
Cryptography — March 27, 2026
Google Says Encryption Breaks by 2029.
Digital Signatures Are More Urgent Than You Think.
Google moved its post-quantum cryptography migration deadline to 2029, two years ahead of NSA’s 2031 target. Digital signatures are a more urgent problem than encrypted data in transit. Here is why and what ML-DSA means for Android 17.
Sources: Google Security Blog; NIST PQC standards (ML-DSA, ML-KEM); NSA Commercial National Security Algorithm Suite 2.0; Android 17 changelog; March 2026.
Google set a 2029 target for migrating its entire infrastructure to post-quantum cryptography (PQC), the company announced on March 25, 2026. The timeline is more aggressive than the U.S. federal government’s NIST guideline of 2035. Google cited three converging developments: faster-than-expected progress in quantum computing hardware, advances in quantum error correction, and updated resource estimates for quantum factoring. Vice President of Security Engineering Heather Adkins and Senior Staff Cryptology Engineer Sophie Schmieg wrote that the company has “adjusted its threat model to prioritize PQC migration for authentication services” and recommended that other engineering teams follow suit.
The announcement is not a prediction that quantum computers will break encryption by 2029. It is a statement that the migration itself takes years, and organizations that wait until the threat is confirmed will not finish in time. Google began preparing for post-quantum cryptography in 2016, a decade of lead time. Most organizations have not started. The Trusted Computing Group found that 91% of businesses do not have a formal roadmap for migrating to quantum-safe algorithms.
What the Quantum Threat Actually Is
Current public-key cryptography (RSA, elliptic curve) relies on mathematical problems that classical computers cannot solve in reasonable time. A sufficiently powerful quantum computer running Shor’s algorithm could factor large numbers and compute discrete logarithms efficiently, breaking both RSA and ECC. The threshold for this capability is called a Cryptographically Relevant Quantum Computer (CRQC). No CRQC exists today. The question is when one will, and whether organizations can complete a migration that touches every layer of their infrastructure before it arrives.
The “store now, decrypt later” attack makes the timeline problem worse. Adversaries (state-level intelligence agencies, primarily) are already harvesting encrypted data with the expectation of decrypting it once quantum computers mature. Diplomatic communications, trade secrets, medical records, and classified intelligence encrypted today using RSA or ECC could be readable in the future. The data captured in 2026 does not expire. The encryption protecting it will. For data with a secrecy requirement measured in decades (government secrets, health records, financial data), the threat window has already opened.
What Google Is Actually Doing
Google is replacing cryptographic algorithms across its entire product surface with NIST-standardized PQC algorithms. NIST finalized the first set of PQC standards in 2024 after a decade-long selection process: ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. These algorithms are designed to resist both classical and quantum attacks. Google is deploying them across Android, Chrome, Cloud services, and internal infrastructure.
The company’s approach centers on “crypto agility,” the ability to swap cryptographic algorithms without disrupting services. Google has built its systems so that replacing one algorithm with another requires configuration changes rather than architectural rewrites. This agility is what makes a 2029 migration feasible for Google specifically. Most organizations lack this flexibility because their cryptographic implementations are hardcoded into applications, embedded in hardware, and tangled with legacy systems that were never designed to be updated.
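The pattern described above, sketched as an added example (not Google's code): each signed envelope names its algorithm, and a JSON policy decides which algorithm signs and which are still accepted. The two registry entries are HMAC stand-ins so the block runs on the Python standard library; the policy names, keys and payloads are constructed for illustration.

```python
import hashlib
import hmac
import json

# Algorithm id -> tag function. Both entries are HMAC stand-ins (assumption);
# a deployment would register ECDSA and ML-DSA wrappers from a vetted library.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}

# Constructed policies: migrating is an edit to this config, not to the code.
LEGACY = '{"sign_with": "hmac-sha256", "accept": ["hmac-sha256"]}'
TRANSITION = '{"sign_with": "hmac-sha512", "accept": ["hmac-sha256", "hmac-sha512"]}'
FINAL = '{"sign_with": "hmac-sha512", "accept": ["hmac-sha512"]}'
KEYS = {"hmac-sha256": b"constructed-key-a", "hmac-sha512": b"constructed-key-b"}

def _signed_bytes(alg, payload):
    # Bind the algorithm id into the signed data so it cannot be relabelled.
    return alg.encode() + b"\x00" + payload

def sign(policy_json, payload):
    alg = json.loads(policy_json)["sign_with"]
    tag = ALGORITHMS[alg](KEYS[alg], _signed_bytes(alg, payload))
    return {"alg": alg, "payload": payload.hex(), "sig": tag.hex()}

def verify(policy_json, envelope):
    alg = envelope.get("alg")
    # Policy first: a retired algorithm is refused even if its tag is valid.
    if alg not in json.loads(policy_json)["accept"] or alg not in ALGORITHMS:
        return False
    payload = bytes.fromhex(envelope["payload"])
    expected = ALGORITHMS[alg](KEYS[alg], _signed_bytes(alg, payload))
    return hmac.compare_digest(expected, bytes.fromhex(envelope["sig"]))

def migration_matrix():
    old, new = sign(LEGACY, b"release-1.0"), sign(TRANSITION, b"release-2.0")
    return {
        "old@transition": verify(TRANSITION, old),
        "new@transition": verify(TRANSITION, new),
        "old@final": verify(FINAL, old),
        "new@legacy": verify(LEGACY, new),
        "relabelled@transition": verify(TRANSITION, dict(old, alg="hmac-sha512")),
    }

if __name__ == "__main__":
    print(migration_matrix())
```

Hardcoded systems fail the `old@final` step: retiring an algorithm there means finding and changing every call site instead of one accept list.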
Why 2029 and Not 2035
NIST’s guidelines suggest completing PQC migration by 2035. Google moved the target six years earlier for three reasons. First, Google is both a quantum computing developer (its Willow chip demonstrated below-threshold quantum error correction in 2024) and a provider of infrastructure that billions of people rely on. It has direct visibility into the pace of quantum progress. Second, Chinese labs have achieved breakthroughs across several quantum computing fields over the past two years, accelerating the timeline estimates for when a CRQC might exist. Third, Google’s updated threat model prioritizes digital signatures (used for authentication, software integrity, and identity verification) over bulk encryption. A compromised digital signature system is an immediate, catastrophic failure, not a future decryption risk.
What This Means for Everyone Else
The Crypto Industry Implications
The quantum threat extends beyond traditional IT infrastructure. Blockchain networks rely on the same public-key cryptography that quantum computers threaten. The Ethereum Foundation launched a “Post-Quantum Ethereum” resource hub on March 25, 2026, targeting protocol-level quantum-resistant solutions by 2029. Solana developers created a quantum-resistant vault using hash-based signatures. Bitcoin’s BIP-360 proposes a new output type (Pay-to-Merkle-Root) to protect addresses from quantum attacks. Blockstream CEO Adam Back argues quantum risks are “widely overstated” and that no action is needed for decades. The disagreement tracks the broader debate: is the threat imminent enough to justify the cost and disruption of migration?
For cryptocurrency specifically, the risk depends on key exposure. Wallets with publicly visible public keys (such as those that have previously sent transactions) are theoretically vulnerable to quantum attack. Wallets where the public key has never been exposed (only the address, which is a hash of the public key) have an additional layer of protection. The practical timeline depends on when a CRQC can break the specific key sizes used in Bitcoin (256-bit ECDSA) and Ethereum (secp256k1), which current estimates place at 2035 to 2040 with optimistic quantum hardware progress.
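A wallet owner can turn the exposed-key versus hashed-key distinction into an inventory check. This added example (not from the original article) goes beyond the text by classifying the standard Bitcoin output script templates according to whether the public key is already on chain; the sample outputs, their labels and the `key_revealed_by_spend` flag are constructed for illustration.

```python
def classify_script(script_hex, key_revealed_by_spend=False):
    """Return (script_type, pubkey_exposed) for one Bitcoin scriptPubKey.

    pubkey_exposed is None when the script alone cannot answer the question.
    """
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True  # push <pubkey> OP_CHECKSIG: key is in the output
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", key_revealed_by_spend  # only HASH160(pubkey) on chain
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", key_revealed_by_spend  # only HASH160(pubkey) on chain
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True  # witness v1 program is itself a 32-byte public key
    return "other", None  # script hash or non-standard: needs the full script


def exposed_labels(outputs):
    """Labels of outputs whose public key is already visible on chain."""
    return [label for label, script, reused in outputs
            if classify_script(script, reused)[1] is True]


# Constructed inventory: (label, scriptPubKey hex, address spent from before?).
# The key and hash bytes are filler values, not real keys or addresses.
SAMPLE_OUTPUTS = [
    ("early-mined", "21" + "02" + "11" * 32 + "ac", False),
    ("cold-storage", "76a914" + "22" * 20 + "88ac", False),
    ("reused-hot", "76a914" + "33" * 20 + "88ac", True),
    ("segwit-fresh", "0014" + "44" * 20, False),
    ("taproot", "5120" + "55" * 32, False),
    ("multisig-p2sh", "a914" + "66" * 20 + "87", False),
]

if __name__ == "__main__":
    for label, script, reused in SAMPLE_OUTPUTS:
        print(label, classify_script(script, reused))
    print("migrate first:", exposed_labels(SAMPLE_OUTPUTS))
```

Outputs reported as exposed are the ones to move first once a quantum-resistant output type is available; hashed outputs keep their extra layer only as long as the address is never spent from and reused.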
The Real Question
Google’s 2029 timeline is not a prediction about when quantum computers will break encryption. It is a prediction about how long migration takes. The company began in 2016, built crypto agility into its infrastructure over a decade, and still needs three more years to complete the transition. Organizations that have not started face a migration that will take 5 to 10 years with full engineering commitment. If Q-Day arrives in 2035 (the NIST estimate) and you start migrating in 2030, you finish in 2040. Five years too late. The data harvested during those five years is permanently compromised.
The question is not whether quantum computers will break current encryption. They will. The question is whether the migration machinery of governments, enterprises, and infrastructure providers can move fast enough to complete the transition before it matters. Google is betting the answer is yes for itself, and hoping the rest of the industry follows. The 91% without a roadmap suggests that hope is, at the moment, unfounded.
Sources: Google Security Blog, March 25, 2026; CyberScoop; PYMNTS; Help Net Security; The Quantum Insider; SiliconANGLE; PC Gamer; Slashdot discussion; BeInCrypto (blockchain PQC implications); TradingView/Cointelegraph (Ethereum PQC hub); Trusted Computing Group survey.