Post-Quantum Cryptography: Google’s Willow and the new 2029 Quantum Deadline

Quantum computing was long considered to be part of a distant future. However, it is quickly becoming a reality. Google’s late 2024 announcement of its Willow quantum computing chip was a breakthrough that generated significant media attention and raised pressing questions about the implications for cybersecurity, and recent developments suggest those questions have become more urgent than ever.

Google’s Willow advancements were significant because of two major breakthroughs critical to the commercialization and adoption of useful quantum computers. The first is that Willow reduces errors as it scales up to more qubits. Historically, the major challenge with quantum computing has been that adding more qubits causes the error rate to increase, rendering the quantum computer impractical for solving complex problems. The second major achievement is the speed of Willow’s computations. Using the random circuit sampling (RCS) benchmark, Willow completed a computation in under five minutes that would take a classical supercomputer 10 septillion years.

Although impressive, random circuit sampling (RCS) has limited real-world utility and essentially zero commercial relevance. At the time of Willow’s release, quantum computers remained unable to outperform classical supercomputers in commercially relevant applications. While Willow laid the foundation for a future where quantum computers could revolutionize computing, significant additional work remained. Global efforts to develop commercially viable quantum computers are accelerating rapidly, particularly in China where the first open-source operating system was published in February 2026. A month later, Google announced it is targeting 2029 for full PQC migration, underscoring that the quantum threat is no longer a matter of distant speculation.

The Accelerating Quantum Deadline: Google’s 2029 Target

On March 25, 2026, Google’s VP of Security Engineering and Senior Staff Cryptography Engineer published a landmark post titled “Quantum frontiers may be closer than they appear,” announcing that the company is setting a 2029 deadline for completing post-quantum cryptography migration. This announcement reflects progress across three interconnected areas: quantum hardware development, quantum error correction, and quantum factoring resource estimates — the last of which directly informs how many physical qubits would be required to break widely used encryption schemes like RSA.

Google’s post makes an important distinction about which threats are immediate versus future. The “harvest now, decrypt later” threat, where adversaries capture encrypted data today and store it for decryption once a sufficiently powerful quantum computer exists, is a current and active risk for any organization handling sensitive, long-lived data. The threat to digital signatures, while real, is a future risk that must be addressed before a Cryptographically Relevant Quantum Computer (CRQC) is operational. In response, Google has updated its own threat model to prioritize PQC migration for authentication services and recommends that other engineering teams do the same.

The announcement also highlighted a concrete product milestone: Android 17 is integrating PQC digital signature protection using ML-DSA (the implementation name for CRYSTALS-Dilithium / FIPS 204), in alignment with NIST standards. This continues Google’s pattern of embedding PQC technology directly into products used by billions of people, building on earlier PQC support in Chrome and Google Cloud.

For organizations evaluating when to begin their PQC programs, Google’s 2029 target should serve as a concrete planning horizon. Given that large enterprises typically require three to five years to complete major cryptographic infrastructure overhauls, organizations that have not yet started risk missing the window entirely.

The Looming Quantum Threat to Cybersecurity?

As mentioned above, commercially useful quantum computers are still thought to be years away. At the same time, concerted efforts are underway to prepare for the post-quantum age in cybersecurity and other relevant domains. Cybersecurity is poised to be one of the areas most impacted by quantum computing for one reason: algorithms. Many of today’s widely used encryption algorithms, such as RSA and ECC (Elliptic Curve Cryptography), rely on mathematical problems that are computationally difficult for classical computers to solve. However, quantum computers, leveraging the principles of quantum mechanics, can potentially break these algorithms with algorithms like Shor’s algorithm. This could render sensitive data, secure communications, and digital identities vulnerable to attacks.

Which aspects of cybersecurity are vulnerable to quantum computing?

It is expected that commercially viable and accessible quantum computers will have widespread impacts across cybersecurity. The most heavily impacted systems will be those that rely on algorithms that are vulnerable to quantum attacks.

Quantum Cryptography Impacts on Public Key Infrastructure

PKI, the backbone of digital trust, is fundamental for issuing digital certificates used to secure websites, emails, and online transactions. Current PKI implementations rely heavily on RSA and ECC, both of which are vulnerable to quantum attacks. A sufficiently powerful quantum computer could forge certificates or decrypt communications, enabling attackers to impersonate legitimate entities, conduct man-in-the-middle attacks, and undermine the integrity of the broader digital ecosystem.

Solution: Transitioning PKI systems to support NIST’s quantum-resistant standards, such as FIPS 203 (derived from CRYSTALS-Kyber for encryption), FIPS 204 (derived from CRYSTALS-Dilithium for digital signatures) and FIPS 205 (derived from SPHNICS+ for digital signatures), will prove essential for maintaining security in the quantum computing age.

Quantum Cryptography Impacts on Hardware Security Modules (HSMs)

HSMs are dedicated hardware devices that form a critical part of robust PKI systems. HSMs are designed to securely generate, store, and manage cryptographic keys. Today, HSMs typically use a combination of algorithms that are vulnerable and resistant to quantum attacks. Three prominent algorithms vulnerable to quantum computers include RSA, ECC, and Diffie-Hellman — all used for asymmetric encryption and key exchange. Conversely, symmetric encryption such as AES and hashing algorithms like SHA-256 are considered more quantum-resistant.

Solution: Leading HSM providers, including Thales and Entrust, provide support for a wide range of algorithms, including quantum resistant algorithms like those proposed by NIST. Upgrading HSMs to support NIST’s post-quantum algorithms ensures they remain effective in securing sensitive data. Choosing a HSM that has crypto agility by allowing you to easily adopt new algorithms will be key to future-proofing your cryptographic framework against the risk of quantum attacks.

Quantum Cryptography Impacts on Certificate Lifecycle Management (CLM)

CLM systems automate the issuance, renewal, and revocation of digital certificates. As quantum-resistant cryptographic algorithms become standardized, CLM systems must adapt to handle certificates that use these new algorithms. This transition presents both challenges and opportunities for organizations.

Challenges and Adaptations:

• Managing certificates with larger key sizes: Quantum-resistant algorithms often have larger key sizes than traditional algorithms, requiring adjustments to storage and processing capabilities.
• Handling different expiration criteria: Quantum-resistant certificates may have different lifecycles and require more frequent renewals.
• Ensuring backward compatibility: During the transition period, CLM systems must support both traditional and quantum-resistant certificates to ensure interoperability with existing systems.
• Algorithm agility: CLM systems need to be flexible enough to adapt to new algorithms and standards as they emerge.

Integrating NIST’s post-quantum standards into CLM systems will be crucial for organizations to streamline certificate management and transition securely to quantum-resistant cryptography. This will involve updating certificate templates, validation rules, and automation workflows to accommodate the new algorithms. Leading certificate lifecycle management solutions, such as Keyfactor, AppViewX and CyberArk, provide a shortcut to implementing both crypto agility and certificate authority (CA) agility. Having both crypto and CA agility enables your organization to quickly adopt certificates backed by quantum resistant algorithms and switch between CAs in the event of a major distrust event or vulnerability.

Quantum Cryptography Impacts on Data Encryption

Data encrypted using current algorithms — whether at rest or in transit — could be vulnerable to decryption by future quantum computers. The “harvest now, decrypt later” threat underscores the urgency of transitioning to quantum-resistant encryption methods as soon as possible. Adversaries are already capturing encrypted data with the intention of decrypting it once quantum computing technology is sufficiently advanced. As Google noted in its March 2026 announcement, this threat is active today, not a future concern.

Solution:

Organizations must proactively adopt quantum-resistant encryption methods to protect their sensitive data. This includes:

• Transitioning to NIST-approved algorithms: Utilizing CRYSTALS-Kyber (FIPS 203) for key encapsulation and encryption.
• Exploring alternative encryption methods: Investigating other quantum-resistant approaches, such as code-based cryptography or multivariate cryptography.
• Implementing a hybrid strategy: Combining classical and post-quantum encryption to provide layered protection during the transition.
• Prioritizing long-lived and sensitive data: Focusing first on high-value data that retains sensitivity beyond the expected 2029 horizon.

By adopting quantum-resistant encryption, organizations can ensure the long-term confidentiality and integrity of their data, even in the face of evolving quantum threats.

Quantum Impacts on Identity and Access Management (IAM)

IAM systems often rely on cryptographic protocols to authenticate users and authorize access to systems and data. Quantum computers could potentially break these protocols, jeopardizing the security of sensitive information and systems. Google’s updated threat model specifically calls out authentication services as a priority for PQC migration, given the role digital signatures play in verifying identity.

Solution:

IAM systems must transition to quantum-safe authentication methods. This might involve:

• Integrating post-quantum cryptographic algorithms: Adopting NIST-standardized algorithms such as CRYSTALS-Dilithium (FIPS 204) for digital signatures.
• Exploring alternative authentication methods: Investigating quantum-resistant approaches like lattice-based cryptography or hash-based signatures.
• Implementing hybrid approaches: Combining traditional and post-quantum cryptographic techniques to provide a layered defense during the transition period.

Upgrading IAM systems to incorporate quantum-resistant mechanisms is essential to maintain robust security and protect against unauthorized access in the post-quantum era.

NIST’s Quantum Resistant Cryptographic Algorithms

Recognizing the urgent need for quantum-resistant cryptography, the National Institute of Standards and Technology (NIST) initiated a standardization process in 2016. After years of rigorous analysis, NIST published its four quantum-resistant algorithm standards in August 2024, providing a crucial roadmap for organizations beginning their PQC transitions.

FIPS 203 — CRYSTALS-Kyber (ML-KEM)

Designed for general encryption and key encapsulation mechanisms, used to securely establish cryptographic keys between parties. Based on lattice-based cryptography, believed to be resistant to attacks from both classical and quantum computers.

FIPS 204 — CRYSTALS-Dilithium (ML-DSA)

Designed for digital signatures, used to verify the authenticity and integrity of digital documents and messages. Also based on lattice-based cryptography. ML-DSA is the algorithm Google has implemented in Android 17 for PQC digital signature protection.

FIPS 205 — SPHINCS+ (SLH-DSA)

Also designed for digital signatures. Based on hash functions and considered highly secure, though it has larger key sizes compared to CRYSTALS-Dilithium.

FIPS 206 — FALCON (FN-DSA)

Finalized by NIST in August 2024 alongside the other three standards, FALCON is particularly valuable in applications where smaller signature sizes are required, such as bandwidth-constrained environments and embedded systems.

Preparing for the Post-Quantum Era

With Google targeting 2029 for its own PQC migration and NIST’s standards now finalized, organizations can no longer treat post-quantum readiness as a horizon-scanning exercise. The time to plan and act is now. Enterprise cryptographic migrations are typically complex, multi-year programs — and 2029 leaves a narrower window than many security leaders may realize.

Why Proactive Planning Is Crucial:

• Magnitude of change: Upgrading cryptographic systems is a significant undertaking, impacting a wide range of applications, infrastructure, and processes.
• Interoperability: Ensuring compatibility between legacy systems and new quantum-resistant algorithms requires careful consideration.
• Resource allocation: Implementing PQC requires dedicated resources, expertise, and budget.
• Active threat exposure: Harvest now, decrypt later attacks mean that organizations handling long-lived sensitive data are already at risk, regardless of when a CRQC becomes operational.
• Staying ahead of the curve: Organizations that act now will be better positioned to meet the 2029 target and regulatory requirements that are likely to follow.

Step 1: Conduct a Quantum Readiness Assessment

A comprehensive Quantum Readiness Assessment provides a baseline of your organization’s current cryptographic posture and identifies vulnerabilities to quantum attacks. This assessment should include an inventory of all systems, applications, and devices relying on cryptography; a risk assessment of critical assets and data; a gap analysis against PQC requirements; and a roadmap with priorities, timelines, and resource allocation.

Step 2: Prioritize High-Value and Long-Lived Data

Identify your organization’s most critical and sensitive data and systems. Given the active harvest now, decrypt later threat, data that retains sensitivity for five years or more — financial records, intellectual property, health data, government information — should be treated as already at risk and prioritized for immediate PQC migration.

Step 3: Develop a Phased Migration Plan

Create a phased approach to transitioning to quantum-resistant algorithms, including:

• Pilot projects: Implement PQC in a limited scope to test and validate before wider deployment.
• Hybrid approach: Combine classical and post-quantum algorithms during the transition to maintain compatibility and security.
• Phased rollout: Gradually upgrade systems starting with the most critical, working toward completion ahead of the 2029 horizon.

Step 4: Monitor NIST Standards and Implement Cryptographic Agility

With NIST’s four initial PQC standards now finalized, organizations should begin adoption planning based on these published standards. Additionally, building cryptographic agility into your systems — the ability to switch algorithms without major re-engineering — is essential for responding to future developments, whether additional NIST standards, newly discovered vulnerabilities, or evolving regulatory requirements.

Step 5: Invest in Training and Awareness

Educate your IT and security teams about the quantum threat and the importance of PQC. Provide training on implementing and managing quantum-resistant cryptographic systems. Engaging with industry groups like the PKI Consortium can help your organization stay on the leading edge of post-quantum developments.

Step 6: Engage with Experts

Partner with cybersecurity experts like Accutive Security to assess your quantum readiness, develop a comprehensive PQC strategy, and implement quantum-resistant solutions across PKI, CLM, HSM, and secrets management environments. With Google’s 2029 deadline now on the table, organizations benefit from partners who specialize in these complex cryptographic transitions and can accelerate time-to-readiness.

The post-quantum era is no longer a theoretical future — it is an approaching deadline with concrete implications for every organization that relies on digital trust. By taking these proactive steps now, organizations can mitigate the risks posed by quantum computing and ensure the long-term security of their data and systems well ahead of the 2029 horizon.