Google dropped a bombshell yesterday. By 2029, they say, quantum computers will be powerful enough to crack RSA and Elliptic Curve Cryptography - the encryption that holds up the whole global economy. That's not some lab experiment anymore. It's a hard deadline for every engineer and security architect. You've got three years to get ready.
Why 2029? The physics behind the timeline
Google's Quantum AI lab has been making real progress. They've cracked quantum error correction and qubit scaling in ways that change the game. For years, everyone figured a cryptographically relevant quantum computer (CRQC) was decades away. Then, researchers showed they could suppress logical errors enough to run Shor's algorithm reliably. That algorithm can factor huge numbers and solve discrete logarithms fast - the exact math that keeps RSA and ECC safe.
The jump from those noisy, small quantum machines to error-corrected ones is happening faster than anyone predicted. Google's own numbers suggest we could have a machine that tears through a 2048-bit RSA key in about three years. When a company that actually builds quantum hardware gives you a warning that direct, you better believe it's real. That 2029 date is a hard stop for the old encryption.
The real threat: harvest now, decrypt later
The scary part isn't that everything will break down overnight in 2029. It's what's happening right now. Intelligence agencies and well-funded crime groups are scooping up encrypted data from banks, government agencies, hospitals. They don't need to break it today. They just stash it away and wait. When those quantum machines come online, they'll unlock every secret in their archives.
This means any data that needs to stay secret for more than three years is already at risk. Think trade secrets, medical records, or classified documents that have to be safe through 2030. The TLS 1.2 or 1.3 connections you're using now won't cut it. Migrating to post-quantum cryptography (PQC) should have started yesterday for that long-lived stuff. Every day you delay, you're feeding the data hoarders.
What to use: NIST standards and hybrid key exchange
Good news: the National Institute of Standards and Technology (NIST) finalized the new encryption standards in 2024. The big ones are ML-KEM (you might know it as Kyber) for key exchanges and ML-DSA (formerly Dilithium) for digital signatures. Google has already rolled out ML-KEM-768 in Chrome and their own internal traffic. These algorithms are based on lattice math - a type of problem that's tough for both classical and quantum computers.
Most experts are pushing a hybrid approach. Instead of betting everything on the new algorithms, they combine a classic key exchange like X25519 with a post-quantum one like ML-KEM. That way, if someone finds a flaw in the lattice math, the classical layer still protects you. And if the quantum threat shows up as predicted, the PQC layer can handle it. This dual setup is the standard in OpenSSL 3.x and BoringSSL now.
Why it's hard: crypto agility and big keys
Switching to PQC is way more complex than moving from SHA-1 to SHA-256. The new keys and signatures are huge. An ML-KEM-768 public key is 1,184 bytes, while an X25519 key is just 32 bytes. That extra size can break things - like causing packet fragmentation in QUIC or maxing out buffers in old load balancers and middleboxes.
You need what's called crypto agility: the ability to swap algorithms without rebuilding your whole system. That means hunting down every place where your code assumes a fixed key size or signature length. Many legacy systems will choke on a 2,420-byte ML-DSA signature. You've got to test these edge cases in staging before 2027, because those big payloads can also slow down handshakes and hurt latency.
What to do right now
First, figure out everywhere you use asymmetric cryptography. That's not just your public TLS certs but also internal service-to-service calls, code signing, and encrypted backups. Most companies find that their internal PKI is the hardest piece - old certificate authorities that don't support the new NIST IDs.
Start by enabling hybrid post-quantum key exchange at your edge nodes. AWS and Google Cloud already offer PQC options in their key management services and load balancers. For internal services, upgrade your BoringSSL or OpenSSL libraries to support ML-KEM. Your goal for the rest of 2026 is to make sure all data in transit has at least one layer of quantum-resistant math. That stops the harvest-now, decrypt-later threat while you work on the tougher job of updating identity keys and root certificates.
The bottom line
The 2029 date is real for anyone handling sensitive data. This migration will take years. If you wait until 2028 to start, you'll be trying to swap out your whole cryptographic skeleton under the gun of a looming collapse. The math is ready. The standards are set. And the quantum hardware is ramping up faster than expected. The only question left is whether your dependency trees and rotation policies can handle a complete replacement of the asymmetric stack.
Let's not forget: this is like the Y2K bug, but with actual mathematical teeth. The difference is, Y2K was a big date change. This is a whole new era of computing. The smart money is moving now. Are you?