
How Many Years of Shelf Life Does Your Password Still Have?

In late 2024, FBI Director Christopher Wray made a public statement about Salt Typhoon—a state-backed attacker that had infiltrated at least nine major U.S. telecom carriers, including AT&T, Verizon, and Lumen Technologies. The group maintained undetected access for one to two years. Its goal was long-term intelligence collection: call records, metadata, and in some cases the content of communications targeting senior government officials. Ransomware and financial theft were not the objective.

The FBI described it as “the most significant cyber espionage campaign in history.”

These attackers were collecting encrypted communications. They cannot read this data today, and they do not need to. They are waiting for quantum computers mature enough to break current encryption, at which point they will bulk-decrypt the traffic sitting in their archives. This strategy has a formal name: Harvest Now, Decrypt Later, or HNDL.

A joint advisory from NSA, CISA, and NIST warned about this as early as 2023. The UK’s NCSC reached the same conclusion in its 2023 annual review. The U.S. Federal Reserve went further in a September 2025 FEDS working paper, explicitly characterizing HNDL as a “present and ongoing threat.”


The Mental Model Most People Use Needs Updating

A common way of thinking about this goes: quantum computers are many years away. When they arrive, I will switch to new encryption.

This framing has problems on two levels.

First, it assumes the threat only waits at the finish line. HNDL is already active at the starting line. A March 2026 arXiv paper quantified its feasibility: data storage costs have dropped roughly 95% since 2010, global backbone traffic reached 68 exabytes in 2024, and nation-state actors are fully capable of intercepting and storing encrypted traffic at petabyte-to-exabyte scale. This is a cost-benefit calculation, and the result tilts toward “worth doing.”

Second, it assumes the defensive migration can wait until the threat is confirmed. Cryptographic migration has an engineering time constant that is nearly impossible to compress. SHA-1 took over 10 years to go from the discovery of a theoretical weakness (2005) to formal deprecation in TLS certificates. SSL/TLS went from NIST deprecation (2014) to PCI DSS mandate (2018)—four years of regulator-driven forced migration with clear deadlines and compliance penalties. Post-quantum cryptography (PQC) migration is far more complex than either: certificate chains inflate 50x (from 64 bytes for ECDSA to 3,293 bytes for ML-DSA), TLS 1.3 is a prerequisite (many enterprises are still on TLS 1.2), IoT and embedded devices lack the memory for new certificates, and hybrid deployment is itself a complex protocol and engineering problem.

Even if all standards were finalized and all vendors ready tomorrow, full migration would take at least 5-10 years. The migration timeline cannot be dramatically compressed, but the quantum computer’s arrival time can be pulled closer.


What Two Papers Changed in 2026

In March 2026, Google Quantum AI published a paper showing the minimum quantum resources needed to break 256-bit elliptic curve cryptography (ECC-256): fewer than 1,200 logical qubits and 90 million Toffoli gates, executable on a superconducting quantum computer in minutes. This means the physical qubits required dropped from roughly 20 million to under 500,000—about a 20x reduction.

On the same day, a collaborative team from Caltech and Oratomic published another paper showing that by leveraging the arbitrary (any-to-any) connectivity of neutral atom qubits, ECC-256 could be broken with as few as 10,000 qubits. The author list includes John Preskill, one of the most authoritative theoretical physicists in quantum computing.

The core implication of these two papers: the attack surface is shrinking not just through hardware breakthroughs, but through algorithmic optimization that is rapidly closing the safety window. Hardware teams build larger machines; algorithm teams make the same machines do more. Both fronts are advancing simultaneously.

The resource estimate curve tells the story:

2012: ~1 billion qubits → 2019: ~20 million → 2025: ~1 million → 2026: under 500,000, or as low as 10,000 with neutral atoms. Five orders of magnitude compressed in twelve years.

Even the way Google disclosed this paper sends a signal. The team did not publish the full quantum circuit. Instead, they used a zero-knowledge proof to validate their resource estimates, because the information was already considered a sensitive attack vector. The paper’s co-authors include Dan Boneh (Stanford, one of the world’s leading cryptographers) and Justin Drake (Ethereum Foundation). The cryptography community is engaged and taking this seriously.


Quantum Computing’s Biggest Skeptic Starts Sounding Alarms

Scott Aaronson holds the Schlumberger Centennial Chair of Computer Science at UT Austin, co-founded and co-directs its Quantum Information Center, and was elected to the U.S. National Academy of Sciences in April 2026. For two decades, he has been the person most likely to pour cold water on quantum hype—he invented complexity classes specifically to understand quantum computing’s limits and spent years correcting overblown claims from media and investors.

On April 30, 2026, the same day he was elected to the NAS, Aaronson published a blog post titled “Will you heed my warnings?”

He wrote: “Some of the most reputable people in quantum hardware and quantum error-correction—people whose judgment I trust more than my own on those topics—are now telling me that a fault-tolerant quantum computer able to break deployed cryptosystems ought to be possible by around 2029.”

Then this: “If quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post IS your warning.”

Aaronson is not alone in changing his stance. Filippo Valsorda, the maintainer of Go’s cryptography libraries and one of the most respected practitioners in the field, publicly wrote in April 2026 that his position had shifted over the preceding months. He acknowledged not understanding the quantum physics papers himself. But after assessing risk and listening to domain experts, his conclusion was that the “wait and see” window had closed and acceleration was needed.

His exact words: “I don’t actually know what all the physics in those papers means. That’s not my job, and it’s not my expertise.” But his job is not to evaluate quantum physics. His job is to assess and mitigate risk. In that framework, the signals were clear enough.


The Industry Is Already Acting

On March 25, 2026, Google’s VP of Security Engineering Heather Adkins and senior cryptographer Sophie Schmieg jointly announced an internal 2029 deadline for PQC migration. After the ECC paper was published on March 31, Cloudflare followed suit, moving its full PQC readiness target from the 2030s to 2029.

Google and Cloudflare did not coordinate. Two companies with access to the same data and the same papers independently arrived at the same conclusion. The 2029 target is not a market narrative or PR move. It is the risk assessment result from two infrastructure companies with the most advanced technical visibility in the industry.

Both companies emphasized a shift in threat priorities. The conventional view treats HNDL as a data decryption problem. Google and Cloudflare independently elevated authentication—digital signatures—above encryption in PQC migration priority. The reasoning: if a quantum computer can forge signatures, then code signing, firmware updates, TLS certificate chains, and blockchain transactions all fail simultaneously without warning. Encrypted data has a shelf life of years; forged signatures have permanent consequences.

Apple deployed PQ3 in iMessage in early 2024. Signal released SPQR (Triple Ratchet) in October 2025, adding a quantum-safe key agreement layer on top of its protocol. Cloudflare reports that over 65% of human TLS traffic already uses post-quantum hybrid encryption. AWS has offered ML-DSA signing keys in KMS since June 2025 and published a complete phased migration plan in April 2026.

The infrastructure layer is already migrating. When these cloud and platform layers complete their transition, will their customers be ready?


Where Most Enterprises Actually Stand

A Bain & Company survey from March 2026 found that roughly 71% of business executives expect quantum-enabled cyberattacks within five years, but only 9% of technology leaders report having a roadmap in place.

NIST’s NCCoE launched a PQC migration collaboration in 2022, bringing together 60+ organizations including AWS, Cloudflare, Google, Microsoft, JPMorgan Chase, HSBC, and Wells Fargo. The project is still in “reviewing comments” stage. Core operational guidance has not been published. Migration tooling and best practices are still under development.

A common point of confusion: when enterprises see Cloudflare’s 65% PQC traffic claim, they assume they are already protected. More likely, the CDN layer uses PQC, but traffic falls back to traditional ECDH/RSA when it reaches the enterprise’s WAF, load balancer, service mesh, corporate proxy, or B2B gateway. One layer of PQC coverage does not mean end-to-end security.

PQC introduces a concept called CBOM (Cryptographic Bill of Materials). Just as an SBOM tracks software components, a CBOM requires enterprises to systematically catalog every asset that uses public-key cryptography: certificates, keys, HSMs, cloud KMS, firmware signatures. A typical large enterprise may have tens of thousands of certificates and hardcoded keys spread across dozens of systems. Most enterprises do not have this inventory. Without it, there is no way to know when migration is complete.
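
A minimal sketch of what such an inventory lets you check, covering both the per-hop fallback problem and the CBOM idea above. This is an added example, not code from any of the organizations mentioned; the record layout, asset names and hop names are assumptions, and the algorithm labels are constructed sample input matched by simple substring.

```python
from dataclasses import dataclass

# Label fragments for public-key families that Shor's algorithm breaks.
CLASSICAL = ("RSA", "ECDSA", "ECDH", "X25519", "SECP", "DH", "ED25519")
# Fragments for the NIST post-quantum families (ML-KEM, ML-DSA, SLH-DSA).
POST_QUANTUM = ("MLKEM", "MLDSA", "SLHDSA")

@dataclass
class Asset:
    name: str       # key, certificate or TLS listener
    hop: str        # system or network hop where it is used
    use: str        # "kex" (key exchange) or "sig" (signature)
    algorithm: str  # label as reported by the scanner or config

def classify(algorithm: str) -> str:
    """Return 'pq', 'hybrid', 'classical' or 'unknown' for a label."""
    norm = algorithm.upper().replace("-", "").replace("_", "")
    has_pq = any(tag in norm for tag in POST_QUANTUM)
    has_classical = any(tag in norm for tag in CLASSICAL)
    if has_pq:
        return "hybrid" if has_classical else "pq"
    return "classical" if has_classical else "unknown"

def classical_kex_hops(assets):
    """Hops where recorded traffic stays exposed to harvest-now-decrypt-later."""
    return sorted({a.hop for a in assets
                   if a.use == "kex" and classify(a.algorithm) == "classical"})

def end_to_end_pq(assets):
    """True only if every key-exchange hop negotiates a PQ or hybrid group."""
    kex = [a for a in assets if a.use == "kex"]
    return bool(kex) and all(classify(a.algorithm) in ("pq", "hybrid") for a in kex)

def migration_backlog(assets):
    """Assets not yet PQ or hybrid, signatures first (the order the article reports)."""
    todo = [a for a in assets if classify(a.algorithm) in ("classical", "unknown")]
    return [a.name for a in sorted(todo, key=lambda a: a.use != "sig")]

# Constructed sample inventory; names and hops are illustrative.
INVENTORY = [
    Asset("cdn-listener", "cdn", "kex", "X25519MLKEM768"),
    Asset("lb-listener", "load-balancer", "kex", "ECDHE-secp256r1"),
    Asset("mesh-mtls", "service-mesh", "kex", "x25519"),
    Asset("cdn-leaf-cert", "cdn", "sig", "ECDSA-P256"),
    Asset("firmware-signing-key", "build", "sig", "RSA-3072"),
    Asset("kms-signing-key", "kms", "sig", "ML-DSA-65"),
]

if __name__ == "__main__":
    print("end-to-end PQ:", end_to_end_pq(INVENTORY))
    print("classical key-exchange hops:", classical_kex_hops(INVENTORY))
    print("backlog:", migration_backlog(INVENTORY))
```

In the sample, the CDN listener is hybrid, yet the path as a whole is not post-quantum because two inner hops still negotiate classical key exchange. Labels classified as "unknown" land in the backlog for manual review.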


The Strongest Counterarguments

This narrative faces several legitimate challenges.

The first is physical. Between Willow’s 105 qubits and a machine capable of breaking ECC lies a vast engineering gap. Quantum error correction overhead—currently requiring roughly 1,000 physical qubits to sustain one reliable logical qubit—has not been shown to scale down to 100:1. If this overhead stays high, even optimistic qubit growth leaves insufficient logical qubits for cryptanalysis.

The second is the Y2K analogy. Could this be another case of massive preparation for an event that never materializes? One possible reading is that preparation is exactly why nothing bad happened. But the failure modes are real: premature investment, over-investment, or migrating to a PQC algorithm that turns out to be immature.

In 2022, SIKE—a NIST Round 4 candidate algorithm—was broken by Castryck and Decru on a single-core CPU in about one hour. This was a sobering reminder: even algorithms that survive years of public review can harbor fatal flaws. ML-KEM (based on lattice cryptography) and SIKE (based on isogeny cryptography) rest on different mathematical foundations. Lattice cryptography has roughly a decade of public scrutiny and has received NSA endorsement for classified national security use. But SIKE turned “PQC algorithms might also have undiscovered weaknesses” from a theoretical possibility into a concrete precedent.

The third is opportunity cost. In the real-world threat landscape facing a CTO at a non-tech company, ransomware, supply chain attacks, and social engineering cause actual losses every year, while the quantum timeline carries genuine uncertainty. Shifting limited security budgets from these certain threats to PQC may leave the enterprise more vulnerable today.

These objections have merit. What they do not change are three converging lines: HNDL is already happening, migration has an irreducible engineering timeline, and algorithm-side progress is faster than hardware-side. Waiting for more information is an option, but continued delay removes the possibility of completing migration within the window that high-sensitivity data requires.


What to Do Now, What Can Wait

Do now:

Can wait:


When Scott Aaronson was asked in April 2026 why he changed his position, his answer was: “I just updated my judgment after seeing new data from 2025. Ten years ago, I estimated quantum computing would take decades. Now I look at the same evidence and think years.”

This is not a prediction that 2029 will be Q-Day. The timeline could still extend into the 2030s—if quantum error correction overhead proves higher than expected, if neutral atom deep circuits fail to verify, or if new classical algorithms bypass the need for quantum advantage. But the asymmetry is the key point: if a quantum computer arrives in 2029 and you wait until 2028 to begin preparing, you will not make it. If you start preparing now and the quantum computer arrives in 2038, your cost is limited to upfront crypto inventory and architecture upgrades.

HNDL changes the decision variable from “when will a quantum computer arrive” to “which parts of your data need to remain confidential for the next 10-15 years.” The answer to the second question is concrete, and it does not depend on your understanding of quantum physics.


Sources: Google Quantum AI ECC paper (arXiv:2603.28627) and responsible disclosure post (research.google/blog), Google 2029 migration announcement (blog.google), Cloudflare 2029 roadmap (blog.cloudflare.com), Scott Aaronson’s blog (scottaaronson.blog), Filippo Valsorda’s analysis (words.filippo.io), NSA/CISA/NIST joint advisory (nsa.gov), Federal Reserve FEDS working paper, HNDL feasibility arXiv paper (arXiv:2603.01091), Sotera Digital on Salt Typhoon (blog.soteradigital.com), Apple PQ3 (security.apple.com), Signal SPQR (signal.org), AWS PQC migration plan (aws.amazon.com), Bain/IBM PQC collaboration (consulting.us), and CoinDesk on Google 2029 and crypto migration (coindesk.com).