Google’s 2029 Post-Quantum Push Puts a Real Clock on Bitcoin’s Security Upgrade

Google just drew a line in the sand: its entire stack will transition to post-quantum cryptography (PQC) by 2029. That’s not a prediction that cryptography fails that year—it’s a readiness target. For Bitcoin, the message isn’t doom; it’s a timeline problem. Centralized firms can mandate upgrades. A decentralized monetary network has to earn them.

What Google is changing now - The company is rolling PQC across Google Cloud and internal comms, and plans to ship post-quantum digital signatures in Android 17 using ML-DSA—the newly standardized NIST algorithm derived from Dilithium. - Leadership framed the schedule as necessary given faster-than-expected gains in quantum hardware, error correction, and resource estimates for factoring. - The date tracks with IBM’s roadmap toward fault-tolerant quantum systems around 2029. And 2025 marked a noticeable shift: improved error correction, fresh processor designs, and a Caltech experiment that trapped 6,000+ atomic qubits in one go moved the discussion from “if” to “when.”

Two active threat channels - Harvest-now-decrypt-later is already live: adversaries can store today’s encrypted traffic and unlock it later once cryptosystems fall. - Digital signatures underpin identity and authorization on the internet. Those must be swapped out before a cryptographically relevant quantum computer (CRQC) arrives.

Where Bitcoin is exposed Bitcoin uses ECDSA, which Shor’s algorithm can target. Hand a sufficiently capable quantum machine your public key, and deriving the private key becomes a practical exercise rather than a multi-century task.

The surface area is not trivial: - Project Eleven estimates more than 6.8 million BTC—over $470 billion—sit in address types that a future quantum attacker could prioritize, including early-era coins. - Analysis from Ark Invest and Unchained suggests roughly 35% of total supply is in address formats theoretically vulnerable. - Google researchers recently argued RSA may require 20x fewer quantum resources to break than previously modeled, pulling security horizons forward for similar math classes. - Old estimates put a Bitcoin break at ~20 million qubits; Iceberg Quantum now floats a scenario near ~100,000. Over the last five years, aggregate quantum performance has jumped roughly 10x.

Don’t confuse urgency with inevitability This isn’t a sell-everything moment. Google is getting ahead of the curve, not calling the top on classical crypto. And Bitcoin developers have started laying tracks. BIP 360—adding a quantum-resilient address format dubbed Pay-to-Merkle-Root—has been merged into the improvement repository. It doesn’t switch anything on, but it formalizes a path.

The real constraint: coordination, not computation The binding risk for Bitcoin is the migration window, not tomorrow’s qubit count. Even if a CRQC is many years out, redesigning address formats, rolling out wallet support, upgrading exchange infrastructure, coordinating miners, and moving user funds is a five-to-ten-year lift on its own. Jameson Lopp has made that point repeatedly: even under linear, steady progress in quantum, we’re likely a decade-plus away from a CRQC—but the protocol and users can easily need that long just to migrate safely.

Why this asymmetry matters: - Technology: PQ signatures (e.g., ML-DSA) are heavier. On-chain, you need formats and fee economics that won’t cripple usability. A careful introduction—opt-in outputs, new address types, and staged wallet defaults—reduces breakage. - Business: Custodians and exchanges face operational liability. They’ll get judged on how quickly they can re-sign reserves, rotate deposits, and support new scripts. This is board-level risk, not a niche feature. - Behavior: Users delay upgrades until there’s a visible fire. That inertia collides with harvest-now-decrypt-later incentives and with old outputs where public keys are already exposed. - Ethics: Early, vulnerable coins (including dormant holdings) create a perverse target list. A transparent, widely communicated migration path limits selective predation by well-resourced attackers.

What I’d watch from here - Wallet roadmaps shifting defaults toward quantum-resistant outputs as soon as practical. - Exchange deposit/withdrawal policies that encourage—or require—PQC-aware formats once standardized. - Miner signaling on soft-forkable constructs like Pay-to-Merkle-Root once the ecosystem proves tooling and fees are workable. - Android 17’s ML-DSA rollout as a bellwether for mainstream PQ signatures at scale.

Google can set 2029 and execute. Bitcoin can’t dictate a calendar, which is exactly why Google’s move functions as an external clock. If the network wants a smooth, value-preserving transition, it needs to start treating migration as product work today—not as an emergency patch the year a CRQC shows up.