Google dropped a bombshell in March 2026: quantum computers could break the elliptic-curve cryptography protecting most of the internet with just 1,200 logical qubits and 500,000 physical qubits—a 20-fold reduction in resources compared to estimates from May 2025. Three major research papers published in the past three months have rewritten the quantum threat timeline, compressing “Q-Day” from a distant theoretical concern to a concrete infrastructure planning crisis. The Global Risk Institute now estimates a cryptographically relevant quantum computer is “quite possible within 10 years, likely within 15 years.” But here’s the urgent reality developers must understand: the threat isn’t future-tense. State actors are already collecting your encrypted data today through “harvest now, decrypt later” attacks, betting they’ll crack it when quantum computers arrive.
The Timeline Just Compressed Dramatically
Google’s research team published two quantum circuits implementing Shor’s algorithm for ECDLP-256 that execute on a superconducting qubit system with fewer than 500,000 physical qubits in minutes. This is an approximately 20-fold reduction in the number of physical qubits required compared to previous estimates from just 10 months earlier. Combined with Craig Gidney’s 2025 result showing RSA-2048 requires under one million physical qubits, the quantum computing resources needed to break modern encryption have dropped by an order of magnitude in less than a year.
This matters because RSA, elliptic curve cryptography, and Diffie-Hellman—the cryptographic foundations of TLS, VPNs, digital signatures, and blockchain—are all vulnerable to Shor’s algorithm, which solves the integer factorization and discrete logarithm problems in polynomial time on a quantum computer. The encryption securing your bank transactions, healthcare records, and government communications relies on math that quantum computers can break exponentially faster than classical computers.
The narrative has shifted from “quantum computers might someday threaten encryption” to “a cryptographically relevant quantum computer is quite possible within 10 years.” That’s not a theoretical timeline. That’s infrastructure planning reality.
The Threat is Already Operational
“Harvest now, decrypt later” (HNDL) is exactly what it sounds like: state actors and advanced persistent threat groups are collecting encrypted data today—even though they can’t decrypt it yet—to store and decrypt when quantum computers become available. Palo Alto Networks states bluntly: “It’s widely accepted that we are already in the midst of the data harvest stage, as many sophisticated attackers are well aware of the upcoming availability of quantum computing.”
Any data with a 10+ year sensitivity timeline is at risk right now. Financial records, medical data, intellectual property, government communications—all vulnerable. If you encrypted sensitive data in 2026 and a cryptographically relevant quantum computer arrives in 2036 (well within the Global Risk Institute’s “likely within 15 years” estimate), that data becomes readable to anyone who harvested it. The threat isn’t when quantum computers arrive. The threat is the moment sensitive data hits the wire encrypted with RSA or ECC.
This reframes the entire problem. Organizations can’t wait for quantum computers to appear before migrating to post-quantum cryptography. The clock is ticking on data being transmitted and stored today.
NIST Standards Exist, But Migration Takes Years
NIST finalized three post-quantum cryptography standards in August 2024 after an eight-year global competition evaluating 82 algorithms from 25 countries. The solutions exist: ML-KEM (CRYSTALS-Kyber) for key exchange, ML-DSA (CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (SPHINCS+) as an alternative signature scheme. These lattice-based and hash-based algorithms are believed to resist both classical and quantum attacks.
Here’s the brutal timeline reality: enterprise migration to post-quantum cryptography takes 5-7 years for small organizations, 8-12 years for medium enterprises, and 12-15+ years for large organizations. IoT devices with 10-20 year operational lifespans that lack over-the-air update capabilities require physical field replacement. Financial networks need synchronized upgrades across thousands of participating institutions—a single laggard blocks everyone from fully retiring classical cryptography. Organizations starting migration in 2026 complete somewhere between 2031 and 2041.
Do the math: Q-Day “likely within 15 years” means 2036-2041. Migration completion for large enterprises starting now: 2038-2041. That timeline isn’t comfortable—it’s collision course.
Regulatory Pressure is Accelerating
The U.S. government mandates all new National Security Systems be quantum-safe by January 2027—eight months from now. Google announced a timeline for full post-quantum cryptography migration by 2029, and Cloudflare is targeting the same year. These aren’t aspirational goals—they’re commitments that set industry benchmarks.
Federal contractors must comply with the NSS mandate or lose access to classified systems. Commercial organizations lagging behind Google and Cloudflare risk competitive disadvantage when customers start asking “is your infrastructure quantum-safe?” in vendor assessments. The pressure isn’t purely technical—it’s regulatory and commercial.
What Developers Should Do Now
First, audit your cryptographic inventory. Identify everywhere RSA, ECC, and Diffie-Hellman are used: TLS configurations, digital signatures, certificate authorities, VPN endpoints, database encryption, API authentication. Many organizations don’t have complete visibility into embedded cryptography in third-party libraries, firmware, and legacy applications.
Second, learn the NIST post-quantum standards. Understand ML-KEM for key exchange and ML-DSA for digital signatures. The Open Quantum Safe project provides liboqs, a C library implementing NIST-standardized algorithms, and integration guides for TLS, SSH, and other protocols. This isn’t theoretical study—these are the algorithms you’ll be implementing.
Third, test hybrid cryptography in non-production environments. Hybrid approaches combine classical and post-quantum algorithms, protecting against both traditional and quantum attacks while maintaining backwards compatibility. Measure performance impacts: PQC algorithms have larger key sizes and different computational characteristics than RSA and ECC.
Fourth, plan migration timelines based on your organization’s size and complexity. If you’re in a large enterprise and haven’t started planning, you’re already behind the urgency curve. Small organizations have a 5-7 year window. Large organizations need 12-15+ years. The 2029 benchmarks set by Google and Cloudflare are aggressive but achievable—if you start now.
The Bottom Line
Google’s March 2026 research compressed the quantum threat timeline from “someday” to “within a decade, likely within 15 years.” But the harvest-now-decrypt-later threat means the attack is already underway—state actors are collecting encrypted data today. NIST standards provide the solution, but migration takes years and organizations starting in 2026 complete between 2031-2041, uncomfortably close to the likely Q-Day window.
The cryptography securing the internet is on borrowed time. The question isn’t whether to migrate to post-quantum cryptography. The question is whether you start now or wait until Q-Day announcements force panic migrations with insufficient planning. Developers who understand the timeline and start preparing today will navigate the transition smoothly. Those who wait will scramble.
