On March 31, 2026, Google published research indicating that quantum computers may break elliptic curve cryptography with 20 times fewer qubits than previously estimated. Cloudflare accelerated their post-quantum deadline to 2029 within days. Most organizations are still on the 2035 NIST timeline.
Written April 2026 · Sources verified against Google Research, Quantum Insider, TIME Magazine, Cloudflare public statements
Google publishes a blog post titled "Quantum frontiers may be closer than they appear" by Heather Adkins (VP of Security Engineering) and Sophie Schmieg (Senior Staff Cryptography Engineer). The company accelerates its internal post-quantum migration target from 2035 (NIST guidance) to 2029.
This is not a marketing statement. Google's own Quantum AI team produces much of the underlying research on cryptographic resource estimates. When Google moves its deadline, it is moving based on its own threat intelligence.
Google Quantum AI publishes new research demonstrating that breaking elliptic curve cryptography requires 20 times fewer qubits and gates than previously estimated. The paper focuses on ECDSA, the signature scheme behind TLS key exchange, SSH authentication, code signing, and most digital signatures on the internet. Cryptocurrency wallets, which also rely on ECDSA, are prominent in the news coverage, but the finding affects all cryptography built on elliptic curves. That includes the key exchange protecting your email, your banking session, your VPN tunnel, and most file transfer tools.
Separately, a Caltech and Oratomic paper uses AI-assisted algorithm design to further reduce qubit requirements using neutral-atom quantum architectures.
In 2026 the word "crypto" has two meanings. In financial news it refers to cryptocurrency. In security it refers to cryptography, the mathematics of encryption and digital signatures. The Google research is a cryptography finding that has cryptocurrency implications. Paramant is a cryptography product, not a cryptocurrency product. No coins, no wallets, no tokens. This page, and Paramant generally, uses "crypto" only as shorthand for cryptography.
Cloudflare's Bas Westerbaan, one of the most respected voices in applied cryptography, tells TIME magazine: "It's a real shock. We'll need to speed up our efforts considerably." Cloudflare announces its own accelerated 2029 deadline for complete post-quantum migration.
CISOs at regulated enterprises begin re-evaluating their post-quantum roadmaps. The conversation shifts from "planning" to "execution," with PQC market projections reaching $2.84 billion by 2030 at a 46.2% CAGR.
Google blog post (March 25 2026): blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline
Google ECDLP research (March 31 2026): published via Google Quantum AI
Cloudflare response (April 2026): TIME magazine interview
Quantum Insider analysis: thequantuminsider.com/2026/03/31/q-day-just-got-closer
"Harvest now, decrypt later" is no longer a theoretical threat model. It is a budget line at every major intelligence agency.
Adversaries intercept and archive encrypted traffic today with the explicit plan of decrypting it once quantum capability arrives. What changed in March 2026 is the arrival date.
It is at risk today. Medical records, legal documents, financial plans, research, trade secrets, government communications. Anything that has a confidentiality horizon beyond three years.
TLS 1.2 and 1.3 without post-quantum extensions, most SFTP, most email encryption, standard HTTPS, all rely on key exchange that quantum computers will break. The underlying AES encryption of the actual content remains safe. But AES is useless if the key that protects it can be recovered retroactively.
It was built before the March 2026 research. The industry is recalibrating. Providers who stay on pre-2026 timelines are implicitly accepting that harvested data from 2026-2030 will be decryptable. That data is what is being harvested right now.
If your file transfer provider does not use post-quantum encryption for key exchange today, what you are transmitting through them can be recorded for retroactive decryption. The strength of their AES is irrelevant. The weakness is in the key exchange.
Paramant deployed ML-KEM-768 post-quantum key exchange in production in August 2024 following the NIST FIPS 203 finalization. Every ParaShare transfer since that date has been protected with post-quantum hybrid key exchange. Every transfer since March 31, 2026 has benefitted from the same architecture.
This is not marketing. The ciphertext of authenticated Paramant transfers from the last 18 months is not retroactively decryptable even if the March 2026 research proves correct. The key exchange was post-quantum before the threat was acknowledged.
| Date | Event | Paramant status |
|---|---|---|
| Sep 2022 | NSA CNSA 2.0 advises PQC migration | Paramant was already planned with this in mind |
| Aug 2024 | NIST finalizes FIPS 203 (ML-KEM) | ML-KEM-768 in production |
| Aug 2024 | NIST finalizes FIPS 204 (ML-DSA) | ML-DSA-65 in production for receipts |
| Mar 25 2026 | Google accelerates to 2029 deadline | No change needed, already compliant |
| Mar 31 2026 | Google publishes 20x qubit reduction | Hybrid PQ + classical still protects |
The question Paramant asked in 2024 was: "If quantum capability arrives sooner than expected, what decision do we want to have made?" The answer was post-quantum from day one. The March 2026 research validates that decision.
Audit your file transfer vendors' post-quantum status. Ask specifically: which algorithms are in production today for key exchange, not roadmap. Any vendor whose production key exchange is RSA or classical ECDH is currently contributing to harvestable traffic.
NIS2 Article 21 requires "appropriate cryptographic measures." As post-quantum standards become available and industry urgency grows, "appropriate" shifts. A provider using classical cryptography in 2027 will be harder to defend in an audit than a provider using post-quantum cryptography in 2026.
Add ML-KEM to your cryptographic agility plan now. If you run your own infrastructure, OpenSSH 10.0 and OpenSSL with crypto-policies PQ modules already support ML-KEM. For TLS, hybrid ML-KEM-768 + X25519 is implemented in Chrome and available in Cloudflare's edge.
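As an added example (not Paramant's code or any vendor's tooling), the sketch below audits which key exchange an SSH file-transfer session actually negotiates, applying the RFC 4253 rule that the first algorithm on the client's list that the server also offers wins. The KEX names are real OpenSSH identifiers; the vendor labels and client/server lists are constructed sample data.

```python
# Added example. KEX names are real OpenSSH identifiers; the session
# inventory at the bottom is constructed sample data.
PQ_HYBRID = {
    "mlkem768x25519-sha256",               # ML-KEM-768 + X25519
    "sntrup761x25519-sha512",              # NTRU Prime + X25519
    "sntrup761x25519-sha512@openssh.com",
}
CLASSICAL = {
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group-exchange-sha256",
}

def classify(kex):
    """Label one negotiated key-exchange name."""
    if kex is None:
        return "no-common-kex"
    if kex in PQ_HYBRID:
        return "pq-hybrid"
    return "classical" if kex in CLASSICAL else "unknown"

def negotiate(client_prefs, server_offers):
    """RFC 4253: the first name on the client's list that the server also lists."""
    offered = set(server_offers)
    return next((k for k in client_prefs if k in offered), None)

def audit(sessions):
    """Return (session, negotiated kex, verdict) for every non-PQ session."""
    findings = []
    for name, client, server in sessions:
        kex = negotiate(client, server)
        verdict = classify(kex)
        if verdict != "pq-hybrid":
            findings.append((name, kex, verdict))
    return findings

MODERN = ["mlkem768x25519-sha256", "curve25519-sha256", "ecdh-sha2-nistp256"]
LEGACY = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
PQ_SERVER = ["mlkem768x25519-sha256", "sntrup761x25519-sha512", "curve25519-sha256"]
OLD_SERVER = ["curve25519-sha256", "ecdh-sha2-nistp256"]

SESSIONS = [  # constructed: (label, client KEX preference, server KEX offer)
    ("vendor-a, modern client", MODERN, PQ_SERVER),
    ("vendor-b, modern client", MODERN, OLD_SERVER),
    ("vendor-a, legacy batch client", LEGACY, PQ_SERVER),
]

if __name__ == "__main__":
    for row in audit(SESSIONS):
        print(row)
```

The third session is the one an inventory of server capabilities alone would miss: the server offers ML-KEM, but the legacy client never asks for it, so the recorded session is still classical.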
The simplest answer: stop sending regulated data through non-post-quantum channels. Paramant's ParaShare flow is one option. Tresorit's announced PQC roadmap is another when it ships. Running your own post-quantum TLS is a third. The migration is no longer optional.
We are not saying quantum computers will exist in 2029. We are saying that the research now suggests they could exist before 2035, and the cost of being wrong about timing is catastrophic and retroactive. Post-quantum cryptography is insurance against a non-zero probability of an outcome that cannot be undone once it occurs.
Every file transferred with classical encryption in 2026 is a potential entry in an adversary's decryption archive. Every file transferred with post-quantum encryption is safe regardless of when quantum capability arrives.
The decision of which channel to use for sensitive data is not academic. It determines what will be readable to adversaries in 2030, 2032, 2035. Most organizations will look back on 2026 and wish they had migrated six months sooner.
Paramant uses ML-KEM-768 (NIST FIPS 203 Level 3) hybrid with ECDH P-256 for all authenticated transfers. Operational since August 2024. Not a roadmap, a production system.