Google, Quantum Attacks, and ECDSA: Why There’s No Need to Panic and Why Preparation Matters Now
Over the past several weeks, we’ve seen growing discussion across the industry about Google’s latest publications on quantum computing and cryptography. In some corners, those discussions have quickly escalated into claims that widely deployed elliptic curve cryptography (ECC), including ECDSA, is on the verge of collapse.
Customers are understandably asking questions: Has ECDSA been broken? Are today’s systems suddenly at risk? Do migration timelines need to change?
At Rambus, our view is clear and measured: there is no need to panic, but there is every reason to prepare thoughtfully and deliberately for the post‑quantum transition already underway.
What Google Has Actually Published
To put recent claims into context, it’s important to separate what has been said from what has been inferred.
In November 2025, Google published an academic paper outlining its perspective on the state and trajectory of quantum computing. This work reinforced a view shared by many in the research community: progress is steady and meaningful, but not sudden or magical.
More recently, in March 2026, Google made two notable public moves. First, it announced plans to migrate its cryptographic infrastructure to post‑quantum cryptography (PQC) by 2029, one of the most aggressive migration timelines publicly stated by a major technology provider. Shortly thereafter, Google and academic collaborators published a white paper analyzing the impact of quantum attacks on cryptocurrencies, including an improved theoretical attack against ECDSA.
That white paper, in particular, has drawn significant attention well beyond the cryptocurrency ecosystem.
Has ECDSA Been “Broken”?
No. Despite some dramatic headlines, ECDSA has not been broken. The improved attack described in the paper is still estimated to require hundreds of thousands of physical qubits. Today’s quantum systems are typically well below 10,000 physical qubits, and scaling reliably to that level remains a substantial technical challenge.
In practical terms, there is still a wide gap between theoretical cryptanalysis and a cryptographically relevant quantum computer capable of threatening 256‑bit ECC in the real world.
How Credible Is the Claimed Attack Improvement?
The honest answer is that it deserves attention, but also scrutiny.
Many technical details have been withheld for responsible disclosure reasons, which limits independent evaluation. At the same time, the authors include highly respected researchers, and Google has deep expertise across quantum algorithms, hardware, and systems engineering.
History provides useful caution here. Previous claims of improved quantum attacks have sometimes failed under close review, often because they underestimated the cost of classical computation moved outside the quantum portion of the attack. Proper validation typically requires interdisciplinary teams spanning quantum theory, hardware constraints, and classical cryptanalysis.
From our perspective, it would be unwise to dismiss the work outright. When an organization with Google’s depth of quantum expertise commits publicly to an accelerated PQC migration timeline, the signal is worth taking seriously, even as the details continue to be reviewed by the broader community.
Putting Google’s Migration Timeline in Context
A 2029 target is aggressive, but not wildly out of step with other guidance.
For example, CNSA 2.0 mandates migration completion around 2030 or 2033 depending on application class. Several European national security organizations operate with timelines in the 2030–2035 range. While the difference between 2029 and 2030 may seem small, the pace implied by Google’s announcement is notable.
It’s also important to remember that national security organizations continuously reassess timelines as new research emerges. Migration plans typically include buffers to absorb unexpected breakthroughs. Whether Google’s claimed improvements exceed those buffers remains to be seen, but this is precisely the kind of development such buffers are designed for.
What PQC Migration Timelines Really Mean
One common misunderstanding is that a migration deadline reflects when a quantum break is expected to occur. In reality, migration must be completed years before any such break is anticipated.
The required lead time depends on how long protected data must remain secure:
- TLS key exchange has a long vulnerability window due to “store‑now, decrypt‑later” attacks.
- TLS handshake signatures have a very short window; once a session is established, the signature no longer matters.
- Digital signatures on contracts may need to remain valid for decades, covering employment agreements, mortgages, retirement savings, or long‑term commercial obligations.
A timeline without a concrete migration plan offers little value. Effective planning requires knowing where cryptography is used across hardware and software, how systems interact, what natural replacement cycles look like, and which assets are business‑critical.
This is where cryptographic and software bills of materials (CBOMs and SBOMs) become essential. Without visibility into which algorithms are used where, it is impossible to prioritize migration effectively.
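The lead-time reasoning above can be applied directly to an inventory. The following sketch is an added example, not Rambus code: the record fields, the sample inventory, the replacement durations, and the break year are all constructed assumptions, and the record layout is not a standard CBOM schema.

```python
from dataclasses import dataclass
from typing import Optional

# Families the article names as needing PQC replacements (RSA and ECC).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH"}

@dataclass
class Usage:              # hypothetical record, not a standard CBOM schema
    asset: str
    algorithm: str
    purpose: str
    secure_years: int     # how long the data or signature must stay secure
    replace_years: int    # assumed time needed to replace this deployment

# Constructed sample inventory for illustration.
INVENTORY = [
    Usage("vpn-gateway", "ECDH", "key-exchange", 10, 3),
    Usage("web-frontend", "ECDSA", "handshake-signature", 0, 2),
    Usage("contract-signing", "RSA", "document-signature", 30, 2),
    Usage("disk-encryption", "AES", "data-at-rest", 15, 3),
    Usage("firmware-signing", "ML-DSA", "code-signature", 20, 4),
]

def latest_start_year(u: Usage, break_year: int) -> Optional[int]:
    """Latest year migration can begin; None if the algorithm is not at risk."""
    if u.algorithm not in QUANTUM_VULNERABLE:
        return None
    # Migration must finish secure_years before the break, and takes replace_years.
    return break_year - u.secure_years - u.replace_years

def prioritize(inventory, break_year: int, today: int):
    """Return (latest_start, asset, algorithm, status) rows, most urgent first."""
    rows = []
    for u in inventory:
        start = latest_start_year(u, break_year)
        if start is None:
            continue
        status = "OVERDUE" if start < today else "on-track"
        rows.append((start, u.asset, u.algorithm, status))
    return sorted(rows)

if __name__ == "__main__":
    # break_year is a planning assumption, not a forecast from the article.
    for row in prioritize(INVENTORY, break_year=2040, today=2026):
        print(row)
```

With these assumed numbers, the long-lived contract signatures come out overdue while the TLS handshake signatures have the most slack, matching the ordering of the three cases listed above.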
How Far Away Is a Cryptographically Relevant Quantum Computer?
No one knows with certainty. Public forecasts estimate how many logical qubits would be required to threaten RSA or ECC, but translating that into physical qubits depends heavily on error rates, error‑correction overhead, and system architecture. Multiple quantum computing technologies are still competing, and it remains unclear which will scale fastest.
Key challenges—error rates, error‑correction overhead, and interconnect scalability—remain significant. Progress continues, but additional breakthroughs are still required before quantum systems pose a direct threat to deployed cryptography.
Beyond Cryptocurrencies: Broader PQC Challenges
While cryptocurrencies have attracted attention, they are far from unique.
Some cryptographic applications go beyond basic encryption, key exchange, or signatures and require special consideration in a post‑quantum world. Protocols based on elliptic curve pairings, for example, currently lack mature, standardized PQC replacements. Certain group and threshold signature schemes may also require careful reevaluation.
The good news is that many widely used primitives, such as AES, SHA‑2, and SHA‑3, are already considered quantum‑resistant. And for RSA and ECC, standardized PQC replacements now exist, with defined migration paths.
At Rambus, our security IP portfolio is designed with this transition in mind, supporting quantum‑resilient symmetric cryptography today and standardized PQC algorithms as replacements for public‑key mechanisms, along with clear roadmaps for adoption.
Explore Cryptography IP:
- Poly1305 Crypto Accelerator
- SHA-3, SHA-2, SHA-1, SM3, MD5, Hash Accelerators
- Fast Quantum Safe Engine for ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium)
The Bigger Picture
The real takeaway from Google’s announcements is not that catastrophe is imminent. It’s that the industry has entered a more serious phase of post‑quantum transition.
Cryptography underpins nearly every digital system. Migrating it is complex, slow, and deeply interconnected with hardware lifecycles, software ecosystems, standards, and operational reality. Cryptocurrencies may face unique governance challenges, but every global digital infrastructure faces similar technical hurdles.
So no, there is no need to panic. But there is every reason to inventory, plan, prioritize, and execute.
In the post‑quantum era, preparedness, not fear, will define resilience.