Both Google and Cloudflare have announced that they are targeting 2029 to complete their post-quantum transitions, including post-quantum authentication. This is more aggressive than NIST’s 2030 deprecation timeline and the US government’s 2030–2035 targets. The acceleration follows the recent Oratomic and Google breakthroughs that dramatically reduced the estimated resources needed to break elliptic curve cryptography with a quantum computer.
Headlines have been breathless about “Q-Day arriving in 2029.” However, that misreads what is actually being said – and the correct reading is, in many ways, more important.
What “2029” does not mean
Neither Google nor Cloudflare is predicting that a cryptographically relevant quantum computer (CRQC) will exist by 2029. What they are saying is that they can no longer confidently rule it out. The ground under their feet is getting too hot for their liking.
We do not know whether they estimate this to be a 1% chance or a 10% chance — they have not published their full risk calculus. What we do know is that they consider the probability credible enough to justify accelerating multi-year, organisation-wide cryptographic transitions. These are not companies prone to panic. And in particular Google, as a major developer of quantum hardware, has deep insights in the state of progress.
As Scott Aaronson warned late last year: at some point, researchers estimating the resources needed to break deployed cryptosystems would stop publishing. Google’s decision to disclose their improved ECDLP circuit via a zero-knowledge proof rather than publishing it confirms that this point has passed. Future progress may not come with a press release.
Q-Day is not universal
The popular notion of Q-Day — a single moment the internet breaks — is dramatic, but unhelpful. A more productive framing: your Q-Day is the date by which the risk of a CRQC exceeds your organization’s risk appetite. Google’s Q-Day is apparently around 2029. Yours might be earlier or later, depending on what you are protecting.
This connects to an observation Sophie Schmieg made at RWPQC 2026: the cost of a CRQC shapes the threat. An expensive, slow first-generation CRQC will be aimed at high-value targets — CA roots, platform roots of trust, signing keys – where breaking one key cascades to many victims. A cheap, fast CRQC shifts the threat to bulk decryption of harvested traffic.
If your organization holds keys whose compromise would cascade, your Q-Day (or those systems’ Q-Day!) should be aggressive. If you handle long-lived confidential data, harvest-now-decrypt-later is already a present-day risk regardless of when Q-Day falls.
What to do
Whatever Q-Day you set, the migration takes years, not months. Start now. Identify which keys are high-value targets for an expensive CRQC. Which systems need to be updated now to avoid persisting quantum vulnerability for decades. And be explicit about your risk tolerance rather than choosing it by default through inaction.
If you are working out your Q-Day, or how to meet your deadline, PQShield can help — from cryptographic risk assessment to production-ready PQC solutions across software, hardware, and silicon.
Author: Dr Thom Wiggers: Thom obtained his PhD with distinction in early 2024 from Radboud University, The Netherlands. His thesis was titled Post-Quantum TLS and discussed how we can secure connections on the web. He is known for the KEMTLS proposal for post-quantum authentication in TLS. His main research interests include making post-quantum cryptography work in cryptographic protocols and standardization of PQC.