Quantum Computing Pushes Post-Quantum Cryptography Deadlines Forward to 2029

The conversation about quantum computing has shifted in 2026. What was once a long-term research concern has become a near-term planning issue for anyone responsible for digital trust.

Recent research from Google Quantum AI suggests that breaking Elliptic Curve Cryptography (ECC) may require far fewer physical qubits than previously estimated. Google has responded by moving its post-quantum cryptography target forward to 2029.

This change matters for every organization that uses SSL Certificates, Transport Layer Security (TLS), or any system built on public key cryptography. The cryptographic foundations underpinning modern internet security were designed under assumptions that no longer hold, and the migration path to post-quantum-ready trust infrastructure now needs to begin in earnest.

Trustico® works closely with Sectigo® to monitor these developments and prepare for the architectural changes ahead. Learn About The Sectigo® Certificate Authority Partnership 🔗

Recent Research Behind the Updated Quantum Timeline

Earlier estimates suggested that breaking Elliptic Curve Cryptography (ECC) at the 256-bit level would require millions of stable physical qubits. That number always sounded comfortable.

Quantum hardware was nowhere close to producing that many qubits with the error correction needed for sustained computation. Most security planners treated post-quantum migration as a problem for the next decade.

Newer research has changed those numbers significantly. Researchers have demonstrated techniques that use optical tweezers to physically move atoms during computation, allowing for a far more efficient form of error correction known as Quantum Low Density Parity Check (QLDPC).

With approximately 10,000 physical qubits applying this technique, breaking 256-bit Elliptic Curve Cryptography (ECC) becomes theoretically possible within roughly three years of continuous computation. Scaling that hardware to 26,000 qubits could reduce the time to a matter of days.

The drop from millions of qubits to tens of thousands is the part that has changed the conversation. It moves a cryptographically relevant quantum computer from a distant theoretical concept into a near-term engineering target.

Hardware development is still required, but the goalposts are now within reach of well-funded research programs rather than sitting in some indeterminate future.

Google's Accelerated 2029 Target for Post-Quantum Cryptography

Google has responded to the new research by accelerating its post-quantum cryptography roadmap. Full post-quantum support across Google services is now targeted for 2029, several years earlier than previous public commitments.

The shift signals that Google considers quantum risk to be a practical concern rather than a long-term research topic. Quantum risk is now treated as something that needs current attention, not future planning.

Alongside the schedule change, Google has issued public warnings to the cryptocurrency ecosystem about Elliptic Curve Cryptography (ECC) vulnerabilities. The warnings are framed in the same way that traditional security teams treat real-world vulnerabilities, using responsible disclosure practices rather than publishing attack mechanics.

The implication is straightforward. Google is treating quantum risk like a software vulnerability that has not yet been weaponized but soon could be.

The decision to move the target to 2029 reflects two practical realities. Cryptographic systems are deeply embedded in software, hardware, and protocols, and replacing them takes years of coordinated work.

The "harvest now, decrypt later" risk also means encrypted data captured today could be decrypted retroactively once a sufficiently powerful quantum computer exists. The migration therefore needs to be well underway before the first cryptographically relevant quantum computer comes online.

What Elliptic Curve Cryptography Vulnerability Means for SSL Certificates

SSL Certificates use public key cryptography to establish trust between browsers and servers. The two algorithms most commonly used today are Rivest Shamir Adleman (RSA) and Elliptic Curve Cryptography (ECC).

Elliptic Curve Cryptography (ECC) has been gaining ground because it offers comparable security to Rivest Shamir Adleman (RSA) with much smaller key sizes. The smaller keys improve performance for Transport Layer Security (TLS) handshakes and reduce bandwidth use.

The recent research focuses specifically on Elliptic Curve Cryptography (ECC) at the 256-bit level, which is the size used in most modern SSL Certificate deployments that rely on this algorithm. If a quantum computer with the right characteristics becomes available, that algorithm would no longer provide meaningful security against an attacker with quantum capabilities. Discover Our RSA DSA ECC Encryption Information 🔗

Rivest Shamir Adleman (RSA) faces the same theoretical threat under Shor's algorithm, but at much higher qubit counts than Elliptic Curve Cryptography (ECC). The two algorithms will need to be replaced together as part of the broader transition to post-quantum cryptography, but Elliptic Curve Cryptography (ECC) is now the more immediate concern given the lower qubit threshold required to attack it.

Merkle Tree Certificates (MTC) as the Post-Quantum Path Forward

Replacing the cryptographic algorithms used in SSL Certificates is harder than it sounds. Post-quantum signature algorithms produce signatures that are dramatically larger than what Rivest Shamir Adleman (RSA) or Elliptic Curve Cryptography (ECC) produces today.

Embedding those signatures into every SSL Certificate, transmitting them in every Transport Layer Security (TLS) handshake, and storing them across the global SSL Certificate infrastructure would create serious performance and bandwidth problems for the web.

Merkle Tree Certificates (MTC) are the architecture being developed to solve this problem. Rather than embedding a large signature into every SSL Certificate, Merkle Tree Certificates (MTC) use a cryptographic structure called a Merkle tree to allow many SSL Certificates to share verification data efficiently.

A relying party such as a browser can verify a single SSL Certificate without downloading or processing a massive signature for each connection.

Google has publicly endorsed Merkle Tree Certificates (MTC) as its primary strategy for post-quantum SSL Certificates within Chrome. Given Chrome's market share and influence over Web Public Key Infrastructure (WebPKI) policy, that endorsement effectively positions Merkle Tree Certificates (MTC) as the leading industry path forward.

The specification is currently progressing through the public commentary process at the Internet Engineering Task Force (IETF), which is the standards body responsible for most internet protocols.

Merkle Tree Certificates (MTC) are designed for real deployment rather than purely theoretical work. While additional post-quantum algorithms may emerge from ongoing research, Merkle Tree Certificates (MTC) is the only practical implementable architecture that aligns with the accelerated timelines now being discussed publicly.

Architectural Changes Across the SSL Certificate Ecosystem

Adopting Merkle Tree Certificates (MTC) is not a drop-in replacement for the current SSL Certificate model. It represents a wholesale change to how trust is managed online.

The new architecture introduces operational roles that do not exist in the current Web Public Key Infrastructure (WebPKI), most notably co-signers and mirrors. Co-signers participate in producing the cryptographic structure that allows efficient verification, while mirrors distribute the data that browsers need to validate SSL Certificates.

The way SSL Certificates are issued, validated, and distributed across the ecosystem will need to be rethought. Certificate Authorities (CA) will continue to play a central role, but the supporting infrastructure around them will look different.

Browser vendors will need to implement support for the new verification model, and server operators will need software updates to handle the new SSL Certificate format. Find Out More About Root Certificates in SSL TLS 🔗

Trustico® expects this transition to happen in stages rather than as a single switchover. Existing Rivest Shamir Adleman (RSA) and Elliptic Curve Cryptography (ECC) SSL Certificates will continue to be issued and trusted for some time, while Merkle Tree Certificates (MTC) infrastructure is built out and tested in parallel.

The 2029 target is the point at which Google expects the transition to be substantially complete for Chrome, not the point at which the transition begins.

Practical Implications for Trustico® Customers

Most Trustico® customers do not need to take immediate action, but they do need to understand what is coming. The first practical implication is that cryptographic agility matters more than it used to.

Organizations that have built their security architecture around the assumption that algorithms never change will find the post-quantum transition harder than those that have planned for change.

Working with an established Certificate Authority (CA) that participates in the Web Public Key Infrastructure (WebPKI) standards process is now more important than buying SSL Certificates from whichever provider is cheapest.

Sectigo® is one of the Certificate Authorities (CA) actively contributing to the post-quantum transition, including ongoing research and participation in the standards bodies that will define the future of digital trust. Discover the Leading Certificate Authority That Trustico® Works With 🔗

The shift to shorter SSL Certificate validity periods is also relevant here. Industry-mandated reductions to 200 days, then 100 days, and eventually 47 days by 2029 mean that customers will be reissuing SSL Certificates much more frequently than they do today.

Frequent reissuance is what makes algorithm transitions practical at all. An SSL Certificate that lives for 398 days is hard to update mid-cycle, but an SSL Certificate that is reissued every 47 days picks up new algorithms naturally as part of normal operations. Explore Our SSL Certificate Validity Period Information 🔗

Preparation by Trustico® for the Post-Quantum Transition

Trustico® is preparing for the post-quantum transition through ongoing work with Sectigo® on post-quantum cryptography research. Sectigo® has already developed private post-quantum cryptography offerings for enterprise environments.

Public SSL Certificate post-quantum support will follow the timelines set by the CA/Browser Forum and the major browser vendors, but the underlying capability and expertise are being built now.

Trustico® Certificate as a Service (CaaS) is the practical mechanism by which customers will absorb the upcoming changes without disruption. Automated SSL Certificate management means that algorithm updates, validity period changes, and eventual migration to Merkle Tree Certificates (MTC) can happen without manual intervention from customers.

Without automation, the combination of shorter validity periods and the post-quantum transition would be operationally overwhelming for most organizations. View Our Certificate as a Service Information 🔗

Customers who continue to manage SSL Certificates manually will face increasing operational burden as the post-quantum migration progresses. Those who adopt automation now will be in a much better position to handle the transitions ahead.

The architectural changes coming to the Web Public Key Infrastructure (WebPKI) are significant, but they are also predictable, and customers who plan for them have time to prepare. Find Out More About Reasons to Choose Trustico® 🔗

Looking Ahead at Post-Quantum Migration

The 2029 target is now public, the algorithms are being standardized, and the architecture for post-quantum SSL Certificates is taking shape through the Internet Engineering Task Force (IETF). Quantum hardware development continues, and the timeline could move forward or backward depending on engineering progress, but the direction is clear.

Post-quantum cryptography is no longer optional preparation for a distant future. It is foundational work for maintaining digital trust over the next several years.

Trustico® will continue to track these developments and work with Sectigo® to ensure that customer SSL Certificates remain trusted and secure through the transition. The combination of automated Certificate management through Certificate as a Service (CaaS), shorter validity periods, and an established Certificate Authority (CA) partnership gives Trustico® customers a workable path forward without requiring them to become quantum cryptography experts themselves.