Google: Expect “Q-Day” Encryption Apocalypse by 2029

Experts have generally agreed that “Q-Day,” or the point at which quantum computers become capable of trivially defeating current encryption standards, is roughly 10 years off. Google now thinks we have less than half that time window left. A new paper from the tech giant declares that it is setting a deadline of 2029 for its own internal readiness and recommends that others follow suit.

Google says that progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates has advanced to the point that the overall timeline for encryption standard replacement must be drastically accelerated. The first three finalized post-quantum encryption standards were just announced by NIST in August 2025, and the current federal government timeline does not make implementation mandatory in new systems until 2030 or mandatory across all national security systems until 2033.

Google says Android 17 will implement new NIST-approved standard for digital signature protection

Google did not produce a full timeline for its PQC transition, but did announce that the upcoming Android 17 (projected to have its stable launch in June) will integrate PQC digital signature protection using one of the three NIST-approved encryption standards (ML-DSA). The company is additionally updating its threat model to prioritize PQC migration for authentication services.

The more general warning seems to be that the company believes, at minimum, “store-now-decrypt-later” attacks will begin to be feasible in 2029 against encryption standards still presently thought to be safe. This is more in keeping with estimates advanced by groups such as the Cloud Security Alliance, which has previously advised that “cryptographically relevant quantum computers” will be available by 2030 and will begin to be able to unlock previously stolen government and business secrets, forge signatures and facilitate man-in-the-middle attacks.

As to the apocalyptic “Q-Day” end to every security standard that keeps the internet and cryptographic secrets functioning, the timeline is still not clear. Sooner is obviously better than later in terms of encryption transition, but Google’s announcement surprised many who have been working in the quantum computing field. The general confusion is compounded by the fact that Google did not really provide specific rationales as to why a timeline that was generally set by experts at about 2035 for the “point of no return” would be advanced by so much. Google has been conducting some of the most advanced research in this field, however, and in June 2025 published research indicating that the number of qubits needed to break RSA encryption within a week would likely only be one million rather than the prior industry standard estimate of 19 million.

Overall encryption picture remains unclear

Estimates for the arrival of “Q-Day” began in the 1990s, when it was demonstrated that then-theoretical quantum computers could factor integers in polynomial time and thus break RSA encryption in a trivial amount of time. Estimates of the number of physical qubits needed to break current encryption standards within a matter of days have continued to move down with new research over the years, from one billion in 2012 to 20 million in 2019.

Though the “Q-Day” term makes it seem as if the internet will break all at once, the reality is that both the offensive and defensive sides of this will likely go through a gradual transition that takes place over the course of at least several years. This is certainly true for internet-connected architecture, which requires identifying and updating every place in the organization where encryption is used. Google themselves initiated their transition in 2016, but for most organizations the issue began to crystallize and become something to really act on just last year when NIST named the first set of post-quantum encryption standards.

Other major tech companies, including Cloudflare and Apple, have quietly begun implementing bits and pieces of their “Q-Day” preparation already. However, the general state of readiness is still very low at this point. The first move for organizations is to take inventory of all of their assorted uses of encryption, something for which most have not maintained detailed lists to date. Of particular concern is the identification of legacy systems that may well be impossible or overly difficult to modify and update, and getting a plan in place for replacement without substantial business disruption.

The other major concern is identifying encrypted data that may have already been exfiltrated. Threat actors can simply sit on this data and wait out the clock until “Q-Day” cracking methods become available. Some organizations will have to reckon with the reality of already-stolen secrets unexpectedly becoming public, or at least available to data extortion groups, likely at some point within the next few years if Google’s updated timeline is to be believed. What access to quantum computing will look like for the general public also remains fuzzy, making it hard to predict where threats will eventually emerge from beyond the most technologically advanced national governments.
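The inventory step and the store-now-decrypt-later concern described above can be combined into a simple triage pass. This is an added example, not code from Google or from the article; the record fields, triage labels and sample inventory are assumptions, and 2029 is used only because it is the planning date the article reports.

```python
from dataclasses import dataclass

Q_DAY_YEAR = 2029  # planning deadline reported in the article
# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}
# NIST post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:                 # hypothetical inventory record
    name: str
    algorithm: str           # e.g. "RSA-2048", "ML-DSA-65"
    purpose: str             # "confidentiality" or "signature"
    secret_until: int        # last year the protected data must stay secret
    migrate_by: int          # year the system is planned to be on PQC

def family(algorithm):
    """Reduce 'RSA-2048' or 'ML-DSA-65' to its algorithm family."""
    up = algorithm.upper()
    # Longest names first so 'ECDSA' is not mistaken for a shorter prefix.
    for fam in sorted(POST_QUANTUM | QUANTUM_VULNERABLE, key=len, reverse=True):
        if up.startswith(fam):
            return fam
    return "UNKNOWN"

def triage(asset, q_day=Q_DAY_YEAR):
    fam = family(asset.algorithm)
    if fam in POST_QUANTUM:
        return "ok"
    if fam not in QUANTUM_VULNERABLE:
        return "review"        # unclassified: never assume it is safe
    if asset.purpose == "confidentiality" and asset.secret_until >= q_day:
        return "exposed-now"   # traffic captured today is still sensitive later
    if asset.migrate_by >= q_day:
        return "migrate-late"  # replacement lands on or after the deadline
    return "scheduled"

INVENTORY = [  # constructed sample records, not real systems
    Asset("vpn-gateway", "ECDH-P256", "confidentiality", 2040, 2027),
    Asset("web-tls-cert", "RSA-2048", "signature", 2026, 2028),
    Asset("legacy-hsm-codesign", "RSA-4096", "signature", 2035, 2031),
    Asset("app-release-signing", "ML-DSA-65", "signature", 2035, 2026),
    Asset("batch-sftp", "ECDH-P256", "confidentiality", 2027, 2028),
    Asset("vendor-appliance", "VENDOR-CUSTOM", "signature", 2030, 2030),
]

def report(inventory):
    return {a.name: triage(a) for a in inventory}

if __name__ == "__main__":
    print(report(INVENTORY))
```

The "exposed-now" label ignores the migration date on purpose: data that must stay secret past the deadline is at risk from the moment it crosses the wire under a quantum-vulnerable key exchange.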