevant quantum computer range from the 2030s to the 2050s. Those estimates are not optimistic projections — they reflect the gap between what current hardware does and what cryptographically relevant computation requires.

Brian LaMacchia, a cryptography engineer who oversaw Microsoft's post-quantum transition from 2015 to 2022 and now works at FARCaster Consulting Group, called Google's 2029 timeline a significant acceleration over even what the U.S. government has publicly asked for, according to Ars Technica. He did not speculate on what was motivating the acceleration. That question — who benefits from a tighter Q-Day deadline — is worth sitting with.

The harvest-now-decrypt-later threat is not hypothetical. Intelligence agencies have been harvesting encrypted communications for future decryption for more than a decade, as Mueck confirmed to The Guardian. Governments and financial institutions treating this as an active threat rather than a theoretical one are not being irrational. The threat model is real. The timeline is contested.

If Q-Day is 2031, enterprises face a narrow window to migrate before encrypted data becomes readable. If it is 2050, organizations that rushed migration absorb performance costs — slower signatures, larger keys, compatibility overhead — for a problem that arrived decades late. The 2029 date from Google aligns neatly with the release schedule of Android 17 and the broader deployment of ML-DSA across Google's cryptographic ecosystem. The urgency and the solution come from the same vendor. That is not automatically suspicious. It is worth noticing.

The practical implication for enterprises building or maintaining systems that handle sensitive data is not new: the migration to post-quantum cryptography is already underway, and it is slower than the threat narrative suggests. NIST finalized its first post-quantum cryptographic standards in 2024. Google's Android 17 integration is a real deployment of those standards at scale. The threat is genuine. The timeline for that threat arriving remains a forecast, not a measurement. The difference matters for how urgently organizations should act — and for who profits from telling them to act now.