Google Sets 2029 Deadline for Post-Quantum Migration
Google accelerates its post-quantum cryptography timeline to 2029, deploying ML-DSA in Android 17 and urging the industry to follow suit.
Last week Google announced it is targeting 2029 to complete its migration to post-quantum cryptography, a full year ahead of the timeline most organizations have been loosely tracking since NIST published its first PQC standards in 2024. If you’re still treating quantum readiness as a someday problem, someday is now three years away.
Why Google moved the date forward
Quantum hardware is advancing faster than mainstream forecasts suggested even two years ago. Improvements in error correction and qubit stability mean that a cryptographically relevant quantum computer, one capable of breaking RSA-2048 or ECDSA in practical time, looks less distant than it used to. The Global Risk Institute’s 2026 Quantum Threat Timeline now rates such a machine as “quite possible” within ten years.
The harvest-now-decrypt-later threat is already active, too. Nation-state actors and sophisticated criminal organizations are collecting encrypted traffic today, banking on the assumption that future quantum hardware will let them decrypt it. Every day you delay migration is another day of data exposure you cannot claw back.
And the supply chain for cryptographic change is slow. Migrating an organization’s entire stack, from TLS certificates and VPN tunnels to firmware signing and code-signing pipelines, takes years of planning, testing, and rollout. Google knows this firsthand. The company has been deploying PQC across its infrastructure since 2016 when it first experimented with post-quantum key exchange in Chrome.
What Google is actually shipping
This was not just a policy statement. Google backed the timeline with real technical work already underway.
Android 17, expected later this year, will ship with ML-DSA (Module-Lattice-Based Digital Signature Algorithm) protection in Android Verified Boot. The boot process, the chain of trust that ensures a device has not been tampered with, will be resistant to quantum attack from the moment a phone powers on. Remote attestation and KeyMint certificate chains are also moving to PQC-based architectures.
On the application side, Google Play now generates ML-DSA signing keys for new applications and offers existing developers the option to opt in. A mandatory two-year signing key upgrade cycle keeps the ecosystem from stagnating. Chrome has supported hybrid post-quantum key exchange (X25519MLKEM768) since 2024, and Google’s cloud services are steadily enabling PQC for data in transit and at rest.
VP of Security Engineering Heather Adkins and Senior Staff Cryptology Engineer Sophie Schmieg wrote that Google is sharing its timeline publicly to provide “the clarity and urgency needed to accelerate digital transitions.”
The industry is not ready
The gap between Google’s posture and everyone else is wide. A recent Trusted Computing Group study found that 91 percent of businesses lack a formal quantum-safe migration roadmap. Many organizations haven’t even completed a cryptographic inventory, which is the baseline step of identifying where and how they use vulnerable algorithms.
This isn’t only an enterprise problem. China announced this month that it expects to finalize its own national PQC standards within three years, prioritizing finance and energy sectors with distinct technical approaches including structureless lattice algorithms. Organizations that delay migration risk falling out of compliance with emerging regulations on both sides of the Pacific.
Meanwhile, Cloudflare reported in early March that over 60 percent of human-generated traffic on its network already uses post-quantum encryption via hybrid key exchange. The infrastructure is increasingly ready. The bottleneck is organizational will.
What you should do this quarter
If your organization hasn’t started PQC planning, now is the time.
Conduct a cryptographic inventory. You cannot migrate what you haven’t mapped. Identify every system, protocol, and certificate that relies on RSA, ECDSA, or classical Diffie-Hellman.
Prioritize authentication and signing. Google’s approach, starting with digital signatures and boot integrity before tackling bulk encryption, reflects a sound risk hierarchy. Authentication failures are harder to recover from than confidentiality breaches.
Plan for cryptographic agility. The NIST standards are not the final word. HQC, a code-based key encapsulation mechanism selected as the fifth NIST PQC algorithm, is still working toward a draft standard expected later this year. Your architecture should accommodate algorithm swaps without requiring a full rebuild.
Google plans to be ready by 2029. The question for every other organization is whether they’ll be ready too, or still planning when the threat arrives.