“Google’s introducing a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration.
“Last month, we called to secure the quantum era before a future quantum computer can break current encryption. This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction and quantum factoring resource estimates.”
In a related and more detailed Google blog on the topic of safeguarding cryptocurrencies that was released on March 31, they elaborated:
“Google has led the responsible transition to post-quantum cryptography since 2016. In a new whitepaper, we show that future quantum computers may break the elliptic curve cryptography that protects cryptocurrency and other systems with fewer qubits and gates than previously realized. We want to raise awareness on this issue and are providing the cryptocurrency community with recommendations to improve security and stability before this is possible, including transitioning blockchains to post-quantum cryptography (PQC), which is resistant to quantum attacks.
“To share this research responsibly, we engaged with the U.S. government and developed a new method to describe these vulnerabilities via a zero-knowledge proof, so they can be verified without providing a roadmap for bad actors. We urge other research teams to do the same to keep people safe. We look forward to continuing our work across the industry following our 2029 timeline alongside others working on responsible approaches, like Coinbase, the Stanford Institute for Blockchain Research, and the Ethereum Foundation.”
CYBER IMPLICATIONS OF PQC
Commenting on these announcements, DigiCert CEO Amit Sinha, who just moderated a PQC conversation on this topic at the RSA Conference, said this:
“Google’s updated 2029 timeline is indeed a wake-up call, but it’s not new information. Gartner identified 2029 as a critical milestone back in 2024, and the industry has already lost valuable time. What’s changing now is that when a company like Google reinforces that urgency, more organizations may finally start to act.
“At RSA Conference last week, I had the opportunity to moderate a panel with leaders like Michele Mosca, Bruno Couillard and Taher Elgamal on the future of PKI in a post-quantum world. One thing was clear: The conversation has shifted from if quantum disruption is coming to how quickly organizations can adapt their trust models.
“But we’re already seeing early movement: Roughly 40 percent of the most popular websites now support hybrid post-quantum key exchange. But that progress hasn’t translated into enterprise readiness. Most organizations still lack visibility into where cryptography is used across their environments.
“What’s often overlooked is that the same steps required for quantum readiness (i.e.: cryptographic inventory, automation and crypto agility) are also critical as certificate lifespans move toward 47 days. So the challenge isn’t awareness anymore; it’s execution before these pressures collide.”
Drew Todd wrote this piece on the same PQC timeline topic for SecureWorld:
“The announcement is not without precedent. Google has been investing in post-quantum security across its product stack for several years. Chrome has supported PQC key-exchange mechanisms, Google Cloud has offered PQC capabilities to enterprise customers, and internal communications infrastructure has already transitioned to quantum-safe protocols.
“The latest concrete milestone: Android 17 will integrate PQC digital signature protection using ML-DSA, aligned with the U.S. National Institute of Standards and Technology’s (NIST) published post-quantum standards. This brings PQC protections directly to end-user devices at scale — a significant deployment milestone given Android’s global footprint. …
“For enterprise security practitioners, the 2029 horizon is close enough to warrant immediate planning. PQC migrations are not lift-and-shift operations; they require cryptographic inventory, dependency mapping, algorithm selection aligned with NIST standards, and integration testing across complex, often legacy infrastructure. At the same time, organizations preparing for 47-day certificate lifecycles are already building the automation and certificate management pipelines that PQC transitions will also require. …”
DIGGING DEEPER ON PQC
I’ve been covering the coming reality of Q-Day on this blog for several years now. Michael McLaughlin said this in an interview back in 2023, which seems even more important today:
“First, on Q-Day, networks secured using traditional encryption methods will be vulnerable to compromise by a nation-state. Given the recent breaches attributed to Chinese cyber actors, such as Marriott-Starwood, Equifax and the Office of Personnel Management, it is clear that there exists a capable nation-state that is currently developing a quantum computer and motivated to steal massive amounts of data from private companies.
“Second — and this is critically important — any data that has been compromised at any point leading up to Q-Day, whether encrypted or not, will become readable. Unless companies are securing their networks and data using quantum-resistant cryptography, they will be opening themselves and their customers up to compromise. This is everything from the blueprints for next-generation fighter jets to protected health information to financial information — each of which can carry significant penalties in the event of a breach.
“To mitigate both of these eventualities, companies should be migrating their network architecture to quantum-resistant cryptography and methods. Fortunately, there are several commercial solutions that exist on the market today available for adoption.”
FINAL THOUGHTS
As I described last week in my RSA Conference summary, the term “AI” has become the ubiquitous “pixie dust” that every company now markets in their new products and services. It was difficult, but not impossible, at RSAC to hear about products focusing on PQC and road maps to get that resolved.
But Google’s recent announcements, along with other supporting quantum stories, are like to cause the top 2026 security industry predictions on PQC to become a reality. As a reminder, I wrote this as a top industry trend for this year:
“The Shift to Post-Quantum Security: Organizations must accelerate the transition to post-quantum cryptography to defend against ‘harvest now, decrypt later’ strategies from sophisticated adversaries.”
