Twenty-Three Days, Eleven Signals: The Post-Quantum Window Compressed Faster Than Most Enterprise Plans Assumed

Between March 25 and April 17, the research community, the infrastructure layer of the internet, Meta, the federal government, and the public markets all moved in the same direction. That is coordinated acceleration across the stack.

Any one of these signals, taken alone, would warrant attention from a serious security team. Together, they represent an unusually fast compression of the planning window for every organization that depends on public-key cryptography. Which is nearly every organization. Below is what happened, in order, and what it means.

Phase One: The Research Compression (March 25 to April 5)

On March 25, Google's VP of Security Engineering published a call for every organization to complete its post-quantum cryptography migration by 2029. Not 2035, the NIST disallowance deadline. Not 2030, the deprecation date. 2029. Google has been preparing for this transition since 2016 with what the company calls “crypto agility.” A decade of preparation, and Google still needs three more years.

Five days later, Google Quantum published a paper with new resource estimates indicating that elliptic curve cryptography at the 256-bit level may require far fewer qubits than previous estimates suggested. Under stated superconducting architecture assumptions, the paper describes circuits executing with fewer than 500,000 physical qubits and a runtime of approximately nine minutes on a primed cryptographically relevant quantum computer. That represents roughly a 20x reduction over the prior best estimate for ECDLP-256. Google validated the improved algorithm through a zero-knowledge proof but did not publish the algorithm itself.

The same day, Caltech and Oratomic, a stealth startup, published a preprint describing a neutral-atom architecture that could break ECC-256 with roughly 26,000 physical qubits and a 10-day runtime. Cloudflare's own assessment of that paper: “only about 3-4 physical neutral atom qubits per logical qubit,” far below typical surface code requirements.

On April 5, IQM and Germany's Fraunhofer FOKUS compiled Shor's algorithm gate by gate at RSA-2048 scale for the first time. Not a theoretical resource estimate. An actual gate-by-gate assembly with an exact qubit budget. The research community treats that as a qualitatively different milestone from any prior estimate.

Phase Two: The Infrastructure Response (April 7)

On Monday, April 7, Cloudflare published a revised post-quantum roadmap targeting full platform security, including authentication, by 2029. Cloudflare processes roughly 20% of all web traffic on Earth. Over 65% of human-generated traffic through their network already uses post-quantum key agreement. What they had not yet addressed at scale was authentication.

Cloudflare's roadmap is specific. ML-DSA support for origin connections by mid-2026. Post-quantum end-user connections via Merkle Tree Certificates by mid-2027. Cloudflare One SASE platform upgraded by early 2028. Full post-quantum security by 2029. The point is operational scope: Cloudflare is treating post-quantum coverage as platform infrastructure, not a niche add-on.

The same week, Ray Harishankar, CTO of IBM Quantum Safe, stated publicly that quantum “moonshot attacks” on high-value targets cannot be ruled out as early as 2029. IBM is not a company given to alarmism about quantum computing timelines. They build quantum computers.

Both Google and Cloudflare adjusted their threat models to prioritize authentication migration over harvest now, decrypt later mitigation. That is the most important interpretive shift in the cycle. The world's most sophisticated infrastructure teams are now worried about forged digital signatures, impersonated identities, and quantum-enabled attackers walking through the front door of live systems in real time. A compromised authentication key does not just leak old secrets. It grants full access now.

Phase Three: The Industry Playbook (April 14 to April 16)

On Tuesday, April 14, World Quantum Day, NVIDIA launched Ising. The first family of open-source models built specifically for quantum computing. Two products. Ising Calibration uses a vision-language model to automate quantum processor setup, cutting calibration time from days to hours. Ising Decoding uses 3D convolutional neural networks for real-time quantum error correction, running 2.5x faster and 3x more accurate than the current open-source standard. Jensen Huang framed the strategic implication as model systems becoming the control plane and operating system of quantum machines.

The adoption list spanned multiple quantum hardware modalities and major research institutions. Atom Computing. Infleqtion. IonQ. IQM. Harvard. Cornell. Sandia National Labs. Fermi National Lab. Lawrence Berkeley National Lab. UC San Diego. UC Santa Barbara. University of Chicago. UK National Physical Laboratory. That breadth of early adoption across neutral-atom, trapped-ion, and superconducting platforms is unusual for a launch-day announcement.

Classical control has been cited by researchers as one of the engineering bottlenecks on the path to a cryptographically relevant quantum computer. Making open-source tools available for those workloads, running on commodity GPU infrastructure, moves a subset of that work out of vendor-internal engineering and into a shared ecosystem.

The Senate Commerce Committee unanimously advanced reauthorization of the National Quantum Initiative Act on World Quantum Day. New provisions include a quantum manufacturing institute, public-private partnerships for near-term applications, and a mandate that the White House Office of Science and Technology Policy coordinate a national strategy for migrating federal systems to post-quantum cryptography. Federal PQC migration has moved from published guidance to formal national strategy.

On Thursday, April 16, Meta published its post-quantum cryptography migration framework on Engineering at Meta. This was not a status report. It was a full engineering playbook.

Meta published a six-step migration strategy: prioritization, build a cryptographic inventory, address external dependencies, implement PQC components, implement PQC guardrails, integrate PQC components. The very first step after prioritization is build a cryptographic inventory. Meta calls it “a critical prerequisite for the completion of the work.” Meta's own cryptographers co-authored HQC, one of the NIST-selected algorithms, as well as BIKE and Classical McEliece. The company has been deploying PQC across its internal traffic for years using a hybrid Kyber plus X25519 approach through its Fizz TLS library.

Meta just published the PQC migration playbook for the world. And step one, before any cryptographic migration work begins, is cryptographic inventory.

Phase Four: The Capital Markets Response (April 14 to April 16)

The capital markets responded the way they respond when a thesis confirms.

On Tuesday, April 14, IonQ closed up roughly 18 to 21 percent depending on source. D-Wave Quantum gained roughly 15 to 23 percent. Rigetti Computing rose roughly 12 to 13 percent. Quantum Computing Inc. posted double-digit gains. By Thursday, week-to-date gains for IonQ and D-Wave reached approximately 50 percent according to CNBC. NVIDIA itself posted its longest winning streak since 2023. TD Cowen analyst Krish Sankar called NVIDIA Ising a “critical catalyst” that could speed up commercialization of the quantum industry. D-Wave's trading volume spiked well above its three-month average, and Korean post-quantum cryptography stocks hit their daily trading limits following the launch.

More capital moved in the same week. Chad Rigetti, who founded and previously led Rigetti Computing, announced Sygaldry Technologies with $139 million in combined funding. A $105 million Series A led by Breakthrough Energy Ventures, Bill Gates' climate and technology fund, plus a $34 million seed backed by Initialized Capital. The company's focus is quantum hardware for Intelligence Model data centers.

The QED-C State of the Global Quantum Industry 2026 report dropped on April 14. It confirmed $4.9 billion in private quantum venture capital in 2025, more than double the prior record. Public funding commitments now total $56.7 billion globally. The pure-play quantum workforce grew 14% in a single year. Revenue at quantum companies is expected to double by 2028 to $3 billion.

The Pattern

These are not eleven isolated events. They are a coherent pattern across four phases, confirmed independently by research teams, infrastructure providers, Meta's engineering organization, the federal legislative branch, and the capital markets, all within twenty-three days.

The Citi GPS report published in January 2026 modeled the consequences of a quantum-enabled attack on a top-five US bank's Fedwire access for a single day. Citi estimated up to $2 to $3.3 trillion in GDP at risk and put the probability of quantum computers breaking current public-key encryption at up to 34% by 2034. Those figures sat in the background of the April cycle. None of the April signals reduced the force of that estimate.

What This Means for Your Organization

The most important commercial signal in the entire cycle is the Meta framework. Meta just told the world that post-quantum readiness is a five-level maturity problem. Most enterprises today sit at level one or level two. The very first operational step, before anything else happens, is a cryptographic inventory.

That step is not optional. Every subsequent decision, which systems to prioritize, which vendors to pressure, which certificates to rotate, which APIs to deprecate, depends on knowing where quantum-vulnerable cryptography lives in the environment. Without that inventory, there is no migration plan. Without a migration plan, there is no 2029 deadline. There is only exposure.

The organizations that will finish their migration before the window closes are the ones that start step one this quarter.