Quantum Formalism
What a US Marines Commander Has in Common with Today’s Cybersecurity Executives

Dear QF Community,

Just when we thought we might take a short break from the post-quantum cryptography migration saga, Scott Aaronson, one of the most widely respected voices in quantum computing, published a striking new blog post (here).

The part that drew most of our attention was Aaronson's remark that some highly reputable people in quantum hardware and quantum error correction are now telling him that a fault-tolerant quantum computer capable of breaking deployed cryptosystems could arrive around 2029. Interestingly, he also says plainly that the people making this estimate may be too optimistic, that the timeline may slip, and that he should not be treated as an oracle on timing. What he does insist on is that the companies trying to build fault-tolerant quantum computers are not going to pause their work so that cybersecurity teams can finish their migration plans at a comfortable pace. In his view, that makes the warning unavoidable: organisations should start moving towards quantum-resistant encryption, and companies, blockchains, and standards bodies should stop treating the migration as something that can safely be pushed into the distant future.

A cynic might add that some of the most advanced quantum hardware companies, including firms with quantum processing units already in commercial use, are public companies, IonQ being an obvious example. Their executives, technical leaders included, have strong incentives to sound optimistic about timelines: a company's stock would hardly benefit from its leadership saying that useful fault-tolerant quantum computing is still thirty years away, while a timeline of less than a decade is far more attractive to investors.

For that reason, we should be careful not to treat every aggressive timeline as neutral scientific judgement, since market incentives and investor narratives are also part of the picture. At the same time, the existence of financial incentives does not automatically make the technical warning false, just as scepticism about timelines does not remove the need to prepare. The better response is not to swallow every optimistic forecast, but to recognise that enough credible people are now discussing shorter timelines for responsible organisations to stop treating post-quantum migration as a distant administrative exercise.

Why are so many cybersecurity executives at companies reluctant to migrate?

At this point, and as a welcome to our Substack members who recently joined us from a US military background, let us use an analogy that may feel closer to home.

Imagine a US Marine infantry commander who has spent years relying on a fleet of battle-tested infantry fighting vehicles (IFVs). They are not perfect, and he knows that better than anyone. Some parts are ageing, some systems are awkward, and the vehicles were not designed for every threat that may appear on tomorrow's battlefield. Yet they have been used under pressure, the crews know them, the mechanics know them, the supply chain knows them, and the commander has built a practical sense of where they perform well and where they need caution.

Now suppose a new model IFV arrives. On paper, it is superior. Better sensors, better armour, better mobility, improved digital systems, and stronger protection against the kinds of threats expected in the next conflict. The case for upgrading is not silly. In fact, ignoring the new vehicle would itself be irresponsible.

But would the commander replace the entire fleet overnight?

Almost certainly not, because the issue is not whether the new IFV model is promising. The issue is whether it has been tested under enough real conditions to justify total dependence. A system can pass formal trials and still behave differently when it meets mud, heat, bad visibility, tired crews, field repairs, logistics pressure, electronic interference, and the confusion of real operations.

In our view, that is the position many security executives feel they are in with post-quantum cryptography. They are not necessarily dismissing the quantum threat, and many of them understand perfectly well that today's widely deployed public-key systems, including RSA, finite-field Diffie–Hellman, elliptic-curve key exchange such as X25519, and elliptic-curve signatures such as ECDSA, all rest on factoring or discrete-logarithm problems that Shor's algorithm solves efficiently, and so cannot be assumed safe once a large enough fault-tolerant machine exists. Their hesitation often comes from the other side of the risk equation. Migrating cryptography across a large organisation is not like changing a password policy or updating a software package. It touches protocols, certificates, hardware security modules, browsers, APIs, embedded devices, procurement contracts, compliance requirements, vendor dependencies, customer integrations, and old systems that nobody fully wants to touch unless they have to.

This is why the reluctance should not always be read as denial. In many cases, it is the reluctance of someone who knows that a rushed migration can create new security failures while trying to solve an old one. A mathematically strong post-quantum algorithm still has to survive implementation, integration, interoperability, side-channel analysis, operational mistakes, and the sheer complexity of being deployed across real infrastructure.

The commander’s answer is not to ignore the new vehicle, but neither is it to scrap the whole fleet in one dramatic gesture. He trials it, trains with it, introduces it where the risk justifies early adoption, studies the failure modes, and expands the rollout as confidence grows.

That is the kind of mindset companies need now. Post-quantum migration should not be treated as a panic exercise, but it should not be filed away as a problem for some distant future either. The more measured, pragmatic path sits between those two instincts. Companies should start the inventory of where and how cryptography is used, test hybrid modes where appropriate (a classical and a post-quantum key exchange combined so that a session stays protected as long as either one holds), protect long-lived sensitive data first because traffic recorded today can be decrypted once such a machine exists, push vendors for clear roadmaps, and build internal experience before the transition becomes an emergency.

Side note: Cryptographers Filippo Valsorda and Matthew Green are reportedly finalising a $5,000 bet over which primitive fails first: ML-KEM-768, the NIST-standardised post-quantum key-encapsulation mechanism (FIPS 203) at its middle parameter set, or X25519, one of today's most widely used elliptic-curve key-agreement methods. You can read the full article here.
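To make the "hybrid mode" idea concrete, here is an added example of our own (it is not code from Aaronson's post, from the bet article, or from any project named above): a hybrid X25519 + ML-KEM-768 key exchange written in Go against the standard library's crypto/ecdh and crypto/mlkem packages (Go 1.24 or later). The function names, the wire layout and the HMAC-SHA256 combiner are assumptions made for this illustration; the layout follows the field order of the X25519MLKEM768 TLS draft, but this is not a TLS implementation. The point it demonstrates is the one that makes hybrids attractive to a cautious migration lead: the session key depends on both secrets, so the exchange stays confidential as long as either X25519 or ML-KEM-768 holds, which is exactly the scenario the bet above is about.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"slices"
)

// Wire layout assumed for this example (same field order as the X25519MLKEM768 TLS draft):
// client share = ML-KEM-768 encapsulation key (1184 B) || X25519 public key (32 B); server share = ML-KEM-768 ciphertext (1088 B) || X25519 public key (32 B).

// ClientKeyShare generates both ephemeral key pairs and returns the client share together
// with a finish function that parses the server share and derives the client's session key.
func ClientKeyShare() ([]byte, func([]byte) ([]byte, error), error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientShare := slices.Concat(dk.EncapsulationKey().Bytes(), xk.PublicKey().Bytes())
	finish := func(serverShare []byte) ([]byte, error) {
		if len(serverShare) != mlkem.CiphertextSize768+32 { // peer-supplied: check before slicing
			return nil, errors.New("server share has wrong length")
		}
		ssKEM, err := dk.Decapsulate(serverShare[:mlkem.CiphertextSize768]) // tampered ct: pseudorandom secret, no error
		if err != nil {
			return nil, err
		}
		serverPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
		if err != nil {
			return nil, err
		}
		ssECDH, err := xk.ECDH(serverPub)
		if err != nil {
			return nil, err
		}
		return Combine(ssKEM, ssECDH, slices.Concat(clientShare, serverShare)), nil
	}
	return clientShare, finish, nil
}

// ServerRespond parses the client share, encapsulates to its ML-KEM key, runs X25519 against
// its point, and returns the server share plus the server's copy of the session key.
func ServerRespond(clientShare []byte) (serverShare, key []byte, err error) {
	if len(clientShare) != mlkem.EncapsulationKeySize768+32 { // peer-supplied: check before slicing
		return nil, nil, errors.New("client share has wrong length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	ssKEM, ct := ek.Encapsulate()
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssECDH, err := xk.ECDH(clientPub) // rejects low-order points that would give an all-zero secret
	if err != nil {
		return nil, nil, err
	}
	serverShare = slices.Concat(ct, xk.PublicKey().Bytes())
	return serverShare, Combine(ssKEM, ssECDH, slices.Concat(clientShare, serverShare)), nil
}

// Combine binds both shared secrets and the handshake transcript into one 32-byte key with an
// HKDF-style extract-then-expand over HMAC-SHA256 (assumed combiner, not TLS's key schedule).
// Recovering the key needs BOTH ssKEM and ssECDH: breaking X25519 alone or ML-KEM alone is not enough.
func Combine(ssKEM, ssECDH, transcript []byte) []byte {
	extract := hmac.New(sha256.New, transcript) // transcript of both shares acts as the HKDF salt
	extract.Write(slices.Concat(ssKEM, ssECDH))
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("hybrid x25519+mlkem768 demo session key\x01"))
	return expand.Sum(nil)
}

func main() {
	clientShare, finish, err := ClientKeyShare()
	if err != nil {
		panic(err)
	}
	serverShare, serverKey, err := ServerRespond(clientShare)
	if err != nil {
		panic(err)
	}
	clientKey, err := finish(serverShare)
	fmt.Printf("err=%v keys match=%v key=%x\n", err, bytes.Equal(clientKey, serverKey), clientKey)
}
```

Run it with go run; each run prints a fresh 32-byte key and keys match=true. Two practitioner caveats are built in. Both shares arrive from the peer, so the length checks are not decoration: without them a short share would index past the buffer. And a tampered ML-KEM ciphertext produces no error, because ML-KEM rejects implicitly by returning a pseudorandom secret, so the mismatch only becomes visible at key confirmation (in TLS, the Finished message). In production, use the hybrid groups your TLS library ships rather than a hand-rolled combiner; this example exists to show what "hybrid" actually buys.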

The AI-narrated podcast version of this post will also be uploaded to Spotify (here) and YouTube (here).

Wishing you a wonderful weekend ahead.

Quantum Formalism (QF) team
