THE SIGNAL: The Clock Just Got Shorter

For years, the industry assumed two things about quantum computing.

First, that Q-Day (the day a quantum computer becomes powerful enough to break current encryption) was 10 to 15 years away. Second, that building a quantum computer capable of doing it would require millions of physical qubits.

Both assumptions broke in the last three weeks.

From the top: on March 28, Google announced it moved its internal post-quantum cryptography migration deadline from 2035 to 2029. This isn’t an analyst forecasting. It’s the company with more visibility into quantum hardware than almost any other organization on Earth adjusting its own clock six years forward. Heather Adkins (VP Security Engineering) and Sophie Schmieg explained the decision reflects faster-than-expected progress on three fronts: quantum hardware development, error correction, and factoring resource estimates.

From the bottom: three days later, Caltech and Oratomic published research that reduced the physical qubits needed for a fault-tolerant quantum computer from millions to 10,000-20,000. A 100x reduction in error correction overhead. Dolev Bluvstein, CEO of Oratomic, said: “It is plausible, although not guaranteed, that we will have a fault-tolerant quantum computer by the end of this decade.”

Manuel Endres, one of the co-authors, has already assembled arrays of 6,100 neutral atoms in a lab. The jump from there to 10,000-20,000 is non-trivial, but it’s no longer science fiction.

This isn’t theoretical. In the last two weeks, the general public panicked over Anthropic’s announcement of Claude Mythos, a model capable of finding thousands of zero-day vulnerabilities across every major operating system and web browser. LinkedIn threads. Coverage in Tom’s Hardware, NPR, SecurityWeek. Debates about responsibility. The industry responded more carefully, forming consortia with AWS, Apple, Google, JPMorgan, Microsoft.

And yet: few of the organizations that reacted to Mythos are reacting with the same urgency to quantum. Banks. Pharma. Government. Financial services. Healthcare. Silence.

Mythos finds bugs in your code. Quantum makes your encryption irrelevant. The first is a patching problem. The second is an architecture problem.

And there’s a more uncomfortable difference: the data you’re worried about isn’t safely waiting. Store-now-decrypt-later is an active threat today. Adversaries are capturing encrypted data now, storing it, waiting for the quantum computer to decrypt it later. If your data needs to remain confidential for more than five years (medical records, intellectual property, contracts, regulatory information) you’re already exposed.

Pattern match: the SHA-1 to SHA-2 migration (a much simpler cryptographic transition) took 12 years. The PQC migration is bigger. If Google is right and the real deadline is 2029, that leaves three years to do what the industry took 12 years to do on simpler transitions.

Microsoft targets 2033. NIST plans to deprecate legacy algorithms in 2030, with a final deadline of 2035. NSA: national security systems to PQC by 2027. Most private organizations don’t have PQC migration on their roadmap at all. If they do, it points to 2032-2035. Or it isn’t on the radar.

The gap between what Google sees and what most organizations assume is the blind spot.

This isn’t about quantum. It’s about the gap between what insiders know and what the market assumes. That gap is about to close in an uncomfortable way.

THE APPLICATION: The Infrastructure Already Moving

PQC migration is already underway. Not everywhere.

Google. Chrome already supports post-quantum key exchange. Android 17 integrates ML-DSA (the NIST standard for PQC digital signatures) as a first phase. Google Cloud offers PQC solutions to enterprise customers. Internal deadline: 2029.

Ethereum. Launched pq.ethereum.org this week, a hub dedicated to post-quantum migration. Eight years of accumulated preparation. A concrete roadmap: full migration across four hard forks, targeting 2029. More than 10 client teams shipping weekly devnets.

NSA. CNSA 2.0 requires quantum-safe algorithms for all U.S. national security systems by January 2027.

The contrast is what matters. Microsoft targets 2033, four years behind Google. Bitcoin: official silence. The private sector at large: no mandate.

The organizations moving first share one thing in common: the most to lose if the timeline compresses. Google has Chrome, Android, and Cloud. Ethereum has billions in encrypted value. NSA has secrets that cannot be leaked retroactively. They understand the asymmetric cost of arriving late.

The companies with the most to lose are moving first. The rest assume they have time.

THE NOISE: “Quantum Is Still 10-15 Years Away”

You’ll hear it at conferences. In pitch decks. In vendor keynotes.

It was true two years ago. It isn’t anymore.

Google shortened its deadline to 2029. Caltech demonstrated you need 100x fewer qubits than previously estimated. The CEO of Oratomic, a company founded by researchers from Caltech, Berkeley, Harvard, Amazon, and Google, said “plausible by the end of the decade.”

The problem isn’t whether Q-Day arrives in 2029, 2031, or 2033. The problem is that most organizations don’t have quantum on their radar at all. The ones that do are planning around 2035-2040, and that window has already closed.

And there’s a deeper reason not to trust the old consensus: store-now-decrypt-later is already an active threat. Q-Day’s timing matters less than your exposure timing. If your data needs to stay confidential for more than five years, you’re exposed now.

The timeline didn’t shift. The consensus did.

THE QUESTION: What’s Your Crypto Horizon?

What data in your organization needs to remain confidential beyond 2029?

If that list exists, who is protecting it against something that can be decrypted retroactively?

If your team can’t answer with a specific list in 48 hours, you already have the answer about your state of readiness.

WHAT I’M WATCHING

Insilico Medicine signed a $2.75B deal with Eli Lilly. This closes the loop with the previous edition. In March we said the real bet wasn’t on the drugs but on the AI discovery infrastructure. One week later, Lilly signed the largest AI drug discovery contract to date, including a GLP-1 candidate. It wasn’t a future thesis. It was materializing as we were writing.

Renault plans 350 humanoid robots in 18 months. The first brownfield deployment at scale in the automotive industry. Toyota already signed a RaaS agreement with Agility Digit at its RAV4 plant in Canada. Mind Robotics (a Rivian spinout led by RJ Scaringe) raised $500M. The robotics conversation is shifting from demos to real production deployment.

Google published a 20x reduction in the qubits needed to break ECDLP-256. The same company that moved its PQC deadline also published research showing that breaking blockchain encryption requires fewer than 500,000 physical qubits, 20 times less than previously estimated. A convergent signal: the margins keep compressing in every direction.

This is WaveLens. Emerging tech without the hype. Real signals for strategic decisions.

If this edition helped you see something you weren’t seeing before, forward it to one leader in your network who needs to be in this conversation.

Subscribe at newsletter.wavelens.ai so you don’t miss the next edition. Follow WaveLens on LinkedIn for daily signals on the convergence.

Javier D’Ovidio WaveLens