Before turning to the 2029 deadline, it is worth understanding what is at stake. Quantum computing is advancing quickly, and its growing power could one day break the encryption that keeps our online data, messages, and payments private. Making a system quantum-safe means upgrading it to new encryption that even a quantum computer cannot break.
Some deadlines are not about a single event on a fixed day. They are about how long it takes to prepare before that day arrives, and Google’s 2029 quantum-safe target is one of them. Google set out this target in a blog post in March 2026. The message was clear. Google said it will migrate Chrome, Android, and Google Cloud to Post-Quantum Cryptography (PQC) by 2029, so they stay protected against future quantum computers.
The obvious question is why act now, when such computers do not yet exist. The answer is that preparation takes years, and Google believes the clock is already running. Google has effectively set a firm marker for the wider technology sector.
In this blog, we will break down Google’s 2029 quantum-safe goal, explain why organizations need to begin preparing for post-quantum cryptography now, explore the risks of harvest now, decrypt later (HNDL), understand the role of NIST’s new PQC standards, and discuss the practical steps businesses can take to plan their migration journey.
What Quantum Computers Can Break
Almost everything you do online is locked up by encryption. Think of it as a digital lock. Today’s locks are strong because even the fastest normal computers would need thousands of years to break them.
A quantum computer is a fundamentally different kind of machine. It does not simply run faster; it solves certain problems in an entirely new way. Using Shor’s algorithm, it can solve the integer factoring and discrete logarithm problems that underpin RSA and elliptic curve cryptography (ECC). RSA and ECC are the public-key systems behind most of today’s encryption. A sufficiently powerful quantum computer could break them in days rather than centuries.
That machine doesn’t exist yet. It may be closer than people thought.
Why Google Moved Its Deadline to 2029
So, what does “moving the deadline” actually mean? Google changed its own target date and decided to be quantum-safe sooner than it first planned. Nothing was attacked, and no quantum computer suddenly appeared. Its research just showed the threat arriving faster than expected, so it pulled the date forward. Think of it like spotting storm clouds rolling in early and choosing to fix the roof now instead of waiting until next year.
A few years ago, experts thought you’d need a quantum computer with about 20 million “qubits” (its building blocks) to crack common encryption. In May 2025, a research estimated that it might take under a million of them and a 2048-bit RSA integer could be factored in less than a week. That is a roughly 20-fold reduction, achieved without any change to the underlying hardware. People just found smarter ways to do it. When the company building these quantum computers states that the threat is closer than expected, it requires serious attention.
This shift is striking because the threat moved closer with no new hardware, only better algorithms. And because such breakthroughs build on one another, Google prefers to prepare against an earlier timeline rather than risk being caught unprepared.
For the official view: NIST, the U.S. standards agency, recommends deprecating RSA and ECC by 2030 and disallowing them by 2035. This guidance, IR 8547, is still a draft. Google deliberately chose 2029 in order to stay a step ahead of these standards.
Two Threats on Two Different Timelines
This is the most insightful part of Google’s post, and one that most news coverage overlooked. Quantum computers threaten two things, but not at the same time.
Your Data Is at Risk Today
One such attack is known as harvest now, decrypt later. Someone copies your scrambled data today, even though they can’t read it yet, and waits. When quantum computers arrive, they unlock it. So, anything that must stay secret for years, like health records or trade secrets, is already at risk if it’s only behind today’s locks. In short, data that must stay private for years is the most exposed, and it should be the first to move to quantum-safe protection.
Forged Signatures Are a Future Threat
A digital signature is how your device checks that something is real, like making sure an app update truly came from the company and not a hacker. Here’s what makes this a future threat and not a danger today: unlike harvested data, a signature can’t be forged in advance. An attacker would need a working quantum computer available at the moment of forgery, so there is nothing to capture or store in advance today, and the risk remains dormant until such a machine actually exists.
But signatures are built deep into app stores, websites, and the software inside your devices, and changing all that takes years. So, you have to start early. That’s why Google is making signatures a priority now.
What Google Is Already Doing About It
What makes Google’s promise believable? It isn’t starting from zero. Google has been adding this quantum-safe protection for a while, and it’s already switched on in places you use every day.
| Product | What it secures | Algorithm (NIST standard) | Status |
|---|---|---|---|
| Chrome | Web connections | Hybrid X25519 + ML-KEM-768 (FIPS 203) | Live |
| Android | Software authenticity | ML-DSA (FIPS 204) | Live (Android 17) |
| Google Cloud | Signing & key encapsulation | ML-DSA / SLH-DSA (FIPS 204/205) + ML-KEM (FIPS 203) | Live (GA) |
The tricky part is size. The new quantum-safe pieces are bigger than the old ones, so they take up more room in every connection. This is manageable for everyday traffic, but it becomes a significant burden for digital signatures. A post-quantum signature such as ML-DSA is around 3.3 KB at the ML-DSA-65 level, against roughly 70 bytes for today’s ECDSA, and hash-based SLH-DSA signatures can exceed 17 KB. Those larger signatures must still pass through certificate chains, TLS handshakes, and firmware and code-signing pipelines, so every check and every device carries the extra weight. That’s why the move to quantum-safe signatures is widely seen as the hardest part of the transition.
What This Means for Your Organization
Google can meet its 2029 target because of its scale, its control over most of its own systems, and years of preparation. Most companies don’t have that head start. Google’s migration approach offers a practical template for any organization starting its own transition.
In 2024, NIST approved the new quantum-safe standards: ML-KEM (FIPS 203) for secure connections and ML-DSA (FIPS 204) for signatures, both lattice-based, meaning they are built on the hard geometry of high-dimensional grids that quantum computers cannot solve efficiently, plus the hash-based SLH-DSA (FIPS 205) as an alternative signature scheme. For national security systems, the NSA’s CNSA 2.0 suite sets even tighter deadlines, running from 2025 to 2035. Even so, the transition cannot be completed overnight because of the size constraints described above. And it’s not just Google saying this. Gartner stated that “by 2029, advances in quantum computing will make conventional asymmetric cryptography unsafe to use,” which is the same year Google chose for its deadline.
Want to start? Here’s the short list:
- Begin by finding where you use encryption, because you can’t protect what you can’t see. Build an inventory of the cryptography across your applications, servers, and devices, and flag the systems that still depend on RSA and ECC. This inventory becomes the baseline for everything that follows.
- Protect your most sensitive data first because long-lived secrets such as health records, financial data, and trade secrets are the most exposed to HNDL. An attacker can copy this data today and decrypt it once quantum computers arrive, so it should move to quantum-safe protection ahead of anything with a shorter shelf life.
- Enable hybrid encryption wherever possible. A hybrid scheme runs a classical algorithm and a post-quantum one together in the same exchange, so the connection stays secure as long as either algorithm holds.
- Stay crypto-agile. Crypto-agility means building systems so you can switch from one algorithm to another through configuration, without rebuilding the application, so future changes stay low-effort.
NIST’s NCCoE has also published a draft practice guide, SP 1800-38, Migration to Post-Quantum Cryptography, which walks through the migration process step by step. It is a useful starting point even in draft form.
How Encryption Consulting Can Help
If you are wondering where and how to begin your post-quantum journey, Encryption Consulting is here to support you. You can count on us as your trusted partner, and we will guide you through every step with clarity, confidence, and real-world expertise.
We begin with a Cryptographic Discovery and Inventory, scanning your entire environment to identify certificates, keys, algorithms, and protocols across endpoints, applications, APIs, and infrastructure. This builds the baseline you need before any migration can begin.
From there, we conduct a PQC Assessment to evaluate your exposure to quantum threats, identify RSA- and ECC-dependent systems, and deliver a prioritized report of vulnerable assets with risk severity ratings.
With that clarity, we develop a PQC Strategy and Roadmap, a phased migration plan aligned to your risk appetite, regulatory requirements, and long-term security goals, including cryptographic agility so your systems can adapt as standards evolve.
We then support Vendor Evaluation and Pilot Testing, helping you select the right tools, run proof-of-concept tests, and validate interoperability before any full-scale rollout.
Finally, we manage Full Implementation, deploying hybrid classical and quantum-safe models, rolling out PQC across your PKI and infrastructure, and setting up monitoring for long-term cryptographic health.
Together, these steps make the 2029 deadline a well-planned, manageable transition rather than a serious risk, and starting early makes it simpler to complete.
Conclusion
Google’s 2029 deadline is not a prediction of when quantum computers will arrive. It’s an honest estimate of how long the cleanup takes, from a company that understands the threat well. The real message for businesses is that the time to act is the period before 2029, while the change can still be made in a planned and orderly way. Three things to remember:
- Google moved early because its own research showed the number of qubits needed to break RSA encryption had dropped roughly 20-fold from earlier estimates.
- There are two separate timelines to consider. Your data is at risk now, while forged signatures come later but still need an early start.
- The transition is already underway. Quantum-safe protection runs in Chrome, Android, and Google Cloud today.
The takeaway from Google’s announcement is direct: start now. Find your encryption, make a simple plan, and migrate before 2029.
