Google just moved their own deadline. Maybe take the hint.
We’ve covered what post-quantum cryptography is and why it matters.
We’ve covered what Willow is and what it means for AI.
Now let’s put them together — because this is where it gets interesting.
And by interesting, I mean: the company building the most advanced quantum chip on the planet just accelerated their internal encryption migration deadline to 2029.
Let that land for a second.
The attacker is telling you when to build the wall.
Why Willow Doesn’t Break Encryption. Yet.
Let’s be precise about this, because the headlines are not.
Willow’s famous benchmark — five minutes vs. 10 septillion years — ran a test called Random Circuit Sampling. It is not Shor’s Algorithm. It is not an attack on RSA. It’s a quantum stress test, not a cryptographic weapon.
To break RSA-2048 using Shor’s Algorithm, you need millions of error-corrected logical qubits. Willow has 105 physical qubits. The gap is still enormous.
University of Sussex researchers estimate breaking Bitcoin-grade encryption in one day would need 13 million qubits. Willow has 105. You need roughly 124,000 Willows running together to get there.
So no — Willow doesn’t crack your VPN. Not today. Not this year.
But here’s why that’s the wrong frame.
What Willow Actually Changed: The Timeline
Willow didn’t break encryption. It proved the path to breaking encryption is real and moving faster than expected.
That’s a different kind of threat. And it’s more dangerous in some ways.
Because organizations make investment decisions based on timelines. ‘We’ll migrate to PQC when the threat is imminent’ sounds reasonable until the threat is already harvesting your data while you’re still scheduling the planning meeting.
Google’s response to their own chip? They moved their internal PQC migration deadline from a vague future horizon to a hard target: end of 2029.
IBM is projecting their first error-corrected quantum computer by the same year.
The US government’s CNSA 2.0 framework already lists PQC as preferred for National Security Systems in 2025, and as mandatory by 2030 to 2033.
When the people building quantum computers start hardening their own encryption against quantum computers — urgently — it is reasonable to ask why you aren’t.
The Harvest Now, Decrypt Later Problem — Revisited
In Post 1, I introduced this concept. In the context of Willow, it becomes more concrete.
Here’s the timeline that should focus your mind:
- Today (2026): Nation-state actors and sophisticated groups are archiving encrypted traffic. Your TLS sessions, your VPN tunnels, your email — copied and stored.
- 2029–2032: Google, IBM, and others ship systems approaching CRQC territory. Error correction matures. Qubit counts scale.
- 2032–2035: A Cryptographically Relevant Quantum Computer likely exists somewhere. Probably in a government facility first. Then not just there.
- Retroactive decryption: Everything harvested between now and then becomes readable.
For most consumer data, this is annoying but not catastrophic. Yesterday’s retail transaction isn’t worth decrypting in 2034.
But think about the data that has a long shelf life.
Medical records. Legal archives. Financial transaction logs with 10-year retention requirements. Intellectual property. Drug discovery data. Defense contractor communications. Government correspondence.
That data is already in transit. And some of it is already being collected.
The question isn’t ‘when will quantum computers break encryption?’ The question is: ‘how long does your data need to stay confidential?’ If the answer is longer than 5–10 years, you have a problem right now.
The Standards Are Ready. Are You?
This is the part that frustrates me.
The defense exists. NIST finalized the first post-quantum standards in August 2024, after an eight-year global competition. ML-KEM, ML-DSA, SLH-DSA. Available now. Implemented in Chrome, Firefox, Azure, AWS, Google Cloud. Not future features — current ones.
The tooling is there. The standards are there. The urgency is there.
What’s missing is organizational will.
And the migration problem is real. You can’t patch a legacy SCADA controller. You can’t push ML-KEM to a medical device with firmware from 2016. Industrial systems, critical infrastructure, embedded hardware — these have upgrade cycles measured in decades.
Which is why the answer isn’t ‘wait until everything is ready.’ The answer is:
- Start the inventory now. Map every system that uses RSA, ECC, or Diffie-Hellman. You can’t migrate what you haven’t found.
- Deploy hybrid cryptography where you can. X25519 + ML-KEM in TLS 1.3 is supported today. Layer PQC on top of classical — don’t rip and replace.
- Triage by data longevity. Medical records and legal archives first. Not because they’re the most connected, but because they’re the most exposed.
- Accept that some systems will remain vulnerable. Document them. Isolate them. Plan their replacement cycles around the CRQC timeline, not your normal refresh schedule.
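The inventory and triage steps above, sketched as an added example (not code from the original post): it flags classical-only algorithms, then ranks systems by how many years data captured today stays sensitive past an assumed CRQC date. The system names, retention figures and the `crqc_year=2032` default (the early end of the 2032–2035 range above) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Classical public-key families named in the post: RSA, ECC, Diffie-Hellman.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "DH", "X25519")
# Names that indicate a post-quantum component is already present.
PQC_MARKERS = ("ML-KEM", "MLKEM", "ML-DSA", "SLH-DSA")

@dataclass
class System:
    name: str
    algorithm: str         # as recorded during the inventory
    retention_years: int   # how long the data must stay confidential
    migration_years: int   # estimated time to move this system to PQC
    upgradeable: bool      # False for legacy or embedded systems

def is_vulnerable(algorithm: str) -> bool:
    """Classical-only algorithms are vulnerable; hybrids such as X25519MLKEM768 are not."""
    alg = algorithm.upper()
    if any(marker in alg for marker in PQC_MARKERS):
        return False
    return any(family in alg for family in QUANTUM_VULNERABLE)

def triage(systems, today=2026, crqc_year=2032):
    """Rank vulnerable systems by how long data captured today outlives the CRQC date."""
    rows = []
    for s in systems:
        if not is_vulnerable(s.algorithm):
            continue
        exposure = max(0, today + s.retention_years - crqc_year)
        if not s.upgradeable:
            action = "isolate, document, plan replacement"
        elif exposure > 0 or today + s.migration_years > crqc_year:
            action = "migrate now, hybrid where supported"
        else:
            action = "schedule migration"
        rows.append((s.name, exposure, action))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory; names and figures are illustrative only.
INVENTORY = [
    System("retail-checkout", "ECDSA-P256", 1, 2, True),
    System("patient-records-api", "RSA-2048", 30, 3, True),
    System("edge-tls", "X25519MLKEM768", 10, 0, True),
    System("scada-plc-07", "RSA-1024", 15, 0, False),
    System("legal-archive-vpn", "ECDH-P256", 10, 2, True),
]

if __name__ == "__main__":
    for name, exposure, action in triage(INVENTORY):
        print(f"{name:22} exposure={exposure:2}y  {action}")
```

Moving `crqc_year` later shrinks every exposure figure, so the ranking is only as good as the date and retention periods you feed it.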
Willow as a Signal, Not a Weapon
Here’s the mental model I keep coming back to.
In 2019, Sycamore proved quantum supremacy on an artificial benchmark. Cool, but easy to dismiss.
In 2024, Willow proved exponential error correction. The field breathed a sigh of relief — and then got nervous.
In October 2025, Quantum Echoes proved verifiable advantage on a real algorithm. Drug discovery. Molecular physics. Actual science.
Each milestone is a signal, not a weapon. No one’s data got cracked. But the trajectory is clear, the engineering is executing on schedule, and the people closest to the hardware are moving their own timelines forward.
Willow is the point in the story where the distant rumble becomes clearly identifiable thunder.
You still have time to get inside.
But the window is not as wide as it was two years ago.
Where This Leaves You
If you’ve read all three posts in this series, here’s where I want you to land:
Post-quantum cryptography is not a future compliance checkbox. It’s a present architecture decision with a hard deadline shaped by hardware progress you can track publicly.
Willow didn’t change the threat. It confirmed the timeline.
And the timeline says: if your data has a long life, your migration needs to start before the CRQC arrives — not after.
Because after is too late.
The good news? The tools are ready. The standards are finalized. The migration patterns exist. You just have to decide it’s worth doing.
Given what’s at stake, it is.
— Markus