When you discover the lock on your front door isn’t as strong as you anticipated, a certain kind of dread sets in. Not yet broken. However, it is not as strong as promised. That’s about where the field of digital encryption is at the moment, as Google’s quantum researchers discreetly released figures that changed the discussion from “someday” to “sooner than you’d like.”
In early 2025, Google Quantum Research Scientist Craig Gidney published an estimate that reduced the anticipated quantum computing resources required to crack RSA-2048 encryption by a factor of twenty. According to his 2019 paper, the number was approximately 20 million qubits operating for eight hours.
| Category | Details |
|---|---|
| Organization | Google Quantum AI |
| Key Researcher | Craig Gidney, Quantum Research Scientist at Google |
| Chip Introduced | Willow (December 2024) |
| Previous Estimate (2019) | 2048-bit RSA factored in 8 hours using 20 million qubits |
| New Estimate (2025) | Same task achievable with under 1 million noisy qubits in under one week |
| Improvement Factor | 20-fold reduction in qubit requirements |
| Encryption at Risk | RSA-2048, Elliptic Curve Cryptography (P-256), Bitcoin’s 256-bit encryption |
| NIST Recommendation | Phase out vulnerable systems after 2030 |
| Google’s Migration Target | Post-quantum cryptography fully deployed by 2029 |
| IBM Target | 100,000-qubit quantum computer by 2030 (partnership: University of Tokyo, University of Chicago) |
| Quantinuum Target | Fully quantum-immune system by 2029 |
| Project 11 Bounty | 1 BTC (~$85,000) for breaking simplified Bitcoin encryption using a quantum computer |
| Cloudflare Target | Full post-quantum security, including authentication, by 2029 |
| Related Standard | NIST Post-Quantum Cryptography Standards (released 2024) |
Less than one million noisy qubits operating for less than a week makes the new math much more unsettling. same outcome. much more compact device. Although it doesn’t appear on front pages, this type of incremental update most likely ought to.
Even Gidney takes care not to trigger alarms needlessly. He has stated in public that people’s digital assets are still secure as of right now. However, there’s a catch to that assurance: the trajectory is what counts, and it’s pointing in a direction that needs careful consideration. The 2025 paper is proof that this compression is taking place in real time, and the difference between “safe for now” and “not safe anymore” has been closing more quickly than most of the security community anticipated.
When Google’s Willow chip was first unveiled in December 2024, it was already causing controversy. According to the company, it could solve a problem that would take ten septillion years for traditional supercomputers in five minutes.
The implications for Satoshi’s wallet, the hash rate of Bitcoin, and the entire architecture of trust supporting cryptocurrency markets were immediately calculated by critics. There were some alarmist computations. Most likely, some weren’t alarmist enough.
Gidney explains that raw hardware power wasn’t the only factor in the breakthrough. It resulted from improved thinking on two different fronts at the same time. In terms of algorithms, Google’s team discovered a way to calculate modular exponentiations—the complex mathematical operations at the core of RSA encryption—twice as quickly as before. That would have been important on its own. However, the team also discovered that by incorporating an additional layer of error correction, they could triple the density of logical qubits, effectively fitting more practical quantum operations into the same physical space.
Additionally, they used a method known as “magic state cultivation,” which increases the dependability of the unique quantum components needed for intricate operations without requiring additional resources. When you combine all of that, the machine required to crack contemporary encryption becomes much smaller.
It’s difficult to ignore the fact that independent research groups are coming to similar conclusions from various angles at the same time. According to a resource estimate released by Oratomic, a neutral-atom quantum computer could need as few as 10,000 qubits to crack P-256, the elliptic curve encryption commonly used to secure internet traffic.
That figure is startlingly low. Compared to the superconducting systems that most people associate with quantum computing, neutral-atom machines have superior qubit connectivity. According to Oratomic’s research, this advantage translates into error-correcting efficiency that no one had fully considered. Google has indicated that it intends to pursue neutral-atom approaches in addition to its current superconducting work, suggesting that it has taken notice.
In response to these developments, Cloudflare, which manages a large amount of the world’s internet traffic, changed its own post-quantum security deadline from 2030 to 2029. Although post-quantum encryption currently protects more than 65% of human traffic to Cloudflare, the company’s executives have been open about the fact that encryption is no longer sufficient.
The more pressing issue now is authentication, which is the process of confirming that a server or piece of software is who it says it is. A sufficiently powerful quantum computer doesn’t need to crack your data if it can forge cryptographic credentials. It can simply enter as you.
The elliptic curve cryptography used by Bitcoin is based on mathematical ideas that are structurally similar to RSA. A bounty of about $85,000 has been offered by Project 11, a research group focused on quantum computing, to anyone who can use a quantum computer to crack a simplified version of Bitcoin’s encryption.
Although the exercise is intended to monitor progress rather than pose an immediate threat to the network, they are testing keys that are much smaller than Bitcoin’s actual 256-bit encryption, ranging from one to twenty-five bits. Although it’s still unclear if this strategy will yield useful data before Q-Day, the endeavor itself shows how seriously some researchers take the timeline.
Last year, the National Institute of Standards and Technology published its post-quantum cryptography standards and suggested that susceptible systems be phased out after 2030. According to recent research from Google, the schedule might already be out of date. By 2030, IBM hopes to have a machine with 100,000 qubits. By 2029, Quantinuum hopes to achieve complete quantum immunity.
Although the industry is evolving, switching between cryptographic standards is not the same as updating software. Years of planning, third-party dependencies, legacy systems, credential rotation, and the unsettling fact that some organizations won’t begin until it’s almost too late are all part of it.
People in this field believe that the public discourse is significantly behind the technical reality. Google has made it clear that adversaries may already be gathering encrypted data today in anticipation of the eventual development of quantum computers with decryption capabilities.
This “harvest now, decrypt later” attack model has been identified by Cloudflare as an active issue rather than a theoretical one. The data that is currently being created in offices, on phones, and throughout financial networks might not last as long as the systems that safeguard it.
Some of the more concerning predictions might not come to pass on the timelines under discussion. In the short term at least, quantum computing has a long history of exceeding expectations. However, Gidney’s description of a 20-fold reduction in qubit requirements is supported by published math, not conjecture. It’s not really a question of whether encryption will eventually fail.
It concerns whether those in charge of safeguarding digital infrastructure will act quickly enough to replace it before someone with a quantum computer and malicious intent chooses to discover the precise moment the lock malfunctions.