Google on Wednesday announced a decisive acceleration of its timeline to migrate all products to Post-Quantum Cryptography (PQC), setting an ambitious internal deadline of 2029 — a full year ahead of NIST’s industrywide 2030 mandate. The announcement, published simultaneously on the Google Security Blog and the Android Developer Blog, signals that the technology giant now views the threat from future quantum computers as sufficiently concrete to demand urgent, industry-wide action today.

Post-Quantum Cryptography refers to a new generation of encryption algorithms designed to remain secure even against the enormous computational power of cryptographically relevant quantum computers (CRQCs). The algorithms currently protecting most internet traffic — including the RSA and elliptic-curve cryptosystems that underpin banking, e-commerce, and government communications — are mathematically vulnerable to quantum attacks. While such machines do not yet exist at scale, the window for a safe transition is narrowing.

“Modern digital security is at a turning point. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat requiring the transition to PQC prior to a Cryptographically Relevant Quantum Computer.”

— Google Security Blog, March 25, 2026

Why the Urgency Now?

Google cited three converging forces behind its decision to accelerate: rapid progress in quantum computing hardware, breakthroughs in quantum error correction, and updated resource estimates for quantum-assisted prime factorization. Together, these developments have compressed the community’s best estimates of when a CRQC might arrive.

Of particular concern is the “store-now, decrypt-later” (SNDL) attack strategy — a practice already underway in which adversaries harvest and stockpile encrypted data today, betting they can decrypt it once sufficiently powerful quantum hardware becomes available. Data with a confidentiality shelf life extending beyond roughly ten years — such as health records, financial credentials, and biometric information — is already at practical risk under this model.

For digital signatures — the cryptographic tools used to verify software identity, authenticate OS boot sequences, and validate app integrity — the threat is understood to arrive later, but the migration itself is more complex. Heather Adkins, VP of Security Engineering, and Sophie Schmieg, Senior Staff Cryptography Engineer, framed the 2029 goal as a “responsibility to lead by example,” urging enterprises and government teams to treat the timeline as a catalyst for their own transitions.

Regulatory Context

Under NIST IR 8547, PQC is preferred for new systems by 2027 and required for all new systems by 2030, and classical public-key algorithms will be banned outright by 2035. In January 2026, CISA issued guidance under Executive Order 14306 directing federal agencies to procure only PQC-capable products in categories where capable options already exist; browsers and web servers are already on that list.

Android 17: A Quantum-Resistant Security Stack

The most tangible and immediate announcement concerns Android 17, which Google states will be the first mobile operating system to implement comprehensive PQC integration across its full security architecture. Testing begins in the next Android 17 beta, with general availability in the stable production release.

The upgrade targets four distinct pillars of Android’s security model, building a continuous quantum-resistant “chain of trust” from hardware power-on through to final app execution.

The Four Pillars of Android 17’s PQC Architecture

  • Android Verified Boot (AVB): The AVB library is integrating ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the NIST-standardized PQC signature scheme. This protects the secure boot chain — the sequence that verifies the operating system has not been tampered with before it ever loads.
  • Remote Attestation: Android 17 begins migrating Remote Attestation to a fully PQC-compliant architecture. By updating KeyMint’s certificate chains to support quantum-resistant algorithms, devices can continue to securely prove their integrity state to external services and enterprise systems in a post-quantum environment.
  • Android Keystore: Natively supporting both ML-DSA-65 and ML-DSA-87 via the standard KeyPairGenerator API, Keystore now allows developers to generate and verify quantum-safe signatures entirely within the device’s secure hardware (Trusted Execution Environment), isolating sensitive key material from the main OS.
  • Google Play App Signing: During the Android 17 release cycle, Google Play will automatically generate quantum-safe ML-DSA signing keys for new apps and offer opt-in migration for existing apps. Developers will also be able to supply their own keys for hybrid signatures that pair a classical key with an ML-DSA key — maintaining backward compatibility while adding quantum-resistant protection.

The engineering challenge is considerable. Lattice-based cryptography — the mathematical foundation of ML-DSA — requires significantly larger key sizes and memory footprints than classical elliptic-curve cryptography. Implementing it within the resource-constrained Trusted Execution Environment of a mobile device represents, in Google’s own words, a major engineering achievement. An ML-DSA-65 signature alone runs approximately 3,293 bytes, compared to roughly 64 bytes for a comparable ECDSA signature.

By centralizing PQC at the platform level, Google argues, individual app developers are shielded from the complexity of managing their own cryptographic migrations. The billions of Android users who never touch a security setting stand to benefit automatically.

Industry Timeline at a Glance

  • 2024: Chrome enables PQC by default. Since Chrome 131 (November 2024), Google has enabled X25519+ML-KEM-768 hybrid key exchange as the default for TLS 1.3 connections, protecting data in transit for billions of browser users.
  • Jan 2026: CISA EO 14306 guidance issued. Federal agencies directed to procure only PQC-capable products in applicable categories; browser and web server categories immediately in scope.
  • Mar 2026: Google announces 2029 PQC deadline and Android 17 rollout. Comprehensive PQC integration across Android Verified Boot, Keystore, Remote Attestation, and Google Play. PQC testing begins in the next Android 17 beta.
  • 2027: NIST: PQC preferred for new systems. Under NIST IR 8547, all new systems should prefer post-quantum algorithms.
  • 2029: Google internal PQC migration complete. Google’s self-imposed deadline, one year ahead of the NIST mandate, covers all products and services.
  • 2030: NIST: PQC required for all new systems. Classical public-key algorithms prohibited for new deployments across U.S. federal systems and compliant enterprises.
  • 2035: NIST: Classical algorithms banned. Full prohibition on classical public-key cryptography, including RSA and elliptic-curve, across all systems.

What This Means for Users and Developers

For the typical Android user, the transition will be largely invisible — a strengthened foundation beneath familiar surfaces. The chain of trust securing every app download, every OS boot, and every hardware attestation will silently become quantum-resistant. No action is required.

Developers, however, face meaningful decisions. Those using Play App Signing will have PQC key generation handled automatically for new apps. Existing apps will be offered an opt-in migration path. Developers who manage their own signing keys will eventually need to generate ML-DSA keys and configure hybrid signature blocks. Google has signaled it will publish detailed migration documentation to support this transition.

For enterprise security teams and backend infrastructure operators, the announcement is a call to action. Google explicitly recommends that engineering teams adjust their own threat models: treat store-now-decrypt-later as a present threat, and begin planning digital signature migrations before a CRQC emerges — not after. Deploying PQC at a perimeter device such as a web application firewall, security researchers caution, does not guarantee end-to-end protection if the internal connection from the WAF to the origin server still relies on classical TLS only. The full connection path must be evaluated.
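
One way to carry out the path evaluation described above, as an added example that is not from Google's announcement: it parses the ServerHello captured on each TLS 1.3 leg, reads the key_share group the server selected, and lists the legs that fell back to a classical group. The function names, hop labels and sample records are constructed for illustration; the group codepoints are the IANA-registered values.

```python
import struct

# IANA TLS "Supported Groups" codepoints: hybrid PQ groups vs. classical ones.
HYBRID_PQ = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}

def selected_group(record: bytes) -> int:
    """Return the key_share group chosen in a TLS 1.3 ServerHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]        # legacy_session_id_echo
    pos += 2 + 1                  # cipher_suite, legacy_compression_method
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 51:        # key_share: group(2) | key_len(2) | key
            return struct.unpack_from("!H", record, pos + 4)[0]
        pos += 4 + ext_len
    raise ValueError("no key_share extension (not TLS 1.3?)")

def classical_hops(path):
    """Given [(hop_name, server_hello_bytes)], list hops without a hybrid PQ group."""
    weak = []
    for name, record in path:
        group = selected_group(record)
        if group not in HYBRID_PQ:
            weak.append((name, CLASSICAL.get(group, hex(group))))
    return weak

def sample_server_hello(group: int, key_len: int) -> bytes:
    """Constructed ServerHello with zeroed random/key bytes, for the demo only."""
    key_share = struct.pack("!HH", group, key_len) + bytes(key_len)
    exts = (struct.pack("!HHH", 43, 2, 0x0304)            # supported_versions: TLS 1.3
            + struct.pack("!HH", 51, len(key_share)) + key_share)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed two-hop path (hypothetical labels): hybrid at the perimeter,
# classical X25519 on the internal leg behind it.
PATH = [("client->WAF", sample_server_hello(0x11EC, 1120)),
        ("WAF->origin", sample_server_hello(0x001D, 32))]

if __name__ == "__main__":
    print(classical_hops(PATH))
```

Any hop the function returns still carries traffic that is exposed to store-now-decrypt-later collection on that leg, regardless of what the perimeter negotiated.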

By setting a 2029 deadline and deploying PQC in its most widely distributed platform, Google is using Android’s global reach — spanning billions of active devices — as a forcing function for an industry-wide transition. The race to a quantum-safe internet has officially begun.