How Quantum Hardware Is Outrunning a Civilization-Scale Migration
From the exposed boot chains of a billion personal computers to $74 billion in permanently vulnerable Bitcoin, the mathematical assumptions underlying global digital security are collapsing faster than the infrastructure built upon them can be replaced.
// BLUF — Bottom Line Up Front
Every public-key cryptographic system protecting modern digital infrastructure — HTTPS, firmware authentication, code signing, encrypted communications, and cryptocurrency — rests on mathematical problems believed to be computationally hard but never proven so. Peter Shor's 1994 algorithm demonstrated that a sufficiently capable quantum computer solves integer factorization and elliptic-curve discrete logarithms in polynomial time, rendering RSA and ECDSA cryptographically void.
Quantum hardware is advancing faster than previously modeled. A March 2026 Google Quantum AI study reduced the estimated qubit requirement to break 256-bit elliptic-curve cryptography by approximately 10×, to fewer than 500,000 physical qubits. A concurrent Caltech–Berkeley–Oratomic preprint estimates Shor's algorithm could run on 10,000–20,000 atomic qubits. Microsoft's Majorana 2 topological chip, unveiled June 2026, claims 1,000× reliability improvement over its 2025 predecessor. NIST finalized post-quantum standards in August 2024 (FIPS 203/204/205). NSA's CNSA 2.0 mandates full migration of National Security Systems by 2035. The migration pipeline requires 5–10 years. The arithmetic is uncomfortable.
The immediate, concrete manifestation of this structural vulnerability is the collapse of the 2011-era Microsoft UEFI certificate infrastructure, with the KEK CA expiring June 24, 2026, and the UEFI CA signing Linux shim on June 27 — a crisis previewed destructively in August 2024 when a flawed SBAT update rendered Linux unbootable on tens of thousands of dual-boot systems. The cryptographic vulnerability is not merely theoretical; it is already expressing as operational infrastructure failure.
- 6.9M BTC Bitcoin with public keys permanently exposed on-chain (~34% of supply)
- ~500K Qubits Revised Google estimate to break 256-bit ECC (March 2026, down ~10×)
- 2035 Deadline NSM-10 / CNSA 2.0 full PQC migration for all U.S. National Security Systems
- 5–10 Years Estimated enterprise migration time to post-quantum cryptography
- 32× Overhead ML-DSA certificate chain size increase vs. classical Ed25519
I. The Mathematical Foundation That Was Never Proven Secure
The RSA cryptosystem, introduced by Rivest, Shamir, and Adleman in 1977, and the elliptic-curve cryptography that supplanted it in efficiency-sensitive applications, share a common epistemological status: their security is assumed, not proven. Both rest on the conjecture that integer factorization and discrete logarithm computation are computationally intractable problems — that no polynomial-time classical algorithm exists to solve them. This is believed to be true. It has never been demonstrated to be necessarily true. The relationship between P and NP, the complexity-theoretic question on which this assumption ultimately depends, remains one of the most significant unsolved problems in mathematics.
For four decades, this gap between assumption and proof was considered practically irrelevant. RSA-2048 requires factoring a 617-digit number, and the best known classical algorithms — the General Number Field Sieve — would require computational resources exceeding the energy budget of current civilization to execute in any reasonable time. The assumption of hardness was operationally indistinguishable from proven hardness.
In 1994, Peter Shor at Bell Labs published an algorithm that changed the computational model rather than attacking the mathematical problem directly. Running on a quantum computer — a device that exploits superposition and entanglement to represent and manipulate exponentially many states simultaneously — Shor's algorithm finds the prime factors of an integer in polynomial time. The exponential wall that protected RSA does not exist in the quantum computational model. The same mechanism applies to elliptic-curve discrete logarithms. The entire public-key cryptographic infrastructure, including every certificate, every signed firmware binary, every HTTPS connection, and every cryptocurrency transaction authorization, becomes trivially solvable given sufficient quantum hardware.
The Harvest Now, Decrypt Later Threat Is Active
The critical asymmetry distinguishing the quantum threat from past cryptographic transitions is temporal. An adversary need not wait for quantum capability to capture the data. [1] Joint guidance from CISA, NSA, and NIST explicitly warns that adversaries may be conducting harvest-now, decrypt-later operations against critical infrastructure, with the cautious phrasing reflecting intelligence sensitivity regarding the extent of ongoing collection activities, though policy responses from the United States, the European Union, and allied governments uniformly treat HNDL as an active threat requiring countermeasures rather than a hypothetical future concern.
"Attackers do not need quantum computers to create quantum-era risk. They only need access to encrypted data that will still be valuable when quantum decryption becomes practical."
— Palo Alto Networks Unit 42 Research, 2026
The implication is that any data encrypted today using RSA or ECC and transmitted over a monitored channel — classified communications, medical records, financial transactions, intellectual property — that retains value beyond the estimated quantum horizon is already compromised in a deferred sense. The breach has occurred. The decryption is pending hardware delivery.
II. The Hardware Timeline Is Accelerating
Practical estimates of the quantum threat timeline have historically been conservative and have consistently been revised downward as hardware and algorithmic advances compounded.
Google Willow and the Quantum Echoes Breakthrough
[2] Google's Willow quantum processor, announced in late 2024, achieved a landmark in error correction: as qubit count scaled up, error rates decreased rather than increased — crossing what researchers describe as the below-threshold regime that had challenged quantum computing for nearly 30 years. In October 2025, Google demonstrated the Quantum Echoes algorithm on Willow, achieving a 13,000× speedup over the best classical supercomputer on a physics simulation task, with verifiable and reproducible results — the first time a quantum advantage claim had received independent scientific validation of that character.
More consequentially for cryptographic security, [3] in March 2026, Google's Quantum AI team published a detailed study showing that far fewer resources than previously estimated may be needed to attack elliptic-curve cryptography. The study suggests a quantum computer with fewer than 500,000 physical qubits — approximately one-tenth of earlier estimates — may be able to crack 256-bit ECC in minutes. A concurrent preprint from a Caltech–Berkeley–Oratomic collaboration estimated that Shor's algorithm could be implemented with as few as 10,000–20,000 atomic qubits, with a 26,000-qubit system potentially cracking Bitcoin's 256-bit ECDSA keys within days.
Microsoft Majorana 2: Topological Scaling
[4] In February 2025, Microsoft unveiled the Majorana 1 processor, claiming the world's first topological qubits based on Majorana zero modes in semiconductor-superconductor heterostructures — a fundamentally different approach from Google's superconducting transmon architecture, designed to achieve intrinsic error protection at the hardware level rather than through software error correction. The announcement generated significant scientific controversy; a concurrent Nature paper fell short of definitively demonstrating a topological qubit, and physicists at the American Physical Society's March 2025 Global Physics Summit expressed broad skepticism about the claims.
[5] In June 2026, Microsoft unveiled Majorana 2, reporting 1,000× reliability improvement over its predecessor, with average qubit lifetimes of 20 seconds — some lasting up to one minute — and targeting a scalable fault-tolerant system by 2029. The company noted that AI-assisted research tools had accelerated materials discovery and fabrication optimization in the development process. Independent verification of topological qubit claims remains ongoing in the physics community.
▸ Quantum Hardware Milestones Relevant to Cryptographic Security
OCT 2024
Shanghai University: 22-bit RSA factored via quantum annealing
Team led by Wang Chao used D-Wave Advantage to factor a 22-bit RSA integer using quantum annealing, beating the prior 19-bit record. Experts noted the technique does not scale directly to 2048-bit keys; RSA co-inventor Adi Shamir assessed practical RSA breaks as 30 years distant. Nonetheless, the work demonstrated that quantum annealing can transform cryptographic attacks into solvable optimization problems.
DEC 2024
Google Willow: Below-threshold error correction demonstrated
105-qubit Willow chip demonstrates that error rates fall as qubits scale — crossing the threshold that had blocked practical quantum error correction for three decades.
FEB 2025
Microsoft Majorana 1: Topological qubit claim
First claimed topological qubit processor; design targets 1 million qubits per chip. Scientific community disputes whether topological protection was actually demonstrated in accompanying Nature paper. APS conference session draws standing-room audience and substantial skepticism.
OCT 2025
Google Quantum Echoes: 13,000× verifiable quantum advantage
First independently verifiable quantum advantage demonstrated in physics simulation. Results reproducible on other quantum platforms meeting minimum qubit threshold.
APR 2026
Project Eleven Q-Day Prize: 15-bit ECC key broken
Researcher Giancarlo Lelli breaks a 15-bit elliptic-curve key using publicly accessible quantum hardware, claiming a 1 BTC bounty. Represents a 512-fold improvement over the September 2025 record. Bitcoin uses 256-bit keys; the gap remains enormous but the trajectory is notable.
MAR 2026
Google / Oratomic: ECC resource estimates reduced ~10×
Two landmark papers substantially lower estimated qubit requirements to break 256-bit ECC, accelerating expert Q-Day projections.
JUN 2026
Microsoft Majorana 2: 1,000× reliability improvement claimed
Lead-based topological superconductor replaces aluminum design. Average qubit lifetime 20 seconds. Microsoft targets fault-tolerant scalable quantum computer by 2029.
III. The Immediate Manifestation: UEFI Secure Boot and the Certificate Infrastructure
While the full quantum threat remains years from practical exploitation, the fragility of the cryptographic infrastructure it threatens is already expressing as operational failure — most visibly in the concurrent collapse of the 15-year-old UEFI Secure Boot certificate ecosystem.
Architecture and the Microsoft Certificate Monopoly
Secure Boot, introduced as part of the UEFI specification in the early 2010s, requires that all software in the boot chain carry a valid cryptographic signature traceable to a trusted root certificate. On the overwhelming majority of personal computers sold globally, that root is controlled by Microsoft. [6] Microsoft's status as the de facto certificate authority for PC boot firmware was not legislated or standardized through neutral process — it was established by Microsoft's decision to make Secure Boot a requirement for Windows 8 hardware certification in 2012. OEMs that declined to pre-enroll Microsoft certificates forfeited certification and with it access to volume licensing and marketing support. The market structure left no practical alternative.
[7] In 2013, Hispalinux, an 8,000-member Spanish open-source organization, filed an antitrust complaint with the European Commission describing Microsoft's UEFI Secure Boot implementation as "an obstruction mechanism" and "a de facto technological jail for computer booting systems." The European Commission responded that it was monitoring the situation but found no evidence of antitrust violations. The complaint was not pursued further. The architecture remained intact.
Linux distributions navigated this environment through a component called shim — a thin first-stage bootloader signed by Microsoft's UEFI CA that then loads the actual Linux bootloader using distribution-specific keys. [8] When Secure Boot became mandatory on Windows 8 certified hardware in 2012, Linux had no path to Secure Boot compatibility that did not involve Microsoft signing every bootloader. Shim was an engineering workaround for a structural subordination.
The August 2024 SBAT Incident
On August 13, 2024, Microsoft released Windows update KB5041585, intended to deploy Secure Boot Advanced Targeting (SBAT) revocations blocking older, vulnerable shim versions associated with the BlackLotus UEFI bootkit (CVE-2023-24932). Microsoft's documentation stated the update would not apply to dual-boot systems. The dual-boot detection logic failed.
[9] On systems running both Windows and Linux, the SBAT revocation list was applied despite the presence of Linux installations. Firmware subsequently refused to load now-revoked shim versions. Affected users — running Ubuntu, Debian, Linux Mint, and other distributions — encountered the error message: "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed." Their Linux installations became unbootable. Microsoft provided a registry-based workaround within days but did not release a permanent fix — corrected detection logic — until [10] the May 13, 2025 Patch Tuesday update (KB5058405), nine months after the incident. The episode required tens of thousands of users to manually intervene in their firmware configuration to restore functionality.
"This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update and later updates do not contain the settings that caused this issue."
— Microsoft Windows Release Health Dashboard, May 2025
The incident demonstrated concretely what critics had warned since 2012: a unilateral decision by a single company, pushed through an automated update mechanism to hundreds of millions of machines, could render competing operating systems non-functional without advance notice, user consent, or legal accountability.
The June 2026 Certificate Expiration
The certificates Microsoft deployed when Secure Boot was first mandated in 2011 are now expiring. [11] Three certificates on a staggered schedule define the transition:
▸ Microsoft UEFI Certificate Expiration Schedule
| Certificate | Expiration | Function | Impact of Expiry |
|---|---|---|---|
| Microsoft KEK CA 2011 | June 24, 2026 | Authorizes Windows Update to push DB/DBX changes | No new Secure Boot revocations deliverable via Windows Update; frozen security posture |
| Microsoft UEFI CA 2011 | June 27, 2026 | Signs third-party bootloaders including Linux shim | New shim binaries cannot be signed with old key; new installations may fail on systems with only 2023 certs |
| Microsoft Windows PCA 2011 | October 19, 2026 | Signs the Windows bootloader itself | Windows boot chain signing transitions to 2023 PCA |
A critical clarification that has been obscured in popular reporting: [12] Secure Boot firmware does not enforce certificate expiration dates at boot time. The firmware has no reliable access to a verified clock during the pre-OS boot sequence, so machines with already-installed shim binaries signed by the 2011 key will continue to boot after June 27. What expires is Microsoft's ability to sign new binaries with the old key. The operational impact falls on new installations, on machines whose OEMs never deploy the 2023 certificate set, and on the long-term ability to receive boot-level security revocations.
[13] Red Hat released dual-signed shim packages — carrying both 2011 and 2023 certificate signatures — for RHEL 9 and 10 in May 2026 and for RHEL 8 in June 2026. Ubuntu, Fedora, and Debian have followed parallel release schedules. The approach of dual-signing provides backward compatibility across hardware generations but depends on older UEFI firmware implementations correctly processing multiple Authenticode signatures in a single binary — a behavior not universally implemented in firmware from the 2012–2015 era.
The post-quantum dimension of the certificate transition adds a layer the current migration does not address. [14] The 2023 Microsoft UEFI CA replacement certificates use the same RSA-based cryptography as the 2011 certificates they replace. The current transition rotates keys; it does not change the underlying algorithm. A future post-quantum migration of the UEFI certificate infrastructure faces the physical constraints discussed in Section V — NVRAM capacity, early-boot compute budgets, and the bootstrapping problem of signing the migration itself using the algorithm being replaced.
IV. Cryptocurrency: The Permanent Harvest
The "harvest now, decrypt later" threat that intelligence agencies describe as an active operation against encrypted communications has a structural analogue in cryptocurrency that is simultaneously simpler and more severe: the harvest is already complete, permanent, and publicly accessible to any future attacker.
Bitcoin's security model for transaction authorization rests on ECDSA over the secp256k1 elliptic curve. When a wallet spends funds, it reveals the public key corresponding to the signing address as part of the transaction broadcast. That revelation is permanent and immutable — recorded in every copy of the Bitcoin blockchain worldwide. Any future entity possessing a cryptographically relevant quantum computer can take any revealed public key, run Shor's algorithm against the elliptic-curve discrete logarithm, recover the private key, and authorize arbitrary transactions from the corresponding wallet.
[15] Project Eleven, a post-quantum security research organization, estimates that approximately 6.9 million BTC — roughly one-third of total supply — sit in addresses where the public key is already exposed on-chain. This includes every Pay-to-Public-Key (P2PK) output from Bitcoin's first two years, approximately 1.7 million BTC believed to include coins mined by Satoshi Nakamoto, and every address that has sent at least one transaction, thereby revealing its public key in the spending signature.
[16] A May 2026 Citi Research report identified Bitcoin as more exposed than Ethereum to the quantum threat, citing Bitcoin's slower governance and upgrade process. Proof-of-stake networks such as Ethereum may adapt more quickly because protocol upgrades do not require the same conservative consensus process. Ethereum targets quantum resistance via its Strawmap roadmap by 2030; Ripple has published a four-phase quantum-proofing plan targeting 2028.
BIP-360 and BIP-361: The Migration Debate
[17] BIP-360, proposed in February 2026, introduces Pay-to-Merkle-Root (P2MR), a new Bitcoin output type using NIST-approved ML-DSA signatures that provides quantum resistance for newly created addresses. The proposal establishes the technical foundation for a migration path but deliberately scopes itself narrowly — it does not address the 6.9 million BTC with already-exposed public keys.
[18] BIP-361, proposed in April 2026, extends the framework to address legacy exposure through a structured multi-year migration with legally and philosophically unprecedented features. Phase A, three years after activation, stops the network from accepting new deposits to legacy vulnerable address types. Later phases contemplate freezing or eventually burning coins that have not migrated — including, if Satoshi's coins remain unmoved, approximately 1.7 million BTC currently valued at approximately $74 billion. The authors cite Satoshi Nakamoto's own writings about the network's capacity to adapt, but the proposal would constitute the first instance in Bitcoin's history of the community deliberately nullifying property rights by protocol consensus.
⚠ Critical Technical Constraint: Short-Exposure Attacks
BIP-360 addresses "long-exposure" attacks — quantum derivation of private keys from public keys sitting permanently on-chain. It does not address "short-exposure" attacks, where a quantum computer fast enough to derive a private key from the public key revealed during the mempool window before transaction confirmation could authorize a competing spend. Protection against short-exposure requires post-quantum signature schemes at the transaction level, work that remains in early proposal stages. A sufficiently fast quantum computer could, in principle, intercept and redirect any Bitcoin transaction in flight even after BIP-360 deployment.
V. The Post-Quantum Migration: Standards, Mandates, and Physical Constraints
NIST FIPS 203/204/205: The New Standards
[19] On August 13, 2024, NIST released the first three finalized post-quantum cryptographic standards after a six-year international competition involving 82 candidate algorithms:
▸ NIST Post-Quantum Cryptography Standards (August 2024)
| Standard | Algorithm | Basis | Application |
|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Module Lattice (MLWE problem) | Key encapsulation / general encryption |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Module Lattice (MLWE problem) | Digital signatures, certificates |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based (stateless) | Digital signatures (conservative fallback) |
These algorithms replace the P≠NP hardness assumption with different mathematical structures: lattice problems (finding the shortest vector in a high-dimensional lattice) and hash function collision resistance. Neither has been proven unconditionally hard; both are believed resistant to known quantum algorithms. The epistemological status is improved — the problems are less well-studied by attackers and the lattice hardness literature is deeper — but the fundamental posture remains assumption rather than proof.
The size penalty of the transition is substantial. [20] An ML-DSA-65 signature is 3,309 bytes against 64 bytes for classical Ed25519 — a 52× increase. A depth-2 certificate chain with ML-DSA-65 reaches approximately 17,500 bytes of overhead, a 32× increase over classical Ed25519. For UEFI firmware, where certificate databases live in non-volatile RAM chips with fixed capacity, this is not an abstract inefficiency — it is a physical barrier that cannot be overcome by software update on existing hardware.
The Government Mandate Architecture
The U.S. regulatory framework for post-quantum migration is unusually specific by historical standards of cryptographic policy. [21] National Security Memorandum 10 (NSM-10), signed by President Biden in May 2022, directs all Federal Civilian Executive Branch agencies, Department of Defense components, Intelligence Community agencies, and federal contractors to complete migration to quantum-resistant cryptography by 2035. The Quantum Computing Cybersecurity Preparedness Act, signed December 2022, codified this requirement in statute — making it resistant to executive reversal. The Trump administration's June 2025 executive order streamlined certain procurement mandates while explicitly preserving NSM-10 as the foundational document, a rare piece of bipartisan continuity in cybersecurity policy.
[22] NSA's CNSA 2.0 framework translates NSM-10 into operational specificity: ML-KEM-1024 for key establishment, ML-DSA-87 for digital signatures. New National Security System acquisitions must support CNSA 2.0 by January 2027. Legacy systems unable to support CNSA 2.0 must complete transition by December 31, 2030. All covered systems must exclusively use CNSA 2.0 algorithms by December 31, 2031, with full quantum resistance required by 2035.
For organizations in the defense-industrial base, the planning phase is operationally over. RFPs written today for systems with 18–36 month development timelines must incorporate CNSA 2.0 requirements to avoid delivering non-compliant systems into a 2027 mandate environment.
The Firmware Bootstrapping Problem
The deepest technical challenge in post-quantum migration at the firmware level has no clean solution within the constraints of existing hardware. To upgrade UEFI firmware to support post-quantum cryptographic verification, the upgrade package itself must be signed and verified using the existing RSA-based trust chain — because there is no other trust chain available on existing hardware. The transition to post-quantum verification is necessarily signed with the algorithm it is replacing. The first machine that is genuinely quantum-safe at the boot layer is one that was manufactured with post-quantum-capable verification hardware from the start.
[23] The UEFI Forum has published a white paper on post-quantum cryptography specification updates, describing the Forum's approach to incorporating PQC considerations into future UEFI specifications. The operative framing is forward-looking: future hardware, future specifications, future OEM implementations. Machines manufactured before approximately 2028–2030 will almost certainly lack the NVRAM capacity and early-boot compute resources needed to implement a post-quantum Secure Boot chain. The current 2023 certificate rotation — the one expiring this week — is migrating from one quantum-vulnerable RSA infrastructure to another quantum-vulnerable RSA infrastructure. It solves the expiration problem. It does not touch the quantum problem.
VI. Structural Assessment: The Emperor and the Infrastructure
Examined together, the UEFI certificate crisis, the cryptocurrency exposure, and the post-quantum migration deadline share a common structural signature: large-scale infrastructure optimized for present performance has accumulated future liability at a rate that exceeds the capacity of governance and engineering to address it before the liability becomes acute.
The Microsoft UEFI certificate monopoly was not a conspiracy. It was the natural downstream consequence of market power in operating systems, deployed through hardware certification leverage, producing a structural position whose implications were warned about clearly in 2012 and are expressing as operational failure fourteen years later. The institutions that could have regulated this arrangement — the European Commission in 2013, the U.S. Department of Justice — declined on the grounds that no evidence of current harm existed. The harm was deferred, not absent.
The cryptocurrency quantum exposure was not an oversight. It was a known property of ECDSA that the Bitcoin community has discussed for years. The blockchain's permanent, public record of exposed keys is a feature — transparency and immutability are central to the value proposition — that doubles as an unlimited-duration attack surface against any future adversary with sufficient quantum capability. The migration path requires consensus from a deliberately decentralized and conservative governance structure operating against a hardware timeline it does not control.
The post-quantum migration itself faces a version of the same problem. [24] A realistic enterprise migration timeline is 42–54 months from initiation to compliance. With full quantum resistance required for national security systems by 2035, and with most expert estimates placing cryptographically relevant quantum computers in the 2030–2035 range, the margin is narrow and not uniformly distributed across the global infrastructure that depends on the same mathematical assumptions.
"Quantum computing is not a forecast — it is an ongoing operation. The breach may already have occurred, the data may already be in adversarial hands, and the organization may not know it until years from now."
— Cloud Security Alliance, AI Infrastructure and Post-Quantum Research, May 2026
The post-quantum cryptographic standards finalized in August 2024 represent a genuine engineering achievement. The NIST process, spanning six years and engaging cryptographers globally, produced algorithms that are more robustly analyzed against quantum attacks than any predecessor. The lattice-based problems underlying ML-KEM and ML-DSA are harder to attack with known quantum algorithms than integer factorization is for Shor's. The transition, if executed, improves the security posture materially.
What the transition does not resolve is the epistemological condition. The new standards rest on different mathematical assumptions, not on proven hardness. The history of cryptography suggests that this is the best available posture rather than a remediable condition: information-theoretically secure cryptography exists (one-time pads) but is operationally impractical at civilizational scale. Computational hardness assumptions are what make practical cryptography possible. The quantum transition moves those assumptions to a different class of mathematical problems. The emperor has new clothes. They are better clothes. The emperor is still not naked. And the question of what the next Shor — the next computational model change that sidesteps the hardness assumption entirely — might look like remains genuinely open.
For the practicing engineer, the actionable conclusion is straightforward even if the philosophical condition is not: migrate to post-quantum standards now, before the migration becomes urgent. Conduct cryptographic inventories. Update UEFI firmware where OEM support permits. Move cryptocurrency holdings to address types that do not expose public keys and monitor BIP-360 deployment for migration to quantum-safe addresses. Plan system acquisitions around CNSA 2.0 requirements. The 2035 deadline is not distant when the migration pipeline is 5–10 years long and the hardware timeline is accelerating faster than models predicted.
The emperor's wardrobe is not empty. But the tailors are working faster than the weavers.
References and Verified Sources
-
"Quantum-Readiness: Migration to Post-Quantum Cryptography."
CISA Advisory, 2023. Cited in: Cloud Security Alliance, "AI
Infrastructure Post-Quantum Harvest-Now-Decrypt-Later," May 2026.
https://labs.cloudsecurityalliance.org/research/ai-infrastructure-post-quantum-harvest-now-decrypt-later-v1/ -
"Meet Willow, our state-of-the-art quantum chip."
Google Blog, December 2024; Quantum Echoes algorithm paper, October 2025.
https://blog.google/innovation-and-ai/technology/research/google-willow-quantum-chip/
https://blog.google/technology/research/quantum-echoes-willow-verifiable-quantum-advantage/ -
"Quantum computers are coming to break our codes faster than anyone expected."
April 12, 2026. Covers Google Quantum AI ECDLP-256 paper and Oratomic/Caltech preprint.
https://theconversation.com/quantum-computers-are-coming-to-break-our-codes-faster-than-anyone-expected-280303 -
"Microsoft unveils Majorana 1, the world's first quantum processor powered by topological qubits."
February 19, 2025.
https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/
Scientific skepticism: https://link.aps.org/doi/10.1103/Physics.18.68 -
"Microsoft Reveals '1,000x More Reliable' Quantum Chip as Bitcoin Threat Draws Nearer."
June 2026. Covers Majorana 2 announcement.
https://decrypt.co/369811/microsoft-1000x-more-reliable-quantum-chip-bitcoin-threat-draws-nearer -
"The Certificate Nobody Checked: Secure Boot's Fifteen-Year Blind Spot."
April 24, 2026.
https://dev.to/isms-core-adm/the-certificate-nobody-checked-145c -
"Red Hat engineer renews attack on Windows 8-certified secure boot."
September 26, 2011. Hispalinux antitrust complaint, March 27, 2013.
https://www.theregister.com/2011/09/26/uefi_linux_lock_out_row_latest/
https://www.theregister.com/2013/03/27/hispalinux_microsoft_antitrust_suit/ -
"The Certificate Nobody Checked."
April 2026. On shim architecture and Microsoft signing dependency.
https://dev.to/isms-core-adm/the-certificate-nobody-checked-145c -
"Windows patch prevents Linux from booting on dual-boot systems."
August 21, 2024.
https://www.techzine.eu/news/devices/123609/windows-patch-prevents-linux-from-booting-on-dual-boot-systems/ -
"Microsoft fixes Linux boot issues on dual-boot Windows systems."
May 14, 2025.
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-linux-boot-issues-on-dual-boot-windows-systems/ -
"Microsoft Secure Boot Certificate Expiration 2026."
2026.
https://kb.wisc.edu/159935
Eclypsium analysis: https://eclypsium.com/blog/microsoft-secure-boot-certificates-expire-2026/ -
"No, your Secure Boot certificate is not expiring in June."
June 2026. Clarification of firmware expiration behavior.
https://ciq.com/blog/secure-boot-uefi-ca-key-rotation-2026 -
"Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments."
Updated May–June 2026.
https://access.redhat.com/articles/7128933
https://developers.redhat.com/articles/2026/02/04/secure-boot-certificate-changes-2026-guidance-rhel-environments -
"Secure Boot playbook for certificates expiring in 2026."
May–June 2026.
https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235 -
"Bitcoin is going quantum-proof. Inside BIP-360 and the migration."
Crypto News, June 2026. On 6.9M BTC exposure estimate.
https://cryptonews.net/news/bitcoin/32981892/
https://phemex.com/blogs/bitcoin-quantum-resistant-address-bip-360 -
"Bitcoin more exposed to quantum risks than Ethereum, Citi says."
May 18, 2026.
https://www.coindesk.com/tech/2026/05/18/bitcoin-faces-outsized-quantum-threat-as-computing-breakthroughs-accelerate-citi-says -
"BIP 360: Pay-to-Merkle-Root (P2MR)."
February 2026.
https://bip360.org/
https://daic.capital/blog/bip-360-bitcoin-quantum-safe -
"Bitcoin Developers Propose BIP-361: Quantum-Proof Migration That Would Freeze Millions of Legacy Coins."
April 19, 2026.
https://quasa.io/media/bitcoin-developers-propose-bip-361-quantum-proof-migration-that-would-freeze-millions-of-legacy-coins -
"NIST Releases First 3 Finalized Post-Quantum Encryption Standards."
August 13, 2024. FIPS 203, FIPS 204, FIPS 205.
https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
Holland & Knight analysis: https://www.hklaw.com/en/insights/publications/2024/08/nist-releases-three-post-quantum-cryptography-standards -
"Merkle Tree Certificate Post-Quantum PKI for Kubernetes and Cloud-Native 5G/B5G Core."
arXiv:2604.04191, 2026. On ML-DSA certificate size overhead.
https://arxiv.org/pdf/2604.04191 -
"Why federal IT leaders must act now to deliver NIST's post-quantum cryptography transition."
September 22, 2025.
https://cyberscoop.com/why-federal-it-leaders-must-act-now-to-deliver-nists-post-quantum-cryptography-transition-op-ed/
NSM-10 text: https://qtonicquantum.com/nsm-10 -
"CNSA 2.0: Complete Guide to NSA's PQC Requirements."
Updated June 2026.
https://postquantum.com/cnsa-2-0/complete-guide/
Original CNSA 2.0 advisory: https://postquantum.com/quantum-policy/nsa-cnsa-2-0-pqc/ -
"Post-Quantum Cryptography: UEFI Specification Updates."
White paper, 2025–2026.
https://uefi.org/
Hardware constraint analysis: https://eprint.iacr.org/2024/1345.pdf -
"CNSA 2.0 and NIST PQC Deadlines 2026–2035."
May 2026. On 42–54 month migration timeline.
https://axelspire.com/business/pqc-timeline-mandates/
NIST IR 8547 (Transition to Post-Quantum Cryptography Standards): https://csrc.nist.gov/pubs/ir/8547/ipd - "Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage." Chinese Journal of Computers, October 2024. Expert response: https://www.techtarget.com/searchsecurity/news/366613737/Experts-slam-Chinese-research-on-quantum-encryption-attack
-
"Q-Day Just Got Closer: Three Papers in Three Months Are Rewriting the Quantum Threat Timeline."
March 31, 2026.
https://thequantuminsider.com/2026/03/31/q-day-just-got-closer-three-papers-in-three-months-are-rewriting-the-quantum-threat-timeline/ -
Written question E-002247/2013 on UEFI Secure Boot and Microsoft as single point of trust.
March 2013.
https://www.europarl.europa.eu/doceo/document/E-7-2013-002247_EN.html -
"Harvest Now Decrypt Later: Examining Post-Quantum Risks to Cryptocurrency."
FEDS Working Paper 2025-093.
https://www.federalreserve.gov/econres/feds/files/2025093pap.pdf -
"Securing Cryptography in the Age of Quantum Computing and AI: Threats, Implementations, and Strategic Response."
arXiv:2603.06969, March 2026.
https://arxiv.org/pdf/2603.06969 -
"Microsoft answers what you must do as Windows 11 Secure Boot deadline hits in days."
June 8, 2026. Coverage of Microsoft AMA session with Arden White, Scott Shell, et al.
https://www.windowslatest.com/
