"Here, by leveraging advances in high-rate quantum error-correcting codes, efficient logical instruction sets, and circuit design, we show that Shor’s algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits."
That's physical, not logical qubits.
Nope. Firstly, for RSA you need to scale from 32 to 4096. Secondly, Shor requires N^2*log(N) quantum gates where N is the number of bits in the integer, so the scaling is superquadratic. And it's very much an open question whether QEC protocols will continue to work with the same efficiency on the required scales.
PQC is not defined as "being resistant to quantum attacks" nor does it necessarily have this property: PQC is just cryptography for which no quantum attack is known yet (for example even when no one has tried to design a quantum computation to break the cryptography). One cannot demonstrate that a specific PQC algorithm is resistant to quantum attacks, it is merely presumed until proven otherwise.
There should be some measure of competence-level-adjusted man-hours of cryptographers and mathematicians trying to swing their favorite hammers at the problem; in order to estimate this "quantum resilience".
Note: There are specific address types that are safer to use for long-term storage than others, such as Native SegWit addresses starting with `bc1q`. The newest Taproot type starting with `bc1p` is insecure because it directly encodes a "tweaked" public key into the addresses.
It's the only responsible thing to do.
This also has implications for a lot of PQC and QKD stuff that's based on static model assumptions...
Is this as wild a news as I think it is? I'm surprised I haven't yet seen more reactions to the 2029 migration timeline plan (proposed?).
And why do they think that the US government would care about securing cryptocurrencies? Aren't they designed to circumvent the government regulation?
This was the first of several articles coming out of Google: https://blog.google/innovation-and-ai/technology/safety-secu...
And the timeline for web migration is 2027 Q1: https://security.googleblog.com/2026/02/cultivating-robust-a...
And this was Sophie Schmieg’s talk at a cryptography conference this month (they lead PQC migration efforts at Google) tracking migration efforts and urging folks to prioritize signature migrations in lieu of accelerated quantum timelines: https://westerbaan.name/~bas/rwpqc2026/sophie.pdf
No
> why do they think that the US government would care about securing cryptocurrencies?
Our largest institutions manage tens of billions of dollars in cryptocurrency and the US government has designated currencies appropriate for the strategic crypto reserve.
> Why do they [not care] about the entire world's infrastructures that are based on RSA and elliptic curve algorithms, such as HTTPS
I'm sure they do. But if you had a working quantum computer that could a) get Satoshi's keys or b) read some emails, most people choose door a first. So it's both a smoke test and a high value target with an easy to assess dollar value.
> No
"No" is not exactly the right answer, the authors are explicit about this in the paper:
"We the authors attest that at the time of the initial arXiv and IACR ePrint publication of this article, none of us hold any short positions against any cryptocurrency assets. Some of us hold long positions in cryptocurrencies, including some that involve the use of post-quantum cryptography. The authors reserve the right to initiate any positions in these assets in the future."
https://www.brookings.edu/articles/the-rise-of-stablecoins-a...
[1] Here's my source and they should of course know https://fred.stlouisfed.org/series/MVMTD027MNFRBDAL
Tradfi has way more at risk... and the hardware/software that can't be upgraded that the financial system uses every day...
I think google is just a disgustingly large company lol, it's hard to talk about them "caring" about one thing but not another
This would leave holders who did not sign in two categories:
1) If you never sent a tx with an address, then you did not reveal your public key, and have some safety, e.g. you could do the PQ signature, wait, and be fine.
2) If you did, then you revealed your public key, and didn't bother to make the cutoff, and well, too bad.
There was a bunch of frankly dumb analysis about how long this would take the chain to process and how expensive it would be assuming that miners would all continue to enforce 10 minute blocks and transaction fees for these signature txs. I would be very surprised if the mining industry shot itself in the foot like that. The actual time to process 200mm or so new signatures just isn't that long. Hey we could do it on Solana if we needed to. That said, I imagine the papers this week plus Google moving up its timeline mean that there will be a concerted effort in Bitcoin land to get a real process down and tested in the next couple of years. Pretty cool.
Finally, I've read very little analysis about whether or not miners would choose to continue the energy dependent nature of mining, or try and move on. I think this is a pretty interesting economic question; I'm looking forward to finding out the answer. I expect mining will have a longer lead time than the signature problem - we're a long way from having Grover implementing SHA-256 as far as I know. And even then you still have 128 bits to deal with ONCE you get an equivalent amount of Grover-capable quantum compute out to the current ASIC ecosystem.
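Added example (not written by any participant in this thread): the `bc1q` versus `bc1p` distinction and the "revealed public key" categories discussed above come down to what the address itself encodes. This sketch decodes a native SegWit address per BIP173/BIP350 and reports whether it carries a hash or an output key. The function names are illustrative, and the two sample addresses are the published BIP test vectors, not anyone's wallet.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3  # BIP173 / BIP350 checksum constants
# Sample inputs: test vectors from BIP173 (v0) and BIP350 (v1).
SAMPLE_V0 = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
SAMPLE_V1 = "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"

def polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def decode_segwit(addr):
    """Return (witness_version, program_bytes); raise ValueError if invalid."""
    if addr.lower() != addr and addr.upper() != addr:
        raise ValueError("mixed case")
    hrp, sep, data = addr.lower().rpartition("1")
    if not sep or not hrp or len(data) < 7 or any(c not in CHARSET for c in data):
        raise ValueError("malformed bech32 string")
    vals = [CHARSET.index(c) for c in data]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # BIP350: witness version 0 uses bech32, versions 1+ use bech32m.
    want = BECH32_CONST if vals[0] == 0 else BECH32M_CONST
    if polymod(hrp_exp + vals) != want:
        raise ValueError("bad checksum for this witness version")
    acc, bits, prog = 0, 0, bytearray()
    for v in vals[1:-6]:  # skip version symbol and 6 checksum symbols
        acc, bits = (acc << 5) | v, bits + 5
        if bits >= 8:
            bits -= 8
            prog.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1) or not 2 <= len(prog) <= 40:
        raise ValueError("invalid padding or program length")
    return vals[0], bytes(prog)

def exposure(addr):
    """Return (output_type, key_in_address) for a native SegWit address."""
    version, prog = decode_segwit(addr)
    if version == 0 and len(prog) == 20:
        return ("P2WPKH", False)  # HASH160 of the key; key appears on spend
    if version == 0 and len(prog) == 32:
        return ("P2WSH", False)   # SHA-256 of the witness script
    if version == 1 and len(prog) == 32:
        return ("P2TR", True)     # 32-byte tweaked output key (BIP341)
    return ("unknown", False)
```

`key_in_address` describes only the address encoding; a `False` result says nothing about whether the key was later published by a spend from that address.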