The Coming CRQC Blackout: Why the Papers Will Stop Before the Progress Does
Table of Contents
In recent weeks, the same rumor has reached me from unconnected directions: that at least a couple of the companies at the center of quantum cryptanalysis are sitting on results they have chosen not to publish. Nobody offered proof. Nobody could have, for reasons that will become clear. I want to be upfront that this is corridor talk, that I cannot verify a word of it, and that nothing in the argument below depends on it being true. What the whispers did was send me back through the public record of the past few months, looking for whether the story they tell is even plausible. It is, and the verifiable record points in the same direction.
Start with what is public. On March 31, 2026, the two most consequential quantum cryptanalysis papers of the year appeared within hours of each other, and both teams did something that nobody bothered to do for the landmark resource estimates of 2019, 2021, or 2025: they explained why they were publishing at all. Oratomic paired its 10,000-qubit Shor’s paper with a formal responsible disclosure statement. Google consulted the US government before releasing its resource estimates for the 256-bit elliptic curve discrete logarithm problem (ECDLP-256) and locked the underlying circuits inside a zero-knowledge proof. When researchers start justifying the act of publication, the default has already moved.
Both teams acted in good faith, I think, and I covered both results in depth at the time: the Google paper here and the Oratomic paper here. But I read their disclosure statements less as policy positions than as artifacts of a transition. My argument in this piece is simple: breakthroughs on the path to a cryptographically relevant quantum computer (CRQC) will keep accelerating over the next few years, and the announcements will not. Within a year, or a few, critically reading the published literature, the method behind my CRQC scorecard and behind every serious public Q-Day assessment, will no longer be a reliable way to track how close anyone actually is to breaking deployed cryptography.
If the rumors are right, it already has.
Three Responsible Disclosure Experiments, One Survivor
The field effectively ran three disclosure experiments in the first half of 2026.
Oratomic chose full openness. The team published complete resource estimates showing Shor’s algorithm running at cryptographic scale on roughly 10,000 to 26,000 reconfigurable neutral atom qubits, and defended the decision in plain terms: withholding the results would slow the entire field, and credible numbers give researchers, industry, and governments a shared reference point instead of speculation. I agree with every word of that reasoning. The same statement, though, buries the sentence I keep returning to. Oratomic warned that progress toward a cryptographically relevant machine “may not be externally visible,” because the remaining distance is covered by incremental gains in architecture, control, and compilation rather than by a dramatic, observable scale-up. A hardware company at the frontier told us, in its own disclosure statement, that the frontier is becoming unobservable.
Google chose the middle path. The 57-page whitepaper with the Ethereum Foundation and Stanford published the headline numbers (fewer than 500,000 physical qubits, minutes-scale runtime for ECDLP-256) while withholding the circuit constructions behind an SP1/Groth16 zero-knowledge proof (ZKP). The company engaged Washington before publication and urged other research teams to adopt the same practice. Verification without weaponization, in theory.
The third experiment is the one nobody announces. I will come back to it.
Google’s Middle Path Lasted 63 Days
It failed on both fronts, and quickly.
On the secrecy front, André Schrottenloher at Inria independently reconstructed the circuits in two months, matching Google’s qubit counts and beating its Toffoli counts by roughly 10%, with code published openly on Inria’s GitLab. Craig Gidney, who designed the original circuits, confirmed the match on his blog the same day and conceded the experiment plainly: “We should just publish openly.” His autopsy identified the failure modes I had expected. Announcing that a solution exists is itself powerful information. The exact resource numbers told everyone what target to hit. And Google’s own prior papers contained the technical breadcrumbs; Schrottenloher read them and put two and two together.
On the verification front, the cryptographic wrapper fared no better. Trail of Bits forged a proof in April by exploiting bugs in Google’s prover code; the forged proof claimed zero Toffoli gates and fewer qubits than Google’s own circuits. The underlying science was never in question, but the episode showed that a ZKP shifts trust from domain expertise to software implementation quality, and the software had holes.
I wrote the post-mortem in June: publishing the resource estimates a circuit achieves while concealing the circuit is a contradiction. Sixty-three days settled it.
The Lesson Institutions Will Draw Is Not the One Gidney Drew
Here is where I part ways with the comfortable reading of that episode.
Gidney’s conclusion, publish openly, is correct as science and correct as security policy for defenders. The cryptography community will cite the Schrottenloher reproduction for years as proof that secrecy does not work in a field built on shared mathematics. But general counsels, export-control officers, and national security staff will study the same 63 days and conclude something different: partial disclosure does not work. Google’s secret unraveled because there was something public to work back from, an existence claim, precise numbers, a trail of prior papers, and a named team to pressure. A lab that publishes nothing offers none of those. No Streisand effect, no proof to forge, no breadcrumbs, nobody to congratulate. Of the three experiments, full openness and full silence are the stable ones, and every institutional pressure I can identify pushes toward silence.
The transition will also be invisible while it happens, which is what makes it dangerous. An announced publication ban would be a global news story and a market signal. What we will get instead is selective non-publication: fewer papers on cryptanalysis-adjacent compilation, fewer resource estimates from the labs closest to the hardware, longer and less explainable gaps between roadmap milestones and supporting evidence. From the outside, a lab that found nothing and a lab that is no longer permitted to say what it found produce identical literatures. Nobody will send a memo that the blackout began.
Washington Has Built the Valve and Tested It
Anyone who considers this speculative has not been reading the Federal Register.
Quantum technology has sat under US export controls since the Bureau of Industry and Security’s (BIS) September 2024 interim final rule, which applies deemed-export licensing to the disclosure of controlled quantum technology and information to nationals of certain countries, with a presumption of denial. Sharing certain quantum knowledge with the wrong passport holder, inside your own lab, on US soil, already requires a license. On June 22, 2026, the White House signed two companion executive orders, one accelerating the federal transition to post-quantum cryptography (PQC) (“Securing the Nation Against Advanced Cryptographic Attacks”) and one accelerating quantum development (“Ushering in the Next Frontier of Quantum Innovation”). Note the asymmetry in the information flows they construct: covered contractors will be required to run disclosure programs that report cryptographic vulnerabilities inward to the government, while quantum capability information moves outward only through licensed channels.
Google’s decision to brief the government before publishing its ECDLP paper was voluntary. I expect that pattern to harden. The soft version is a courtesy call from Mountain View to Fort Meade; the hard version is a directive, and we have now watched the directive machinery operate at full speed. On June 12, the Commerce Department ordered Anthropic to shut off its two most capable AI models for every customer worldwide, citing national security, effective within hours of a letter arriving. I wrote then that the same machinery applies to quantum, and I meant capability access. It applies equally to capability information. A government that can switch off a deployed frontier model by dinner can certainly tell a US quantum lab that a cryptanalysis result is not going on arXiv.
And frankly, from a national security standpoint, the government’s logic is not hard to follow. Once a result meaningfully shortens the path to breaking deployed cryptography, publishing it helps adversaries calibrate their own programs. I find the case for openness stronger on balance, because defenders worldwide calibrate their migrations from the same papers, but I am not going to pretend the other side of the argument is empty. It will win more arguments the closer the hardware gets.
We Have Run This Experiment Before, for Decades
None of this would be a new regime. It would be a reversion to the historical norm, and those precedents involve the same institutions now building the machines.
The most consequential cryptographic discovery of the twentieth century was made in secret and stayed there for a generation. James Ellis conceived non-secret encryption at GCHQ around 1970, Clifford Cocks devised what the world later called RSA in 1973, and Malcolm Williamson worked out Diffie-Hellman-style key exchange shortly after. GCHQ kept all of it classified until December 1997, 24 years, while the academic world reinvented the field from scratch and built the modern internet on the reinvention. Ellis died a month before he was allowed to be acknowledged.
An even closer precedent sits inside the industry itself. IBM researchers discovered differential cryptanalysis in 1974 while designing DES, hardened the S-boxes against it, and then, at the NSA’s request, kept the technique secret. The open cryptographic community did not learn what differential cryptanalysis was until Eli Biham and Adi Shamir independently rediscovered it in the late 1980s, and Don Coppersmith only confirmed the history in 1994. A major American technology company sat on a fundamental cryptanalytic capability for 16 years because its government asked it to. IBM has taken this exact phone call before. So has the industry’s muscle memory.
Open publication of cryptanalytically significant research is a roughly 50-year anomaly, sustained while the stakes were academic prestige and commercial products. The stakes are reverting to the state level. I expect the norms to revert with them.
China Never Ran the Open Experiment
For one major quantum power, none of this is a forecast. When I assessed China’s quantum computing hardware in April, I had to build the entire analysis on an epistemic caveat that Western coverage rarely needs: the published record is a floor, and the distance between publication dates may say little about the distance between capabilities. Chinese quantum scientists work under institutional constraints with no Western parallel. MERICS documented that institutions hold the passports of strategic scientists; quantum encryption technology went onto China’s export restriction list back in 2020; and the US-China Economic and Security Review Commission stated in its November 2025 report that it assumes China is pursuing a CRQC aggressively while deliberately obscuring where its most advanced programs sit. Analysts have suggested Chinese publications may trail actual capability by 18 to 24 months. I could not verify that figure then and cannot now, but the conditions that would produce such a lag are documented and undeniable.
The uncomfortable part is what this does to the comparison. The posture I had to adopt for Hefei, treat the papers as a lower bound and reason about the gap you cannot see, is the posture the coming disclosure regime will force on Mountain View and Yorktown Heights too. A race in which both sides publish selectively is a race nobody outside a small number of classified programs can score.
The Improvements That Leave No Trace
Even a motivated outside observer would struggle, because the remaining gaps to a CRQC are precisely the kind that leave no external signature.
When I built the CRQC scorecard on top of my CRQC Quantum Capability Framework, the analysis showed the binding constraint across every modality was the logical operations budget, with decoder performance and continuous operation close behind. Those are error-correction engineering, control software, and compilation problems. They are solved inside a lab, on machines that already exist, and their solution changes nothing a supply-chain analyst can count. Physical qubit growth leaks: you can track cryostat orders, laser procurement, fab capacity, and facility construction. Decoder latency does not leak. A 10x improvement in magic state throughput does not show up in customs data. Oratomic’s warning about externally invisible progress describes exactly this territory, and Google’s whitepaper went a step further, allowing that early CRQCs might be “detected on the blockchain rather than announced.”
So, do I think Google or IBM are already holding results beyond what they have published? I want to be precise here, because this is the territory where Q-FUD breeds. Some gap is guaranteed by ordinary publication lag, which ran 6 to 18 months between internal result and paper even in the open era. Some is suggested by observable behavior: Google announced its 2029 internal PQC migration deadline before it published the ECDLP estimates that justify the urgency, which tells you the internal assessment runs ahead of the public record. And some may already be withheld by choice or by direction; the DES history shows corporate labs will do this for years when asked. I cannot distinguish among those three from outside, and neither can you. Routine lag and deliberate silence produce the same published record, one that trails reality by a margin no reader can measure. The rumors that prompted this piece live inside that unmeasurable margin: consistent with everything above, and proof of nothing.
What Happens to the Scorecard
I have to be honest about what this does to my own work. The CRQC Readiness Benchmark fits growth rates to published milestones and scores current capability from published demonstrations. Every public Q-Day model, mine included, carries a hidden assumption that the published frontier approximates the actual frontier. That assumption held tolerably well for a decade. It is now degrading, and it degrades in only one direction: actual capability can only meet or exceed what is published, never trail it.
Three adjustments follow, and I will be applying them to my own tracking.
First, published capability becomes a floor, and I will say so explicitly. In benchmark terms, the current-capability inputs are lower bounds, and growth rates fitted to publication dates will understate real progress by an unknown and growing margin. Readers running the estimator should stress-test scenarios where the frontier sits one to two years ahead of the literature, which is the lag range already suggested for China’s program.
Second, the signals that leak through the physical world start to outweigh announcements. Procurement, hiring, cryogenics and control-electronics supply chains, and facility construction still leak. So does government behavior, which functions as disclosure in reverse: what BIS restricts, what agencies mandate, and when, encodes a classified assessment you are not otherwise allowed to read. When the NSA walked away from elliptic curves in 2015, years before PQC standards existed, the move said more than any paper that year. CNSA 2.0’s 2030 to 2033 migration window is the same category of signal, and so is a hardware builder like Google imposing a 2029 deadline on itself.
Third, watch for capability leakage through markets rather than journals: cyber-insurance repricing of cryptographic risk, sovereign procurement patterns, and the migration deadlines that regulators, insurers, and large buyers keep pulling forward.
The Vacuum Will Not Stay Empty
There is one more downside to the blackout, and I have been fighting its precursor for years. Even in the open era, with every real result a click away, the quantum snake oil and Q-FUD peddlers’ claims kept coming: companies predicting imminent RSA breaks, or even claiming that they themselves already cracked RSA-4096, vendors hinting at capabilities too sensitive to show, and a steady genre of announcements that a quantum computer had cracked strong encryption. The record, which I have documented repeatedly, is that quantum computers have publicly factored numbers like 15 and 21, that the distance between the largest genuine demonstrations and RSA-2048 has not meaningfully closed, and that no claimed cryptographic break has ever survived scrutiny. The debunking worked because publication was the norm. A claim could be measured against a paper, and the absence of a paper was itself the verdict.
The blackout inverts that. Once “the best results are being withheld” becomes common knowledge, and this article is evidence the idea is spreading, every peddler in the quantum panic industry inherits an unfalsifiable cover story. We broke RSA-4096, but export controls prevent us from publishing. Our benchmarks are classified. If you knew what we know. Secrecy stops being a red flag and starts functioning as a credential, and the louder the suppression narrative grows, the better the grift works. I am aware that a piece arguing the papers will stop hands ammunition to exactly this crowd, which is why the line has to be drawn precisely.
The test is simple, and it survives the blackout. A genuine cryptanalytic capability can always prove itself without explaining itself. Factor a public RSA challenge number. Produce a valid signature from a key you were never given. Google’s whitepaper gestured at the same test from the other direction with its blockchain-detection scenario: real capability leaves verifiable artifacts even when the method stays sealed. Method secrecy is defensible and, as this piece argues, probably coming. A capability claim without a demonstration is something else: an absence of evidence wearing a national security costume. When the papers dry up and someone claims a break anyway, the demand on them does not change. Demonstrate on a public instance, or join the long list of claims that never survived contact with one.
Planning Against a Threat You Cannot Watch
For defenders, the practical conclusion is one I have been pushing for years, and the coming blackout strengthens it rather than changing it. If the threat is about to become unobservable, then calibrating your migration to observed capability stops being a coherent strategy at all. You cannot time your exit to a signal that will not arrive. Forget Q-Day predictions; the deadlines are already set by regulators, insurers, investors, and clients, and those deadlines were never derived from the open literature in the first place. Harvest Now, Decrypt Later collection does not wait for an announcement, and neither does its signature-side twin, Trust Now, Forge Later. Complete your cryptographic inventory, migrate key establishment first, and hold your program to the external deadlines rather than to your favorite lab’s next paper, because there may not be a next paper.
For policymakers, I will make the same request I made after the Anthropic shutdown: if governments are going to gate quantum cryptanalysis disclosure, and they are, then do it through a predictable, rule-bound process rather than ad hoc directives. The United States already operates a Vulnerabilities Equities Process for deciding when to disclose software flaws it discovers; quantum cryptanalytic capability deserves an equivalent, with published criteria and a bias toward the disclosure that defenders need to time their migrations. Unpredictable secrecy corrodes the threat models of every allied CISO who is trying to do the right thing on a budget.
The March 31 statements will read differently in a few years. Oratomic and Google disclosed results, and along the way they documented, in real time, that publication had become a decision requiring a defense. The teams that reach the next milestones may file no statement, because they may file nothing. When the papers thin out, the temptation will be to read the quiet as a stall, the way quantum denialists read every gap between announcements. Read it the other way, and then check whether your migration plan ever depended on the papers at all. Mine no longer does.