Google's quantum computing team just published a paper that moves the timeline on breaking modern encryption forward by years.
The paper
The team compiled quantum circuits implementing Shor's algorithm that require fewer than 1,200 logical qubits to break ECDLP-256, the elliptic curve problem underpinning most public-key cryptography on the internet. Previous estimates required millions of physical qubits. Google's circuits need fewer than 500,000 — a 20-fold reduction.
The research is significant enough that Google chose not to publish full implementation details. Instead, they used zero-knowledge proofs to let third parties verify the results without revealing the circuit optimizations. It's a responsible approach to a dangerous finding. You can read their full write-up on the Google Research blog.
Why this matters beyond crypto
Google framed their disclosure around cryptocurrency, which makes sense — crypto wallets are the most obvious and immediate target. But elliptic curve cryptography protects far more than Bitcoin. It's the key exchange mechanism behind TLS, secure messaging apps like Signal, most password managers, and banking infrastructure. Virtually every HTTPS connection you make today relies on some form of ECC.
The shift from "millions of qubits" to "fewer than 500,000" compresses the timeline from abstract to concrete. Google themselves are now calling for migration to post-quantum cryptography by 2029. The U.S. government, through NSM-10, has set a 2030 deadline for federal agencies. These are not distant targets.
There's also the "harvest now, decrypt later" problem. State-level adversaries are already intercepting and storing encrypted traffic. They can't read it today. But when a sufficiently powerful quantum computer arrives, they'll decrypt the archive. For data with a long shelf life — medical records, financial data, personal credentials — the window to act isn't 2029. It was years ago.
The state of post-quantum cryptography
The tools to address this exist. NIST finalized its post-quantum standards in 2024, selecting CRYSTALS-Kyber (ML-KEM) for key encapsulation. Chrome, Cloudflare, and Signal have already deployed hybrid post-quantum key exchange in production. The standard approach is to pair a classical algorithm like X25519 with Kyber, so that a break in either one doesn't compromise the connection.
It's worth noting that symmetric encryption — AES-256, XChaCha20 — holds up fine against quantum attacks. Grover's algorithm halves the effective key length, but a 128-bit effective key is still well beyond reach. The vulnerability is specifically in asymmetric cryptography: RSA, ECDSA, ECDH. These are the systems Shor's algorithm targets, and they're the ones that need to be replaced.
Most vendors haven't migrated yet. If your password manager, cloud provider, or messaging platform doesn't have a post-quantum roadmap, that's worth asking about.
What we're doing at Locke
We use X25519Kyber768 for key exchange, the same hybrid approach adopted by Chrome and Signal. Kyber handles the post-quantum side, X25519 provides classical security, and a break in either algorithm alone doesn't compromise the exchange. For data at rest, we use XChaCha20-Poly1305 with Argon2id key derivation, both quantum-resistant by design.
We build on Cloudflare's CIRCL library for post-quantum primitives and libsodium for symmetric encryption. Audited, open-source libraries — not custom implementations.
We made this decision before the mandates, before this paper, and before most of our competitors started thinking about it. The harvest-now-decrypt-later threat was reason enough.
The takeaway
A 20x improvement in qubit efficiency is not incremental. It's the kind of result that moves a threat from "someday" to "soon." Google's 2029 migration timeline reflects what their own researchers see coming.
The question for everyone else is whether to migrate before or after it matters.