Google Sets 2029 Deadline for Quantum-Safe Cryptography
Summary
Google has announced a company-wide goal to migrate systems, products and services to post-quantum cryptography (PQC) by the end of 2029. The timeline, described in a Google blog post by Heather Adkins and Sophie Schmieg, follows NIST’s 2024 PQC standards and focuses on crypto agility, securing critical shared infrastructure, and enabling ecosystem shifts.
Google is prioritising authentication and digital-signature migrations to address both immediate “store-now-decrypt-later” risks and future threats posed by Cryptographically Relevant Quantum Computers (CRQCs). The company has already started rolling out PQC protections across internal infrastructure and products, including Android 17 (ML-DSA signatures), Chrome and Google Cloud.
Content summary
The announcement underlines that quantum-capable adversaries could break many current encryption and signature schemes. Google recommends other engineering teams prioritise PQC for authentication services and build crypto agility so systems can adapt as standards evolve. NIST continues to push for PQC adoption, and experts advise organisations to inventory cryptography use, engage third-party providers about their migration plans, and apply pragmatic mitigations today (for example, strong salting) while preparing for a full migration.
Context and relevance
This move by Google is a clear signal to the industry: large cloud and platform providers are preparing for a post-quantum world and expect the broader ecosystem to follow. Organisations that protect long-lived sensitive data, or that rely on third-party services, should take note — failing to prepare can create security and interoperability headaches down the line.
Key Points
- Google aims to complete PQC migration across its systems and services by the end of 2029.
- Priority areas are crypto agility, securing shared infrastructure, and facilitating ecosystem shifts.
- Authentication and digital signatures are being prioritised to mitigate future signature-forgery risks; encryption faces immediate “store-now-decrypt-later” exposure.
- Android 17 will include ML-DSA post-quantum digital signature protections; Chrome and Google Cloud have earlier PQC work underway.
- NIST’s 2024 PQC standards are the roadmap many vendors are following; organisations should track evolving standards and vendor timelines.
- Practical steps for organisations: inventory crypto usage, engage service providers about their PQC plans, build crypto agility and apply interim mitigations such as robust salting.
Why should I read this?
Short version: if you care about keeping data and identities safe beyond the next few years, this matters. Google just set a public deadline and is moving its massive ecosystem — that influences clouds, mobile and browsers. Read this so you know what to tell your tech teams and vendors without panicking: plan, inventory, prod your suppliers, and start small fixes now.
Author style
Punchy: Google’s timeline sharpens the industry deadline — this isn’t theoretical anymore. If you handle long-lived secrets or rely on third-party platforms, the detail is worth your time.