The headlines said Q-Day is 2029. The actual story is that two different Google teams are pointing at the same year for different reasons — and conflating them makes the quantum threat look closer than it is.
image from grok
Google's 2029 post-quantum cryptography migration deadline is based on algorithmic improvements to RSA-2048 factoring (reducing qubit requirements from 20M to under 1M), not on actual hardware progress. While Google's Willow chip demonstrated below-threshold quantum error correction—a genuine milestone—the qubit counts in Gidney's paper assume conditions that don't yet exist, including 0.1% gate error rates and million-qubit machines. The accelerated timeline puts Google ahead of both NIST's deprecation schedule (2030-2035) and NSA requirements (2031), raising questions about whether this reflects genuine threat assessment or competitive positioning.
Google said 2029. The quantum computers don't exist yet.
That's the gap at the center of every breathless headline this week. The search giant's security team published a post-quantum cryptography migration timeline this month, setting 2029 as its target to move authentication services to post-quantum standards. The same week, a paper by Google quantum researcher Craig Gidney estimated that a quantum computer with under 1 million noisy qubits could factor RSA-2048 in less than a week — a 20x reduction from the 2019 estimate of 20 million qubits, and a staggering drop from the 1 billion-qubit estimate that was conventional wisdom in 2012. Project Eleven, a post-quantum crypto startup, sounded the alarm on X: Q-Day, they called it. 2029.
Here's the problem: Google's quantum computing team has been targeting 2029 for a useful, error-corrected quantum computer since CEO Sundar Pichai announced that goal at Google I/O in 2021. The Willow chip, unveiled in December 2024, demonstrated below-threshold quantum error correction for the first time — a genuine milestone. But below-threshold error correction is not the same as having a million-qubit machine. The paper assumes a 0.1 percent gate error rate, a surface code cycle time of 1 microsecond, and a 2D nearest-neighbor qubit grid — the same assumptions Gidney made in 2019. The qubit count dropped because the algorithm got better, not because any hardware materialized.
Brian LaMacchia, who ran cryptography at Microsoft before founding his own security consultancy, put it plainly: "That is certainly a significant acceleration of the public transition timelines we have seen to date, and is accelerated over even what we have seen the US government ask for." His actual question — the one the headlines skipped — was "what is motivating them?" The NSA's deadline for PQC readiness in national security systems is 2031. NIST plans to deprecate legacy algorithms by 2030 and fully disallow them by 2035. Google is ahead of all of those timelines. Whether that's genuine threat awareness, competitive positioning, or a warning shot at the quantum computing program is genuinely unclear from the outside.
The algorithmic advances that made the qubit count drop are real, though. Gidney's 2025 paper achieves its efficiency through three improvements: approximate residue arithmetic, borrowed from Chevignard, Fouque, and Schrottenloher's 2024 work; yoked surface codes for storing idle logical qubits, from a 2023 Gidney-Newman-Brooks-Jones paper; and magic state cultivation, from a 2024 Gidney-Shutty-Jones paper. Together they cut the Toffoli gate count by over 100x compared to the 2024 approach — down to roughly 6.5 billion gates. That's the real number. Running 6.5 billion gates at 1 microsecond per surface code cycle takes days. The paper is a genuine contribution to the field.
The question is what it means for 2029. The honest answer is: nothing yet. The attack requires a quantum computer that doesn't exist. The defense requires migrating to post-quantum standards that aren't universally deployed. Both are happening on different timescales, and conflating them is how you get headlines that terrify Bitcoin holders while the actual researchers are cautiously optimistic that the migration will land before the attack becomes feasible.
Speaking of Bitcoin: the cryptocurrency that most needs a post-quantum plan is the worst positioned to make one. Ethereum has been working on post-quantum cryptography transition for eight years, with a public roadmap and weekly devnet releases. Bitcoin has no equivalent coordinating body. As CoinDesk reported, Bitcoin's governance model makes coordinated response structurally harder — there's no Ethereum Foundation equivalent to treat the problem as a directive and build accordingly. Vitalik Buterin called for quantum urgency in October 2024, citing Scott Aaronson's increased confidence in medium-term quantum computing prospects. That was before Willow. The urgency has only grown.
The concrete action in the near term is device-level. Android 17 will support ML-DSA — a NIST-standard post-quantum digital signing algorithm — in its hardware root of trust, the secure enclave that anchors device security. That's the kind of deployment that actually moves the needle: not a conference talk about timelines, but cryptographic primitives shipping in hundreds of millions of devices. Project Eleven, the startup that put the 2029 frame in front of the public, raised a $20 million Series A in January led by Castle Island Ventures, with Coinbase Ventures participation. It's already collaborating with the Solana Foundation on post-quantum readiness planning. CEO Alex Pruden is a former U.S. Special Forces officer. He's not someone who issued a press release and hoped for the best.
The actual lesson from this week's coverage: a Google security team's internal migration deadline became a quantum decryption timeline because the numbers were close enough and the framing was available. The paper is serious. The threat is real. The 2029 date conflates a corporate planning horizon with a cryptographic emergency. Read the paper, check the qubit counts, and notice that Google's quantum team has been promising a useful quantum computer by 2029 since before any of this was written. That's the deadline worth watching — not the one from the security blog.
Story entered the newsroom
Research completed — 0 sources registered. Gidneys May 2025 arXiv paper (2505.15917) is the technical foundation: 20x qubit reduction (20M to under 1M) for RSA-2048 factoring using three algori
Draft (830 words)
Approved for publication
Headline selected: 2029 Crypto Deadline Has One Problem: No Machine That Can Break RSA
Published (830 words)
Get the best frontier systems analysis delivered weekly. No spam, no fluff.
Quantum Computing · 16h 32m ago · 2 min read
Quantum Computing · 17h 30m ago · 4 min read
