Two independent research teams published papers on March 31, 2026, showing that quantum computers could break the encryption standards securing most of the internet with far fewer resources than anyone had previously estimated. Artificial intelligence helped drive the discovery. The findings have sent cybersecurity organizations scrambling to compress their post-quantum migration timelines — and raised an urgent, global question: has the window to protect the internet been quietly closing faster than experts assumed?
Two Papers, One Alarming Conclusion
The world could be caught off guard by quantum hackers before the end of this decade, much sooner than expected. This is the take-home message of two studies posted independently on March 30, one a white paper by a team at Google and the other a preprint from Oratomic, a start-up company in Pasadena, California.
Digital technologies that rely on encryption and authentication methods, such as credit-card systems, cryptocurrencies, and internet communications, have long been known to be vulnerable to future quantum computers. But the assumption among researchers and cybersecurity companies working on quantum-proof encryption technologies was that these machines would not pose a serious threat to digital security for at least 10 years.
In its whitepaper, Google showed that future quantum computers may break elliptic-curve cryptography that protects cryptocurrency and other systems with fewer qubits and gates than previously thought. Google engaged with the U.S. government and developed a new method to describe these vulnerabilities via a zero-knowledge proof so they can be verified without providing a roadmap for bad actors. With continued scientific and technological progress, cryptographically relevant quantum computers are getting closer to reality which is why Google simultaneously introduced a 2029 migration timeline.
The Role of Artificial Intelligence
The technical reduction in qubit requirements was not achieved solely through hardware. AI was woven into the research process itself. AI was described as “instrumental” in developing the Oratomic team’s algorithm, according to the paper’s authors. “There is no question that we used AI to accelerate this development,” said Dolev Bluvstein, one of the paper’s authors.
Oratomic, collaborating with Caltech researchers including John Preskill, described building a quantum computer using neutral atoms trapped and moved by laser “tweezers” for flexible connections, combined with advanced error-correction codes that pack more useful computation into each group of qubits — far more efficient than conventional approaches.
The convergence of AI-assisted algorithm development with advances in neutral-atom hardware architecture marks a meaningful shift in how quantum computing progress unfolds. Researchers are no longer relying solely on incremental hardware scaling; AI is now actively compressing the mathematical and algorithmic distances between theoretical threat and practical capability.
The Industry Response: Racing the Clock
The papers triggered immediate action from organizations that protect critical internet infrastructure. Cloudflare announced it is targeting 2029 to complete post-quantum security across its entire product suite, including post-quantum authentication. The company is following a revised roadmap that Google also adopted after announcing it had improved the quantum algorithm used to break elliptic-curve cryptography. The same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom quantum computer, putting the qubit requirement at roughly 10,000 a number researchers in the field described as unexpectedly low.
Cloudflare noted that while over 65% of human traffic on its network is already post-quantum-encrypted, credible new research and rapid industry developments suggest the migration deadline is much sooner than expected. These advances prompted Google to accelerate its post-quantum migration timeline to 2029, and IBM Quantum Safe’s CTO stated publicly that quantum moonshot attacks could arrive as early as that same year.
From Encryption to Authentication: A Harder Problem
The post-quantum challenge is broader than encrypting data in transit. The more difficult and more dangerous problem is authentication.
More than 65% of human-generated traffic on Cloudflare’s network is already protected using post-quantum encryption. However, encryption alone is not sufficient. The company’s new roadmap prioritizes post-quantum authentication — the systems that verify identities and establish trust across the internet. These systems are significantly harder to upgrade due to their reliance on certificates, legacy infrastructure, and complex vendor- and device-level dependencies.
Cloudflare laid out a series of milestones toward its 2029 target. The company plans to add support for post-quantum authentication using ML-DSA to origin connections by mid-2026. By mid-2027, it aims to have post-quantum connections from end users to Cloudflare using Merkle Tree Certificates. Its Cloudflare One SASE product suite is targeted for post-quantum authentication by early 2028.
Migrating to post-quantum authentication is more complex than migrating encryption. Disabling quantum-vulnerable cryptography is necessary to prevent downgrade attacks; once that is done, all previously exposed secrets, including passwords and access tokens, must be rotated.
Coordinated Disclosure and Responsible Research
Both Google and Oratomic took deliberate steps to share their findings responsibly rather than publishing full attack blueprints. To share the research responsibly, Google engaged with the U.S. government and developed a new method to describe vulnerabilities via a zero-knowledge proof, so they can be verified without providing a roadmap for bad actors.
The Oratomic team also thought carefully about which parts of their methodology were responsible for publishing, given the potential consequences of a quantum computer being developed.
Matthew Green, a computer science professor and cryptography expert at Johns Hopkins University, called the Google and Oratomic papers a good “precautionary” analysis of the long-term challenge of quantum encryption. However, he expressed skepticism that quantum computing had enough “lucrative immediate applications” to push the field beyond its foundational research stage to more practical applications.
The expert skepticism is worth noting: no new quantum computer was built during this research cycle. What changed was the theoretical estimates of how many qubits a future machine would need, which dropped sharply.
A Fractured but Urgent Global Picture
The underlying assumption had been that a fault-tolerant quantum computer capable of threatening classical encryption would require millions of qubits. The Oratomic paper suggests it may actually only need as few as 10,000. “Ultimately, we have gone from planning for a threat two decades out to one that overlaps with systems actively being deployed and funded,” said Nathaniel Szerezla, chief growth officer at Naoris Protocol.
One key concern is the ability of foreign nations and cybercriminals to collect sensitive, encrypted data today, in hopes of breaking it later with a quantum computer. This “harvest now, decrypt later” technique is one of the main reasons proponents push for faster adoption of post-quantum encryption. Advancements in neutral atom arrays have given scientists more powerful hardware, while breakthroughs in mathematics, such as those in the Google research paper, have enabled more efficient use of that hardware.
Microsoft is targeting 2033. NIST deprecates classical algorithms in 2030 and disallows them in 2035. Cloudflare’s decision to match Google’s 2029 target transforms this from a single company’s internal risk calculus into an emerging industry consensus among the companies that actually operate the internet’s infrastructure.
Outlook
The convergence of AI-assisted algorithm discovery, progress in neutral-atom quantum hardware, and a sharp drop in estimated qubit thresholds has compressed what was once considered a distant problem into a near-term operational risk. The responses from Google, Cloudflare, and IBM suggest that the largest internet infrastructure providers now treat 2029 as a planning horizon rather than a theoretical milestone. For governments, financial institutions, healthcare providers, and anyone dependent on public-key cryptography, that is, nearly every organization with a digital presence, the calculus on post-quantum migration has fundamentally changed.
For Cloudflare customers, the company states that no mitigating action is required for its services. However, the company notes that elements outside its control, such as browsers, applications, and origin infrastructure, will also need to be upgraded. Those dependencies, across thousands of vendors and billions of devices, represent the real scope of what “Q-Day preparedness” demands.
