Google Sets a 2029 Deadline for Post-Quantum Cryptography, and the Clock Is Already Running

Google's first concrete PQC timeline targets 2029. The real urgency is data being stolen today.

Oliver Senti, Senior AI Editor
March 26, 2026, 6 min read

Google published a blog post on March 25, 2026, setting 2029 as its target for migrating to post-quantum cryptography across its infrastructure. The announcement, signed by VP of Security Engineering Heather Adkins and Senior Staff Cryptography Engineer Sophie Schmieg, is the first time Google has put a specific year on its PQC transition. Three years to overhaul the encryption underpinning one of the world's largest technology platforms. That is either admirably aggressive or exactly the kind of deadline that gets quietly pushed back.

The post follows a February call to action from Kent Walker and Hartmut Neven, Google's global affairs president and Quantum AI lead respectively, which urged governments and industry to stop treating the quantum threat as a distant concern. That earlier blog post was notable for its directness: a cryptographically relevant quantum computer, they wrote, is not "forever a decade away."

The threat that doesn't need a quantum computer

Here's what caught my attention. Google's blog frames two distinct problems, and they are not equally distant. The first, store-now-decrypt-later attacks, is already happening. Adversaries vacuum up encrypted data today, bank it, and wait for quantum hardware capable of breaking the encryption to materialize. When it does, everything collected becomes readable. This is not speculative. Intelligence agencies have been warning about it for years, and Google's own security blog has discussed it since at least 2024.

The second threat targets digital signatures, the cryptographic proof that software updates are authentic, that your bank's website is actually your bank's website, that the person who signed a contract is who they claim to be. Forging those requires a working quantum computer. But you need to have replaced your signature algorithms before that machine exists, because there is no retroactive fix.

Google's response has been to adjust its threat model to prioritize authentication services. Which makes sense, if you think about it. Encrypted data stolen today is a problem whenever quantum arrives. But compromised digital signatures are an immediate, real-time catastrophe the day a capable machine spins up. You want your locks changed before the lockpick exists.

What Google is actually shipping

Concrete deliverables matter more than timelines. The most tangible piece here is Android 17, which will integrate ML-DSA, the Module-Lattice-Based Digital Signature Algorithm that NIST standardized in August 2024 as FIPS 204. According to Google's Android security blog, the upgrade touches two specific systems: Android Verified Boot gets ML-DSA signatures to protect the boot chain, and Remote Attestation migrates to a PQC-compliant architecture.

Google Play will also begin generating quantum-safe ML-DSA signing keys for new apps, with existing apps able to opt in. That is a meaningful move. It means the cryptographic chain of trust from boot to app installation gets quantum-resistant protection before most people have heard of ML-DSA.

This builds on earlier work. Chrome has supported post-quantum key exchange since 2024, and Google Cloud has been rolling out PQC solutions for internal communications. Google claims it has been working on post-quantum cryptography since 2016, which tracks with the company's early experiments with New Hope, a key exchange algorithm it tested in Chrome years ago.

The Willow question

Google is in an unusual position here. It is simultaneously building quantum computers and urging the world to defend against them. The company's Willow chip, announced in December 2024, has 105 qubits and demonstrated below-threshold quantum error correction for the first time in a superconducting system. That is a genuine milestone for the field, even if Willow is still orders of magnitude away from cracking RSA-2048.

But the 2029 timeline is not about Willow specifically. It is about the trajectory. Google's blog cites progress in quantum hardware, error correction, and (this is the interesting bit) updated "quantum factoring resource estimates." That last phrase is doing a lot of work. It implies that researchers are finding more efficient ways to use quantum computers for breaking encryption, which means the machine you need might be smaller and arrive sooner than previously thought.

A Google security blog post on tracking quantum factoring costs supports this. The February call to action noted that over the last decade, research has reduced by orders of magnitude the estimated resources required to break 2048-bit RSA. That is a trend line worth paying attention to, even if the absolute numbers are still large.

Can everyone else keep up?

Google can set a 2029 deadline because Google controls its own infrastructure. It builds the chips, writes the operating system, runs the cloud, ships the browser. For everyone else, the math is harder.

The Ethereum Foundation published its own PQC roadmap this week, also targeting 2029, though its researchers don't expect quantum computing to be cryptographically relevant for another eight to twelve years. They are being cautious, which is the right call when billions of dollars in value depend on elliptic curve cryptography holding up.

But consider the organizations that haven't started. Banks running legacy systems from the 1990s. Healthcare networks. Government agencies. NIST finalized its PQC standards in August 2024. Not everyone has read them yet, let alone begun migrating. Google's deadline is useful as a signal, but it could also create a false sense of security. If Google says 2029, maybe I have until 2030? That is not how store-now-decrypt-later works.

And there is a subtler problem. Prior to this announcement, Google was aligned with NIST's general guidance, which pointed roughly toward 2030. Moving the target a year earlier is a statement, but it is also a company that builds quantum computers telling you to hurry up. I'm not sure what to make of the incentive structure there. Google sells cloud services. Cloud migration is part of its PQC advice. That does not make the advice wrong, but it is worth noting.

What comes next

The Android 17 beta will be the first public test of Google's PQC signature integration. That is where the 2029 deadline either starts to feel real or starts to feel aspirational. Google Play's move to generate ML-DSA keys for new apps is arguably the piece with the widest immediate impact, since it touches every Android developer whether they are thinking about quantum computing or not.

NIST, for its part, continues evaluating additional algorithms. HQC was selected in March 2025 as a backup key encapsulation mechanism, and a second round of additional digital signature candidates is underway. The standards are still being built out, which makes any fixed migration deadline somewhat provisional.

Google's 2029 target is the most specific commitment any major tech company has made on PQC migration. Whether the rest of the industry treats it as a wake-up call or a press release will determine how much it actually matters.

Tags: post-quantum cryptography, Google, quantum computing, ML-DSA, NIST, encryption, Android 17, cybersecurity, Willow chip