Quantum Unfiltered #13 — Your Quantum Threat Model Will Have a Blind Spot
When the frontier becomes unobservable, your migration plan had better not depend on watching it.
In this edition: Quantum cryptanalysis is entering a disclosure endgame. I trace the three responsible-disclosure experiments of 2026 and explain why the published literature will soon stop tracking actual CRQC capability, with consequences for every Q-Day model including my own. I also lay out the case for Harvest Now, Decrypt Later as concretely as I can: what agencies have put in writing, what $800 and a rooftop dish can do, the storage math that should end the debate, and an uncomfortable question I put to every board I brief. On the ECC attack frontier, a public leaderboard is compressing the cost of breaking Bitcoin's curve toward its arithmetic floor near 500 logical qubits. Vendors invoking Shannon's name to sell short-key encryption get the five-question test they deserve. Forescout published the first large-scale field data on PQC adoption, and it confirms the obvious. FINMA became the latest financial regulator to issue quantum guidance. Microsoft set its own PQC migration deadline for 2029. And post-quantum email encryption finally has an RFC.
The Coming CRQC Blackout
In recent weeks, the same rumor reached me from unconnected directions: that at least a couple of the companies at the center of quantum cryptanalysis are sitting on results they have chosen not to publish. I cannot verify a word of it, and nothing in the argument that follows depends on the rumor being true. What it did was send me back through the public record, where the verifiable evidence points in the same direction.
The field ran three disclosure experiments in the first half of 2026.
Oratomic chose full openness. Their 10,000-qubit Shor’s paper published complete resource estimates for Shor’s algorithm at cryptographic scale, paired with a formal responsible-disclosure statement. And buried inside that statement was the sentence I keep returning to: Oratomic warned that progress toward a cryptographically relevant quantum computer “may not be externally visible,” because the remaining distance is covered by incremental gains in architecture, control, and compilation rather than by dramatic, observable hardware scale-ups. A hardware company at the frontier told us, in its own words, that the frontier is becoming unobservable.
Google chose the middle path. Their ECDLP-256 resource estimate published the headline numbers (fewer than 500,000 physical qubits, minutes-scale runtime) while locking the circuits inside a zero-knowledge proof. The company briefed Washington before publication and urged other teams to adopt the same practice. Verification without weaponization, in theory.
The middle path failed on both fronts, and quickly. André Schrottenloher at Inria independently reconstructed the circuits in 63 days, matching Google on qubits and beating them on gates. Trail of Bits forged a proof by exploiting bugs in Google’s prover code. Craig Gidney, who designed the original circuits, conceded the experiment plainly on his blog. Announcing that a solution exists is itself powerful information. The exact resource numbers told everyone what target to hit.
Where Institutions Will Land
Gidney’s conclusion, publish openly, is correct as science and correct as security policy for defenders. But general counsels, export-control officers, and national security staff will study the same 63 days and draw a different lesson: partial disclosure does not work, and of the two stable equilibria, full openness and full silence, every institutional pressure I can identify pushes toward silence.
This is not speculation. Washington has built the machinery and tested it. Quantum technology already sits under US export controls via the September 2024 BIS interim final rule, which applies deemed-export licensing to the disclosure of controlled quantum technology and information. On June 22, the White House signed two companion executive orders that accelerate both quantum development and PQC migration. Note the asymmetry in information flows: covered contractors will be required to run disclosure programs that report cryptographic vulnerabilities inward to the government, while quantum capability information moves outward only through licensed channels. And in June, the Commerce Department ordered Anthropic to shut off its most capable AI models worldwide, citing national security, effective within hours. A government that can switch off a deployed frontier model by dinner can tell a quantum lab that a cryptanalysis result is not going on arXiv.
None of this would be a new regime. It would be a reversion to the historical norm. James Ellis conceived non-secret encryption at GCHQ around 1970; Clifford Cocks devised what the world later called RSA in 1973. GCHQ kept all of it classified until December 1997. IBM researchers discovered differential cryptanalysis in 1974 and, at the NSA’s request, kept the technique secret for 16 years. Open publication of cryptanalytically significant research is a roughly 50-year anomaly, sustained while the stakes were academic prestige and commercial products. The stakes are reverting to the state level. I expect the norms to follow.
What This Does to My Own Scorecard
I have to be honest about what the coming blackout does to my own work. My CRQC Readiness Benchmark fits growth rates to published milestones and scores current capability from published demonstrations. Every public Q-Day model, mine included, carries a hidden assumption that the published frontier approximates the actual frontier. That assumption is now degrading, and it degrades in one direction only: actual capability can only meet or exceed what is published.
Three adjustments follow. Published capability becomes a floor, and I will say so explicitly. Government behavior, what BIS restricts, what agencies mandate, and when, starts to outweigh published papers as a signal. And the conclusion I have been pushing for years becomes stronger rather than weaker: if the threat is about to become unobservable, calibrating your migration to observed capability is no longer a coherent strategy. You cannot time your exit to a signal that will not arrive.
Full analysis on PostQuantum.com
Is Harvest Now, Decrypt Later Real? What I Can and Can’t Prove
A few times a month, in a board briefing or a closed session with a security team, someone interrupts me with a version of the same question. It arrives right after I explain Harvest Now, Decrypt Later (HNDL): a foreign service copies encrypted traffic today and warehouses it to read once quantum computers mature. The question: is this actually happening, or is the quantum industry manufacturing fear?
It is a fair question. My honest answer: nobody can show you a specific quantum-motivated harvest, and nobody needs to.
What a Dozen Governments Have Put in Writing
Over the past five years, the intelligence and cybersecurity agencies of most of the Western world have converged on the same warning. ANSSI’s cautious 2022 formulation (”cannot be ruled out”) has become June 2026’s Executive Order 14412, which states that ongoing cyber activity presents the risk of adversaries collecting United States information now and decrypting it later. Canada calls HNDL an “immediate threat.” Germany’s BSI and more than a dozen EU member states call store-now-decrypt-later the “most imminent threat” from quantum computing. Several of the bodies issuing these warnings are signals intelligence agencies: organizations whose own mission includes intercepting communications. When they warn about harvesting, they are describing a technique they understand because they practice it.
The Storage Math That Should End the Debate
The skeptic’s economic objection dissolves on contact with the numbers. A 100 Gbps backbone link at typical utilization generates roughly 540 terabytes per day. At current enterprise HDD prices ($15-20 per TB), storing a full year costs roughly $2-4 million. A metadata-filtered version retaining 1-10% of the stream: $30,000-$400,000. Archiving the encrypted traffic of a single large organization for a year: $5,000-$70,000, less than the salary of one junior intelligence analyst.
The question I put to every board: imagine you run an intelligence service. For less than $100,000 a year you can passively copy the encrypted communications of a major foreign defense contractor. The collection requires no network intrusion and carries minimal detection risk. Your government’s quantum program gives you a credible chance of reading it within 10 years. The data (diplomatic strategy, weapons programs, economic policy) will still be valuable in that timeframe. Would you authorize the collection?
I have not found a good answer for declining. I doubt the adversary has either.
Full evidence, with the $800 satellite dish, Operation Ivy Bells, and the London mega-embassy
The Quantum Attack on ECC Is Approaching Its Arithmetic Floor
On a public leaderboard called ecdsa.fail, researchers and AI agents are competing to shrink the quantum circuit for breaking secp256k1, the elliptic curve under every Bitcoin and Ethereum signature. The peak qubit count for a point addition, the operation at the heart of the attack, has dropped from 2,330 under the 2017 academic baseline into the high 1,100s, and the descent has not stopped.
2026 is the year that rebalanced algorithmic work from RSA to ECC. Three major ECDLP papers in a single quarter, from France and China as much as from Google, delivered roughly half the qubits and one-third the gates of the best prior estimates. The leading width constant fell from 9n to approximately 4.355n for an n-bit prime.
The data-register floor sits near 512 qubits (two 256-bit field coordinates for a curve point), and the gap between today’s circuits and that floor is almost entirely ancilla scratch space that the RSA side has already learned to shed. A circuit nearer the floor is not a closer threat, though: a leaner circuit runs longer, raising the bar on continuous operation and real-time decoding, two capabilities furthest from being demonstrated. The uncertainty in Q-Day for ECC now sits almost entirely on the hardware curve, not the algorithm.
Full analysis on PostQuantum.com
Forescout’s Field Data Confirms What Everyone Suspected
Forescout published the first large-scale empirical data on PQC adoption in 2026, drawing from their device-intelligence platform. The picture it paints will surprise nobody who has been tracking this space, but putting field numbers behind the conventional wisdom is useful. Enterprise PQC deployment remains in early pilot stages. Most organizations have not completed cryptographic inventories. The gap between regulatory timelines and actual readiness is large and widening.
The bottom line for CISOs: if your organization has not begun its cryptographic inventory, you are behind the median, and the median is behind the deadline. The first agency migration plans under OMB M-26-15 are due in October. Start from the PQC Migration Framework and the PQC Readiness Self-Assessment Scorecard.
FINMA Joins the Regulators Setting Quantum Deadlines
Switzerland’s financial regulator FINMA issued quantum guidance instructing supervised institutions to assess their quantum-cryptographic exposure and develop transition plans. For Swiss banks and insurers, the message is now consistent across jurisdictions: the ECB’s recent supervisory letter on AI and cyber risks flagged emerging technology threats including quantum; the EU’s coordinated PQC roadmap sets milestones for 2030 and 2035; and FINMA adds Switzerland to the list.
Financial regulators move slowly, and when they all start pointing the same direction, the organizations they supervise follow. If you operate in financial services across multiple jurisdictions, the binding deadline is whichever regulator moves first. For confidentiality-critical data flows, that clock is already running.
Microsoft Sets a 2029 PQC Migration Deadline
Microsoft publicly committed to completing its own PQC migration by 2029. Google set the same date earlier this year. When the two largest platform companies in the world independently converge on the same internal deadline, three years ahead of the federal mandate for high-value assets, the signal is worth reading carefully. These companies have access to their own resource estimates and hardware roadmaps. Their internal assessment of the threat timeline runs ahead of the public record. A 2029 deadline on a migration of that scale, spanning Azure, Windows, Office 365, and every service that touches TLS, means engineering work started years ago.
If your organization depends on Microsoft or Google infrastructure, their migration will eventually force yours. When the platforms deprecate classical-only cipher suites, everything that connects to them will need to support PQC. Better to be ready than to discover it on a deprecation notice.
Post-Quantum Email Encryption Gets an RFC
RFC 9580 brings post-quantum cryptography into the OpenPGP standard. The specification adds ML-KEM and ML-DSA composite key types to OpenPGP, meaning encrypted email can now use hybrid post-quantum key establishment within a standardized, interoperable framework. GnuPG and several other implementations are tracking the standard.
OpenPGP adoption has always been modest outside specific communities (journalism, open-source development, privacy-conscious organizations), but the standard’s influence exceeds its user base. The pattern of PQC standards propagating through protocol specifications, from TLS 1.3 hybrid key exchange to Signal’s PQXDH to OpenPGP, is the migration happening one protocol at a time.
Quantum Flapdoodle: The Shannon Hustle
I have seen the pitch at least a dozen times in the past two years. A vendor presents an encryption product. Somewhere between slides seven and twelve, the word “Shannon” appears. The claim takes different forms, but the structure is identical: the product uses keys far shorter than the messages it encrypts, and Shannon’s name is invoked to imply information-theoretic security. Shannon’s 1949 theorem says that is impossible under his definition. One of these two things is wrong. It is always the vendor.
I documented five distinct patterns of Shannon abuse in vendor marketing: qualifier insertion (”operational perfect secrecy”), entropy confusion (conflating key-space size with per-operation entropy), domain switching (proving security for quantum ciphertext, selling to classical networks), direct claims of “overcoming” Shannon, and the entropic-security bait-and-switch (omitting the min-entropy caveat that eliminates most enterprise use cases).
The five-question test that exposes the hustle: (1) Is the key consumed per operation at least as long as the plaintext? (2) Is the key from a full-entropy source, not expanded from a seed? (3) Is each key used exactly once? (4) Which published theorem, in which model, provides the security guarantee? (5) Who outside the vendor tried to break it?
A “no” at any of the first three means the scheme provides computational security, which can be strong, but calling it “Shannon” is wrong. The irony: schemes claiming the stronger guarantee (information-theoretic) typically rest on weaker evidence (no independent cryptanalysis, no standardization). Full breakdown and vendor evaluation framework on PostQuantum.com.
The Complete US Federal PQC Mandate Reference
Since Quantum Unfiltered #12 covered the executive order, I published a comprehensive reference guide that consolidates all five June 2026 policy documents into a single analysis: NSPM-12 (governance foundation), EO 14412 (civilian mandate), the DoW PQC Strategy (defense mandate), OMB M-26-15 (implementation playbook), and EO 14413 (quantum innovation). The guide includes the full obligation matrix by system type, the complete key-dates timeline, and the contractor cascade analysis showing how the FAR rule will propagate PQC requirements down every tier of the federal supply chain. If you need one URL to send your compliance team, that is the one.
From the Applied Quantum Desk
Applied Quantum is running board briefings for organizations navigating the new US federal PQC mandate. We walk boards through the five-document architecture, help identify which deadlines bind their specific systems, and scope the migration program using the PQC Migration Framework. If your organization sells to, contracts with, or operates systems on behalf of the US federal government, the first agency migration plans are due in October. Reach out if you want help.
I also published a comprehensive update to Quantum Computing for Cybersecurity Professionals, the eleven-part deep dive series I wrote for the security professionals in my own mentoring circle. The entire series is now available as a free 114-page ebook. More on that in the next edition.
If this edition was useful, forward it to a colleague who should be paying attention. If I got something wrong, hit reply. I read everything and correct publicly.
— Marin


