Google Targets 2029 to Replace Quantum-Vulnerable Encryption
Google has set a 2029 deadline to complete its transition to post-quantum cryptography. As a result, it aims to replace encryption methods that future quantum computers could break. Moreover, the company emphasized that the wider tech industry must act quickly to avoid long-term security risks.
This urgency stems from the “harvest now, decrypt later” threat. In other words, attackers may already be collecting encrypted data today, intending to decrypt it once quantum capabilities mature. Therefore, delaying action could expose sensitive information in the future. Earlier, Kent Walker and Hartmut Neven had already urged governments and industries to accelerate adoption of quantum-resistant systems.
Android 17 as a Key Implementation Step
To move forward, the company is introducing major updates in Android 17. Specifically, it has begun testing post-quantum features in the upcoming beta, while a broader rollout will follow in the final release.
Android 17 will integrate ML-DSA into Android Verified Boot. Consequently, this ensures that software loaded during startup remains protected by quantum-resistant signatures. In addition, Remote Attestation will shift to a PQC-compliant structure by updating KeyMint certificate chains.
At the same time, Android Keystore will support ML-DSA directly within secure hardware. This allows applications to generate and verify quantum-safe signatures more efficiently. Furthermore, developers will gain access to ML-DSA-65 and ML-DSA-87 through the SDK. Alongside these changes, Google Play will begin issuing quantum-safe signing keys for both new apps and those that opt in.
Industry Pressure and Competing Timelines
While these steps advance internal adoption, the broader industry faces a significant transition challenge. The company has worked on post-quantum cryptography since 2016, and it has already migrated internal key exchanges to ML-KEM. As a result, its services now default to quantum-resistant key exchange.
However, timelines vary across organizations. For example, Microsoft plans partial adoption by 2029, yet it expects full migration to extend to 2033. Meanwhile, federal agencies are targeting a 2030–2035 window under NIST guidance. Similarly, the European Commission has encouraged member states to secure critical infrastructure by 2030.
Because of its dual role in quantum research and global infrastructure, the company views its position as a responsibility. Therefore, it has committed to setting an ambitious example while encouraging faster industry-wide adoption.
