Cryptography | Mar 27, 2026

Google Moves Q-Day Estimate to 2029 – Industry Experts Say the Clock Is Already Ticking

Google accelerates post-quantum cryptography migration to 2029 amid faster quantum computing progress.

Summary

Google announced a 2029 target date for completing its migration to post-quantum cryptography (PQC), significantly ahead of prior NSA (2031) and US government (2035) timelines, citing accelerated progress in quantum hardware, error correction, and factoring estimates. The company highlighted the immediate 'Harvest Now, Decrypt Later' threat where nation-state actors are already exfiltrating encrypted data to decrypt once quantum computers mature, and urged organizations to prioritize PQC for authentication and digital signatures before a cryptographically relevant quantum computer (CRQC) arrives. Industry experts largely affirmed the urgency, emphasizing that the operational risk window is already open and legacy systems, multi-cloud environments, and edge devices pose significant challenges to enterprise migration efforts.

Full text

Google has officially set 2029 as its target date for completing a full migration to post-quantum cryptography (PQC), in what the company describes as a necessary acceleration driven by faster-than-expected advances in quantum computing hardware, error correction and factoring resource estimates. The announcement, published on Google’s blog yesterday, has sent shockwaves through the cybersecurity community, pushing what was once considered a distant theoretical threat squarely into the realm of near-term operational planning.

The 2029 timeline is considerably more aggressive than existing government benchmarks. The NSA had previously set a 2031 target for implementing PQC, while broader US government guidance pointed to 2035 for full agency readiness. Google’s announcement effectively blows past both.

For their part, Google’s security engineers cited progress on three specific fronts: quantum computing hardware development, quantum error correction, and quantum factoring resource estimates. A key milestone underpinning the concern is a report showing that a 2,048-bit RSA integer could theoretically be factored in under a week using a quantum computer equipped with one million so-called ‘noisy’ qubits, a far more achievable specification than the billion precise qubits that 2012-era estimates had demanded. The practical implication is stark: what once seemed an almost impossibly large engineering challenge is beginning to look like an engineering problem with a foreseeable solution.

Harvest Now, Decrypt Later: The Threat That Is Already Here

Google’s announcement was careful to distinguish between two distinct categories of quantum threat. The first and most immediately pressing is the so-called ‘Harvest Now, Decrypt Later’ or ‘Store Now, Decrypt Later’ attack model.
Adversaries, including nation-state actors, are believed to already be systematically harvesting encrypted data today, with the intention of decrypting it once a cryptographically relevant quantum computer (CRQC) becomes available. Under this model, the threat is not abstract or future-tense but actively unfolding right now.

The second risk relates to digital signatures: the mechanisms underpinning secure websites, software updates, device identity and authentication. These are future threats, but ones that require action before a CRQC arrives, because retroactive protection is not possible once trust hierarchies have been compromised. Google said it has adjusted its own threat model accordingly, prioritising PQC migration for authentication services, and urged other engineering teams to do the same. Android 17, due for release in June, will integrate PQC digital signature protection using ML-DSA, the NIST-aligned algorithm, embedded directly into the operating system’s hardware root of trust.

Industry Reaction: Alarm, Affirmation and a Call to Act Now

The announcement drew immediate commentary from security professionals across the industry, who broadly welcomed Google’s willingness to set a specific date while stressing that for most organisations, the real danger window has already begun.

Simon Pamplin, Chief Technology Officer at Certes, said, “Google’s revised Q-Day estimate of 2029 is a significant wake-up call, but for many organisations, the most dangerous window isn’t when quantum computers arrive, it’s right now. Adversaries are already running Harvest Now, Decrypt Later campaigns: exfiltrating encrypted data today with the intention of unlocking it once a cryptographically relevant quantum computer exists. If your organisation is still relying on RSA, TLS, or standard PKI to protect sensitive data in transit, that data is already at risk, regardless of whether Q-Day lands in 2029 or 2035.
“Organisations should focus on when the threat arrives, but what deserves equal attention is the question of what happens to the data being harvested right now. Post-quantum migration is a multi-year project for most organisations, and with Gartner predicting a cryptographically relevant quantum computer could arrive by 2029, the gap between where most businesses are and where they need to be is closing fast. Action should be taken today.

“Challenges such as legacy systems that may not be able to be natively upgraded to PQC, multi-cloud environments creating security confusion due to different security models, and the end user and edge being the most vulnerable part of any organisation’s data security posture, mean that firms need to look at end-to-end PQC solutions that are able to protect data across any app, any infrastructure, anywhere. Quantum readiness isn’t about predicting a date. It’s about eliminating a long-term exposure before that date becomes irrelevant.”

Kieran B, Head of Security Engineering at Bridewell, echoed the sentiment that Google’s move is less a change to the nature of the threat and more a tightening of the window in which organisations can act responsibly. He said, “Google’s decision to set a 2029 deadline for completing its migration to post-quantum cryptography is a significant signal to the wider market. It does not reflect a fundamental change in the nature of the quantum threat, but rather that progress in quantum computing hardware, software and error correction is accelerating faster than previously anticipated. As one of the organisations most deeply involved in both quantum research and large-scale cryptographic engineering, Google is effectively signalling that the window for preparation is narrowing.

“For businesses, the key point is understanding what is at stake.
Today’s public-key cryptography underpins almost every digital interaction: secure websites, software updates, device identity, digital signatures and authentication. A cryptographically relevant quantum computer would be capable of breaking widely used algorithms such as RSA and elliptic-curve cryptography, undermining these trust mechanisms.

“One of the biggest risks with post-quantum security is assuming there will be a clear, visible moment when the threat arrives. In reality, ‘Q-day’ is likely to be quiet, sudden, and only obvious in hindsight. Google’s timeline makes it clear that the transition to post-quantum cryptography is now a multi-year change programme — and organisations that begin in earnest today will be far better placed to manage it in a controlled, risk-based way.”

Bridewell’s own research into post-quantum readiness has highlighted a concerning gap: many organisations report confidence in their preparedness, yet a significant proportion have not yet fully assessed their cryptographic exposure or engaged with existing guidance. Kieran B noted this suggests the challenge is not just technical, but a fundamental misunderstanding of the scale and complexity of the transition ahead.

A Race Against Embedded Encryption and Legacy Infrastructure

One of the most persistent obstacles to rapid PQC migration is the extent to which encryption is embedded deep within legacy systems, supply chains, and multi-cloud architectures, often invisibly. Peter Jones, cyber security specialist at Conscia UK, described how dramatically the narrative has shifted in just a few years.

“If we go back to 2022, the narrative was that quantum computers would be able to outperform traditional computers in 15 or 20 years’ time. The NSA and NCSC initially issued guidance to critical infrastructure providers to implement quantum-resistant cryptography by 2035. However, they are now both encouraging the adoption of the new standards faster than originally thought.
“For many organisations, encryption is embedded into devices, processes and supply chains, making it difficult to understand the dependence on specific algorithms, but it’s now time to take action. Start by engaging with senior leadership to ensure they understand the challenge and drive the initiative company-wide. Create a team to discover and identify all sensitive data in the organisation, especially any data that will remain sensitive for an ext