Google sets 2029 deadline for quantum-safe encryption, years ahead of government targets

Skye Jacobs

Posts: 2,000   +58
Staff
TL;DR: Google has dramatically accelerated its timeline for securing its infrastructure against quantum computing threats, setting a 2029 deadline for full readiness – years ahead of most government and industry targets. The announcement has surprised cryptography experts, representing the company's clearest signal yet that it anticipates the arrival of "Q Day" – when quantum machines could break current encryption standards – sooner rather than later.

The announcement came this week in a blog post detailing Google's migration plan to post-quantum cryptography, a new generation of algorithms designed to withstand attacks from quantum computers.

"As a pioneer in both quantum computing and PQC, it's our responsibility to lead by example and share an ambitious timeline," wrote Heather Adkins, Google's vice president of security engineering, and Sophie Schmieg, a senior cryptography engineer. "By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but across the industry."

Until now, most organizations had relied on milestones set by the US government and defense agencies, which generally target 2030 to 2033 for full quantum readiness. "That is certainly a significant acceleration/tightening of the public transition timelines we've seen to date, and is accelerated over even what we've seen the US government ask for," said Brian LaMacchia, a cryptography engineer who led Microsoft's post-quantum transition between 2015 and 2022 and now works at Farcaster Consulting Group, in an interview with Ars Technica. "The 2029 timeline is an aggressive speedup but raises the question of what's motivating them."

Google did not specify the reasons behind the shorter deadline. However, the company's research has repeatedly revised expectations for how soon current cryptographic systems could fail under quantum attacks.

Last year, Google scientists led by Craig Gidney published findings suggesting that a 2,048-bit RSA key could be broken in under a week by a quantum computer with one million noisy qubits. That estimate sharply reduced the previously accepted threshold, which in 2019 was believed to require roughly 20 million qubits.

Alongside its broader announcement, Google outlined its first comprehensive plan to make Android quantum-resistant. According to a separate post, the company will add support for ML-DSA – a digital signature algorithm standardized by the US National Institute of Standards and Technology – starting with the Android 17 beta release. ML-DSA will integrate into Android's hardware root of trust, allowing developers to use post-quantum cryptography keys for app signing and verification.

Google said ML-DSA has already been added to the Android Verified Boot library, ensuring that the operating system's startup sequence cannot be tampered with. Engineers are also transitioning Android's remote attestation – a mechanism for proving device integrity to corporate or cloud servers – to PQC.

Future updates will extend ML-DSA support to the Android Keystore, enabling secure on-device key generation, and eventually to the Play Store and its app-signing processes.

That migration will require significant changes for developers, who will need to update signing, verification, and authentication workflows. For Google, these efforts are part of what it calls a necessary shift to "prioritize PQC migration for authentication services – an important component of online security and digital signature migrations."

For cryptographers, Q Day has been a moving target for decades. Since mathematician Peter Shor revealed in the 1990s that a sufficiently powerful quantum computer could factor large integers exponentially faster than classical systems, the timeline for breaking RSA encryption has fluctuated, with the required quantum resources steadily decreasing over the years.

Despite the uncertainty, cybersecurity planners have treated the quantum threat as urgent. The NSA currently aims to transition national security systems to post-quantum cryptography (PQC) algorithms by 2033, with earlier deadlines for specific applications set for 2030 and 2031. Software vendors such as Signal, Cloudflare, and Apple have already begun incorporating NIST-approved PQC algorithms, including CRYSTALS-Kyber and ML-KEM-768, into their products, albeit often in a limited scope.

Google framed its internal timeline as both an engineering directive and a public warning. Whether the rest of the industry shares Google's assessment of the timeline remains uncertain. By setting a firm 2029 deadline, however, Google has effectively signaled that the race to outpace Q Day is no longer theoretical.

Permalink to story:

 
They've been working very hard to make sure it happens so it makes sense for them to have an increased awareness. There are massive advantages to moving established workloads to evermore complex and expensive hardware: It raises the barrier and cost for entry, consolidates control. In short, Google is working to make sure that when this happens, the first solution to the problem will be to pay Google.
 
Is this in the same ballpark as nuclear fusion? "It's coming in 5 years"?

At this stage I take all news as shareholder fondling. Saying stuff to make them give more money/buying more stocks.
 
They've been working very hard to make sure it happens so it makes sense for them to have an increased awareness. There are massive advantages to moving established workloads to evermore complex and expensive hardware: It raises the barrier and cost for entry, consolidates control. In short, Google is working to make sure that when this happens, the first solution to the problem will be to pay Google.
While that's probably also true, I think the real problem is that quantum computers than can break encryption will be here some day and the bigger problem is that some state level actor could destroy any other countries, say, banking system. They could have access to all healthcare documents of ever citizen, leak all identifying information on the citizens from a nation and suddenly, everyone in Canada can have their identies stolen.

While I think Google definitely wants to profit about this, I think lowering the barrier of entry for quantum encryption is good for everyone. There ARE people who still won't be ready for the first quantum attacks, but the less people we leave vulnerable, the better. The longer we go without being ready for it, the worse it will get.
 
While that's probably also true, I think the real problem is that quantum computers than can break encryption will be here some day and the bigger problem is that some state level actor could destroy any other countries, say, banking system. They could have access to all healthcare documents of ever citizen, leak all identifying information on the citizens from a nation and suddenly, everyone in Canada can have their identies stolen.
I think there’s a bigger risk of that by using new cryptographic algorithms that haven’t been tested in the public domain for years. RSA is old but also well understood as a result, meaning its limitations are well understood too. You should see the list of broken algorithms that were once thought of as more advanced than RSA. That’s why RSA uses specially created padding, designed to make it invulnerable to attacks (ie. PSS and OAEP).
 
Google is working to make sure that when this happens, the first solution to the problem will be to pay Google.
Golly ... you mean forward thinking and creating solutions to problems in advance gives one a competitive business advantage? Whodda' thunk it?

I much prefer the old Soviet system. No matter how obvious the looming disaster is, wait until it strikes, then write your reaction into the next five-year plan. This methodology is what gave them by far the world's largest economy.
 
Last edited:
Back