A top quantum scientist just issued the kind of warning that is easy to misunderstand.
He is not saying quantum computers are about to drain your bank account tomorrow. He is not saying Bitcoin dies next week. He is not saying Google has secretly built a machine that can crack every password on Earth.
He is saying something more realistic, and therefore more important: the people closest to quantum hardware and quantum error correction are now telling him that a quantum computer capable of breaking widely deployed cryptography could plausibly arrive around 2029.
…and only 3 companies are ready for it:
The warning came from Scott Aaronson, one of the best-known quantum computing theorists in the world and the author of Shtetl-Optimized, one of the most influential quantum computing blogs on the internet. Aaronson has spent years pushing back on quantum hype, so this is not coming from a startup founder trying to sell a quantum moonshot. It is coming from someone who usually tells people to calm down.
That is what makes the post land.
Aaronson's message is basically this: if quantum computers start breaking cryptography a few years from now, do not say nobody warned you. This is the warning.
Who Scott Aaronson Is
Scott Aaronson is the Schlumberger Centennial Chair of Computer Science at the University of Texas at Austin and the founding director of UT Austin's Quantum Information Center. His work focuses on the capabilities and limits of quantum computers, and on computational complexity theory more broadly.
He is also not just a quantum guy. Aaronson spent the 2022-2023 and 2023-2024 academic years on leave at OpenAI, where he worked on the theoretical foundations of AI safety and was connected to OpenAI's now-dissolved Superalignment effort.
That background matters because Aaronson sees the parallel between two races: the AI race and the quantum race.
In AI, companies often argue that dangerous capabilities are coming no matter what, so it is better for responsible actors to build them first, deploy them carefully, and keep the lead away from adversaries. Aaronson points out that some quantum companies are now making a similar argument. Cryptographically relevant quantum computers may be inevitable. They may be built by someone. So maybe it is better if US-based companies build them openly before foreign intelligence agencies build them secretly.
He does not fully endorse that logic. In fact, he says it sounds suspiciously self-serving, which is exactly why the comparison to AI is so interesting.
The quantum industry may be entering the same moral zone as the AI industry: if a dangerous capability is coming anyway, is racing ahead the safest option, or just the most convenient one?
The Shor Of Damocles
Aaronson's best phrase is the "Shor of Damocles."
That is a pun on two things:
Shor's algorithm, the quantum algorithm that can break RSA and elliptic curve cryptography if you have a large enough fault-tolerant quantum computer.
The Sword of Damocles, the old metaphor for a threat hanging over your head.
The point is simple: Shor's algorithm already exists. The math is known. The sword is hanging there. What does not exist yet is the large, reliable quantum computer needed to swing it.
That is why this story is not really about whether quantum computers are magic. They are not. It is about whether the hardware is getting close enough that the internet needs to start changing its locks now.
What Encryption Actually Is
Encryption is how computers lock information so only the right person can read it.
A simple way to think about it: imagine sending a locked box through the mail. You need a way for the recipient to open it, and you need a way to prove the box really came from you and was not swapped out by somebody else.
Modern internet security uses two broad types of cryptography.
First, there is symmetric encryption. Both sides share the same secret key. Think of it like two people having copies of the same house key. AES is the classic example. This is used to encrypt large amounts of data efficiently.
Second, there is public-key cryptography. This is the magic trick that makes the internet work. You have a public key that anyone can see, and a private key that only you control. This lets strangers on the internet agree on secrets, prove identity, sign messages, sign software updates, and control crypto assets.
The big vulnerable families are RSA, Diffie-Hellman, and elliptic curve cryptography.
These systems protect a huge amount of internet trust. Not just private messages. Also logins, certificates, software updates, APIs, cloud systems, blockchains, and identity.
The biggest quantum threat is not directly "your password." The bigger threat is the public-key layer that lets the internet know who is who.
Why Quantum Is Bad For Today's Encryption
Today's public-key cryptography relies on math problems that normal computers are terrible at.
RSA depends on factoring huge numbers. Multiplying two huge prime numbers is easy. Figuring out which two primes were multiplied together is extremely hard for a classical computer.
Elliptic curve cryptography depends on a different hard math problem called the discrete logarithm problem.
A large enough fault-tolerant quantum computer can run Shor's algorithm, which gives quantum computers a shortcut through both of those problems.
So quantum does not "guess the password" faster. It does something more fundamental.
It makes the math behind the lock stop being hard.
That is why the implications are so large. If a future quantum computer can break RSA and elliptic curve cryptography, then the old public-key trust layer becomes obsolete.
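To make "the math behind the lock stops being hard" concrete, here is a toy RSA walkthrough written for this article (it is added example code, not anything from Aaronson's post or from Google). It uses two constructed five-digit primes so the modulus can be factored by brute force in milliseconds; the point is that once the factors of n are known, recovering the private exponent is a single line of modular arithmetic. Shor's algorithm supplies those factors for real-sized moduli; everything after that was never the hard part.

```python
from math import gcd


def make_toy_rsa_key(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes (toy sizes only; constructed for illustration)."""
    n = p * q
    phi = (p - 1) * (q - 1)                # Euler's totient of n; computing it needs p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                    # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), d                       # public key, private exponent


def encrypt(public_key, message: int) -> int:
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer below n")
    return pow(message, e, n)


def decrypt(n: int, d: int, ciphertext: int) -> int:
    return pow(ciphertext, d, n)


def private_exponent_from_factors(n: int, e: int, p: int, q: int) -> int:
    """Once p and q are known, recovering d is trivial arithmetic.

    This is the step Shor's algorithm makes reachable: it supplies the factors;
    the rest is the same totient-and-inverse computation the key owner did."""
    if p * q != n:
        raise ValueError("p and q are not the factors of n")
    return pow(e, -1, (p - 1) * (q - 1))


def factor_by_trial_division(n: int):
    """The classical brute-force route: step through candidate divisors.

    Fine for a 9-digit toy modulus, hopeless for a 617-digit (2048-bit) one,
    which is exactly why RSA is considered secure against classical computers."""
    candidate = 2
    while candidate * candidate <= n:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 1
    return None                            # n is prime (or 1)


def demo():
    # Constructed toy primes; real RSA primes are about 1024 bits each.
    public_key, d = make_toy_rsa_key(10007, 10009)
    n, e = public_key
    secret = 424242
    c = encrypt(public_key, secret)
    assert decrypt(n, d, c) == secret

    # An observer sees only (n, e) and c. On a toy modulus trial division works;
    # at real sizes only a large fault-tolerant quantum computer running Shor
    # could deliver p and q. Either way, the factors hand over d directly.
    p, q = factor_by_trial_division(n)
    recovered_d = private_exponent_from_factors(n, e, p, q)
    return {
        "modulus_digits": len(str(n)),
        "recovered_d_matches": recovered_d == d,
        "recovered_plaintext": decrypt(n, recovered_d, c),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script factors the 9-digit modulus instantly and shows that the recovered exponent equals the owner's private key. Scale the primes up to 1024 bits each and the trial-division loop never finishes, while the two lines after it stay just as cheap; that gap is the whole security argument, and Shor's algorithm is what closes it.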
What Quantum Does Not Break
This is where the story needs nuance.
Quantum computers do not break all encryption equally.
Symmetric encryption like AES is much safer. Hash functions like SHA-256 are also much safer. Quantum algorithms such as Grover's search can still provide speedups against symmetric systems and hashes, but that speedup is at most quadratic, which is not the same kind of total break as Shor's algorithm against RSA and elliptic curves.
That is why you will hear people say AES-256 is generally much more quantum-resistant than RSA or elliptic curve cryptography: a quadratic speedup still leaves a 256-bit key with a large security margin, whereas Shor removes the hardness entirely.
So the safe version is:
Quantum threatens public-key cryptography directly.
It threatens both key exchange (the step that protects encrypted connections) and digital signatures.
It does not magically break every security system at once.
But because public-key cryptography is so deeply embedded in internet trust, the migration problem is enormous.
Why The Timeline Is Moving
Aaronson says reputable people in quantum hardware and quantum error correction are now telling him that a cryptographically relevant quantum computer could be possible around 2029.
He is careful. He says maybe they are too optimistic. Maybe it takes longer. He is not claiming the date is certain.
But Google and Cloudflare are making the same broad move.
Google recently announced that it is setting a 2029 timeline for post-quantum cryptography migration. Google says the timeline reflects progress in quantum hardware, quantum error correction, and quantum factoring resource estimates.
Cloudflare also says it is targeting 2029 for full post-quantum security, including authentication.
That is a major signal. These are not random observers. Google operates Chrome, Android, Google Cloud, Workspace, authentication systems, and a huge amount of internet infrastructure. Cloudflare sits in front of a massive share of internet traffic.
If those companies are treating 2029 as the migration target, smaller organizations cannot casually assume this is a 2040 problem.
Is Google Affected?
Yes. Google is affected because everyone is affected.
Google runs systems that depend on cryptography at massive scale:
Chrome
Android
Google Cloud
Workspace
account login systems
certificates
software updates
developer APIs
internal service authentication
mobile device security
But Google is also one of the companies most visibly preparing.
Google says it has worked on post-quantum cryptography since 2016. It says Chrome and Cloud have post-quantum work underway. It says Android 17 is integrating post-quantum digital signature protection using ML-DSA.
That is the right framing: Google is not asleep at the wheel. The point is that even Google now thinks the timeline is urgent.
There is also a business angle.
Google benefits from this transition because it is both helping push the quantum frontier forward and helping sell the migration path. Google Quantum AI advances the field. Google Cloud, Chrome, Android, and Google's security teams can help define the post-quantum future.
The spicy but fair version:
Google is helping create the quantum future that forces everyone to upgrade, and it is also positioning itself as one of the companies that can help sell and standardize the upgrade.
That does not mean it is cynical. If the threat is real, someone has to build the migration path. Google is one of the few companies big enough to do it at internet scale.
Where AI Fits Into The Quantum Story
One of the most interesting pieces is that AI may help accelerate quantum computing.
Google DeepMind and Google Quantum AI introduced AlphaQubit, an AI-based decoder designed to identify quantum computing errors with state-of-the-art accuracy.
That matters because quantum computers are extremely fragile. Qubits are noisy. They make errors constantly. To build a useful quantum computer, you need quantum error correction, which is basically the art of protecting quantum information from noise long enough to do useful work.
AlphaQubit does not break encryption by itself. But it helps with one of the hardest problems between today's noisy quantum chips and a future fault-tolerant machine that could run Shor's algorithm at scale.
So AI is not just competing with quantum. AI may become part of the quantum acceleration stack.
The full stack looks like this:
better quantum hardware
better qubits
better error correction
better quantum algorithms
better circuit optimization
better AI-assisted decoding and control
That is why the story gets weird. AI may help build the quantum computers that force a rewrite of internet cryptography.
The Google Crypto Disclosure
Google Research recently published a post called "Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly".
The key claim: future quantum computers may be able to break elliptic curve cryptography, including systems used in cryptocurrency, with fewer qubits and gates than previously realized.
Google says one compiled circuit uses fewer than 1,200 logical qubits and 90 million Toffoli gates. Another uses fewer than 1,450 logical qubits and 70 million Toffoli gates. Under certain assumptions, Google estimates these circuits could run on a superconducting cryptographically relevant quantum computer with fewer than 500,000 physical qubits in a few minutes.
Google says that represents roughly a 20x reduction in the number of physical qubits required to solve ECDLP-256, the elliptic curve discrete logarithm problem used in many systems.
The important part: Google says it did not fully publish the attack details. It used a zero-knowledge proof to disclose the vulnerability responsibly.
In plain English, that means Google wanted to prove it found a real weakness without handing bad actors the complete lock-picking manual.
It is like saying: we can prove this lock is weaker than people thought, but we are not going to publish the exact instructions for exploiting it.
Who Is Most Affected
The most affected organizations are the ones that depend on long-term public-key trust.
Governments and intelligence targets are obvious. If a secret needs to stay secret for 10, 20, or 30 years, it is vulnerable to harvest-now-decrypt-later attacks. An adversary can record encrypted traffic today, store it, and decrypt it later if the encryption is quantum-vulnerable.
Banks and financial infrastructure are exposed through payment systems, authentication systems, certificates, software signing, and transaction security.
Healthcare systems are exposed because medical records and genetic data have long-term privacy value.
Critical infrastructure is exposed because power grids, telecom networks, satellites, industrial control systems, and embedded devices are hard to upgrade quickly.
Software supply chains are a sleeper issue. If digital signatures can be forged, attackers may be able to impersonate trusted software updates or sign malicious code as if it came from a legitimate vendor.
The cleanest line is this:
The first quantum threat is reading yesterday's secrets. The bigger quantum threat is forging tomorrow's trust.
Who Is Less Affected
Not everyone is equally exposed.
Data that only needs to stay secret for a short time is less affected. Strong symmetric encryption like AES-256 is less affected. Strong hash-based protections are less affected. Systems already moving to post-quantum cryptography are less affected.
Some crypto wallets are also less exposed if their public key has not yet been revealed on-chain. But that protection can disappear when coins are spent, depending on the address type and system.
The key phrase is "less affected," not "safe forever."
If a system still relies on RSA, Diffie-Hellman, or elliptic curve signatures anywhere in its trust chain, it needs a migration plan.
How Crypto Gets Hit
Crypto is one of the most politically explosive parts of the story.
Blockchains are public. Blockchains are permanent. Many cryptocurrencies use elliptic curve signatures.
If a wallet's public key is exposed on-chain, a future quantum computer may be able to derive the private key. If the private key can be derived, the coins can be stolen.
Bitcoin uses elliptic curve digital signatures. Not every Bitcoin address exposes the public key immediately. Some address types reveal only a hash of the public key until coins are spent. But once coins are spent from an address, the public key may become visible. Reusing addresses can increase exposure.
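The address-reuse point above is easier to see with a small simulation. The following is example code written for this article, not anything from the Bitcoin project or from the Google disclosure: it replays a constructed mini-ledger in which addresses commit only to a hash of the public key, and spending publishes the key itself. The audit then reports which addresses have an exposed key and still hold coins. The address derivation is deliberately simplified (a truncated SHA-256 instead of Bitcoin's RIPEMD160(SHA256(pubkey)) with version byte and checksum); the "constructed" public keys are arbitrary bytes, not real keys.

```python
import hashlib


def address_from_pubkey(pubkey: bytes) -> str:
    """Simplified pay-to-pubkey-hash address: the chain sees only a hash.

    Real Bitcoin P2PKH uses RIPEMD160(SHA256(pubkey)) plus a version byte and
    checksum; a truncated SHA-256 is enough to model 'hash, not key'."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def audit_exposure(ledger):
    """Replay a ledger and report, per address, whether its public key is now
    visible on-chain and whether it still holds coins.

    Each tx: {"inputs": [{"pubkey": bytes, "amount": int}],
              "outputs": [{"address": str, "amount": int}]}
    A tx with no inputs models newly issued coins. Spending an input publishes
    the signature *and* the public key, which is what a future Shor-capable
    machine would need to derive the private key."""
    balance = {}
    revealed = set()
    for tx in ledger:
        for inp in tx["inputs"]:
            addr = address_from_pubkey(inp["pubkey"])
            if balance.get(addr, 0) < inp["amount"]:
                raise ValueError(f"{addr} cannot spend {inp['amount']}")
            balance[addr] -= inp["amount"]
            revealed.add(addr)             # the key is now public, permanently
        for out in tx["outputs"]:
            balance[out["address"]] = balance.get(out["address"], 0) + out["amount"]
    return {
        addr: {
            "balance": bal,
            "pubkey_exposed": addr in revealed,
            "at_risk": addr in revealed and bal > 0,
        }
        for addr, bal in balance.items()
    }


def at_risk_total(report) -> int:
    """Coins sitting behind an already-revealed public key."""
    return sum(r["balance"] for r in report.values() if r["at_risk"])


# Constructed keys (not real): the bytes only need to be distinct.
ALICE, ALICE_CHANGE, BOB, CAROL = (bytes([i]) * 33 for i in (1, 2, 3, 4))
A, A2, B, C = (address_from_pubkey(k) for k in (ALICE, ALICE_CHANGE, BOB, CAROL))

# Scenario 1: Alice pays Bob and sends her change back to the SAME address.
LEDGER_REUSE = [
    {"inputs": [], "outputs": [{"address": A, "amount": 5}, {"address": C, "amount": 4}]},
    {"inputs": [{"pubkey": ALICE, "amount": 5}],
     "outputs": [{"address": B, "amount": 2}, {"address": A, "amount": 3}]},
]

# Scenario 2: the identical payment, but change goes to a fresh address.
LEDGER_FRESH_CHANGE = [
    {"inputs": [], "outputs": [{"address": A, "amount": 5}, {"address": C, "amount": 4}]},
    {"inputs": [{"pubkey": ALICE, "amount": 5}],
     "outputs": [{"address": B, "amount": 2}, {"address": A2, "amount": 3}]},
]


if __name__ == "__main__":
    for name, ledger in (("reuse", LEDGER_REUSE), ("fresh change", LEDGER_FRESH_CHANGE)):
        print(name, "at-risk coins:", at_risk_total(audit_exposure(ledger)))
```

In the reuse scenario Alice's three coins of change sit behind a public key that is now on-chain forever; in the fresh-change scenario every remaining balance is behind an unrevealed key, and Carol, who has never spent, is not exposed in either case. Dormant coins are the same picture at scale: whatever was spent from before the migration is exposed, and nobody is around to move it.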
Ethereum also relies on elliptic curve signatures and faces related problems across account signatures, validator keys, smart contracts, bridges, wallets, and custody infrastructure.
The truly ugly issue is abandoned assets.
What happens to old wallets that never migrate? What happens to dormant coins if their public keys are exposed and future quantum attackers can derive their private keys?
There are only two broad choices:
Leave old vulnerable coins vulnerable, which could let future quantum attackers steal them.
Force or incentivize migration to post-quantum addresses, which could violate the culture of immutability and property rights.
That is why crypto's quantum problem is not just technical. It is constitutional.
Who gets to change the rules when the old locks stop working?
Apple, iMessage, And Consumer Post-Quantum Crypto
Apple is already part of this story too.
Apple introduced PQ3 for iMessage, which it described as a major post-quantum cryptographic upgrade for end-to-end secure messaging.
The point of PQ3 is to help protect iMessage against future quantum attackers, especially harvest-now-decrypt-later attacks.
That does not mean the entire Apple ecosystem is quantum-proof. Apple ID, iCloud, app signing, device certificates, enterprise systems, and other infrastructure are separate questions.
But it does mean one of the largest consumer messaging systems has already started changing the locks.
That is a useful contrast: for consumers, post-quantum crypto may arrive quietly inside products. For companies, the migration will be a messy inventory, compliance, vendor, and infrastructure project.
Proving You Are Quantum-Safe Will Be A Business
The post-quantum transition will create a real business category.
Not just installing post-quantum cryptography. Proving it.
Companies will need to prove to customers, regulators, insurers, vendors, and governments that their cryptography can survive Q-Day.
That creates several businesses:
PQC audits
cryptographic inventories
crypto bill of materials tools
PQC migration consulting
compliance badges
vendor risk scoring
blockchain migration services
continuous monitoring for vulnerable keys and algorithms
cyber insurance underwriting tied to quantum readiness
The first big pain is simple: companies do not know where all their cryptography lives.
They have certificates, SSH keys, VPNs, APIs, signing systems, old devices, cloud configs, vendor dependencies, internal services, and forgotten legacy systems.
The quantum migration problem is not just math. It is inventory.
You cannot replace the locks if you do not know where the locks are.
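As an added illustration of that inventory problem (example code written for this article, not a tool from Google, Cloudflare or anyone else the post mentions): a small Python script that parses OpenSSH public-key lines, the kind that accumulate in authorized_keys files across a fleet, and records which Shor-vulnerable family each key belongs to, plus which ones are already weak classically and belong at the top of the rotation list. The sample lines are constructed inside the script with a tiny encoder and contain no real key material; the wire format being decoded (length-prefixed fields as in RFC 4251) is the real one.

```python
import base64
import struct

# --- RFC 4251 wire encodings used inside the base64 blob -------------------

def _put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _put_mpint(value: int) -> bytes:
    # Positive mpint: big-endian, with a leading 0x00 when the top bit is set.
    return _put_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def build_key_line(key_type: str, fields, comment: str) -> str:
    """Encoder used only to construct sample lines; the parser below does not depend on it."""
    blob = _put_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# --- Parsing and classification --------------------------------------------

# Every user/host key type OpenSSH ships today rests on a problem Shor's algorithm solves.
SHOR_BREAKS = {
    "RSA": "integer factoring",
    "DSA": "finite-field discrete log",
    "ECDSA": "elliptic-curve discrete log",
    "EdDSA": "elliptic-curve discrete log",
}


def parse_key_line(line: str) -> dict:
    """Parse one 'type base64 [comment]' line (lines with leading options are not handled)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1])
    fields, offset = [], 0
    while offset < len(blob):
        field, offset = _read_string(blob, offset)
        fields.append(field)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside blob does not match the line prefix")
    record = {"type": key_type, "comment": comment}
    if key_type == "ssh-rsa":
        record["family"] = "RSA"
        record["bits"] = int.from_bytes(fields[2], "big").bit_length()   # fields: type, e, n
    elif key_type.startswith("ecdsa-sha2-"):
        record["family"] = "ECDSA"
        record["curve"] = fields[1].decode()                              # fields: type, curve, Q
    elif key_type == "ssh-ed25519":
        record["family"], record["curve"] = "EdDSA", "ed25519"
    elif key_type == "ssh-dss":
        record["family"] = "DSA"
    else:
        record["family"] = "unknown"
    return record


def classify(record: dict) -> dict:
    out = dict(record)
    problem = SHOR_BREAKS.get(record["family"])
    out["quantum_vulnerable"] = problem is not None
    out["broken_by"] = f"Shor's algorithm ({problem})" if problem else None
    # Keys that are already weak classically go to the top of the rotation list.
    out["classically_weak"] = record["family"] == "DSA" or (
        record["family"] == "RSA" and record.get("bits", 0) < 2048)
    return out


def inventory(lines) -> list:
    return [classify(parse_key_line(ln)) for ln in lines
            if ln.strip() and not ln.lstrip().startswith("#")]


def summarize(records) -> dict:
    counts = {}
    for r in records:
        counts[r["family"]] = counts.get(r["family"], 0) + 1
    return counts


# Constructed sample authorized_keys file; the key material is NOT real.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, generated with build_key_line()",
    build_key_line("ssh-rsa", [_put_mpint(65537), _put_mpint((1 << 2047) | 1)], "deploy@build-host"),
    build_key_line("ssh-rsa", [_put_mpint(65537), _put_mpint((1 << 1023) | 1)], "legacy-backup@nas"),
    build_key_line("ecdsa-sha2-nistp256",
                   [_put_string(b"nistp256"), _put_string(b"\x04" + b"\x11" * 64)], "ci@runner"),
    build_key_line("ssh-ed25519", [_put_string(b"\x22" * 32)], "admin@laptop"),
]

if __name__ == "__main__":
    records = inventory(SAMPLE_AUTHORIZED_KEYS)
    for r in records:
        print(r["type"], r.get("bits") or r.get("curve"), r["comment"], "->", r["broken_by"])
    print(summarize(records))
```

Every key in the sample comes back quantum-vulnerable, which is the honest answer for SSH user and host keys today; the value of the inventory is the per-key record (algorithm, size, owner comment) that a migration plan can be built on, and the 1024-bit RSA key it flags as weak regardless of any quantum timeline. The same decode-and-classify pass generalizes to certificate stores, code-signing keys and TLS configurations, which is where the real fleet work lies.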
The Real Story
The real story is not that quantum computers instantly destroy the internet.
The real story is that quantum computing is turning cryptography into a migration race.
The world has to move from old public-key systems to post-quantum systems before the cryptographically relevant quantum computer exists. That is hard because the internet is not one system. It is billions of systems, devices, keys, vendors, certificates, protocols, wallets, browsers, clouds, APIs, and forgotten dependencies.
The internet has changed locks before. But it has never had to change this many locks, across this many systems, because of a future computer that does not fully exist yet but may arrive soon enough to matter.
That is why Aaronson's warning matters.
It is not a prediction that everything breaks in 2029. It is a warning that if organizations wait until the break is visible, the migration window may already be gone.
Clean Takeaway
Quantum computers do not break everything. But a large enough fault-tolerant quantum computer can break the public-key cryptography that protects internet identity, crypto wallets, secure connections, and software signatures.
Scott Aaronson is warning that serious people now think that machine could plausibly arrive around 2029. Google and Cloudflare are already treating 2029 as a serious post-quantum migration target. Apple has already moved iMessage into the post-quantum era with PQ3.
The internet does not need to panic.
It needs to change the locks before the quantum locksmith shows up.
Sources
Scott Aaronson, "Will you heed my warnings NOW?": https://scottaaronson.blog/?p=9718
Scott Aaronson homepage and bio: https://www.scottaaronson.com/
Scott Aaronson, "Quantum computing bombshells that are not April Fools": https://scottaaronson.blog/?p=9665
Google, "Quantum frontiers may be closer than they appear": https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
Google Research, "Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly": https://research.google/blog/safeguarding-cryptocurrency-by-disclosing-quantum-vulnerabilities-responsibly/
Google DeepMind, AlphaQubit quantum error correction: https://blog.google/innovation-and-ai/models-and-research/google-deepmind/alphaqubit-quantum-error-correction/
Nature, "Learning high-accuracy error decoding for quantum processors": https://www.nature.com/articles/s41586-024-08148-8
Cloudflare, "Cloudflare targets 2029 for full post-quantum security": https://blog.cloudflare.com/post-quantum-roadmap/
Apple Security Research, "iMessage with PQ3": https://security.apple.com/blog/imessage-pq3/
Coinbase-convened quantum computing and blockchain position paper linked by Aaronson: https://assets.ctfassets.net/sygt3q11s4a9/6EjYavuGdtJDYCqaJrASj9/9f464a8bf26f44bd6c85710fe7e4a29f/Quantum_Computing_and_Blockchain_v10.3_15April2026.pdf