Google speeds up post-quantum migration to counter "harvest now, decrypt later" attacks
Traditional encryption may soon be trivial to crack - prompting adversaries to gather sensitive protected data they can access in future.
A “harvest now, decrypt later” attack sounds like the plot of an espionage thriller. But the threat is very real.
At some point in the future, a cryptographically relevant quantum computer will be able to break widely used encryption systems such as RSA and ECC - a moment often referred to as Q-Day.
Criminals and nation states are already acting on this assumption, gathering vast amounts of sensitive encrypted data, from top-secret national security files to valuable corporate secrets, in the expectation that it will soon be trivial to crack it open.
Now, Google has cited this looming risk as the reason for accelerating its shift to post-quantum cryptography (PQC), setting a new, aggressive deadline of 2029 and warning that "quantum frontiers may be closer than they appear".
In a statement, the company said it hoped to "provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry".
It wrote: "Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store now, decrypt later attacks, while digital signatures are a future threat that requires the transition to PQC prior to a cryptographically relevant quantum computer.
"That’s why we’ve adjusted our threat model to prioritize PQC migration for authentication services — an important component of online security and digital signature migrations. We recommend that other engineering teams follow suit."
A quantum leap for cryptography
Quantum computers will be able to break encryption using at least two methods. Firstly, Shor’s algorithm will quickly solve the mathematical problems that underpin widely used encryption systems. Grover’s algorithm will also speed up brute-force searching by efficiently probing “black box” functions where only the input and output are known.
NIST is now working to standardise quantum-safe algorithms, which may not be agreed and widely available for several years.
Although Google did not rule out the risk of insiders or criminal actors like ransomware gangs leveraging quantum computers, it previously argued that nation-states will be the most likely to weaponise the tech.
"They will most likely try to deploy the quantum computer in a deniable fashion, in order to avoid tipping off adversaries of their capabilities," it wrote. "Nation states are most likely to target the Cloud deployments of other nation state customers, and may target political dissidents and other targets for surveillance. Nation-states might also target Google or other infrastructure providers for military or economic reasons."
Last year, ETSI (European Telecommunications Standards Institute) introduced a new standard for quantum-safe hybrid key exchanges.
Mark Pecen, ETSI Chair of Technical Committee on Quantum Technologies, said Google's accelerated 2029 deadline reflects a shift from trying to predict Q-day to managing the risk of this epochal event.
READ MORE: When will quantum computing have its "ChatGPT moment"?
"The existing public key cryptographic systems that protect our Internet and wireless transactions, Rivest-Shamir-Adelman (RSA) and Elliptic Curve Cryptography (ECC) are aging cryptosystems, developed in the 1970s and 1980s respectively," he explained. "These algorithms become weaker for every year that technology advances, so post-quantum cryptography is also being viewed as the next generation of data security.
"In addition, newer and faster algorithms have already been developed, such as the JVG algorithm, that require less quantum computational power (qubits) to factor large prime numbers, on which some legacy cryptosystems such as RSA are based. By moving earlier than government timelines, Google is effectively forcing the industry to treat post-quantum migration as an immediate operational priority rather than a future compliance exercise."
Matt Campagna Chair of the Quantum-Safe Cryptography working group at ETSI, told Machine Google's "ambitious timeline" reflects an "accelerating quantum threat landscape", advising businesess to start preparing as soon as possible.
"Organizations operating information technology systems should take note: understanding local PQC migration timelines—as set by customers and regulators—is now essential," he said. "Businesses must develop their own PQC migration strategies and actively engage with vendors and suppliers to ensure alignment."
Are enterprises ready for Q-Day? Probably not...
However, many organisations have barely even started thinking about cut safe cryptography.
Kieran B, Head of Security Engineering at Bridewell, said: "Our research into post-quantum readiness highlights a concerning gap at this stage. Many organisations report confidence in their preparedness, yet a significant proportion have not yet fully assessed their cryptographic exposure or engaged with existing guidance. This suggests that, for some, the challenge is not just technical readiness but a fundamental understanding of the scale and complexity of the transition ahead.
One of the biggest risks with post-quantum security is assuming there will be a clear, visible moment when the threat arrives. In reality, “Q-day” is likely to be quiet, sudden, and only obvious in hindsight. Google’s timeline makes it clear that the transition to post-quantum cryptography is now a multi-year change programme and organisations that begin in earnest today will be far better placed to manage it in a controlled, risk-based way.”
READ MORE: Commercialising the "second quantum revolution"
For Simon Pamplin, Chief Technology Officer at Certes, the threat is not some far-away risk - but an immediate danger.
“Google’s revised Q-Day estimate of 2029 is a significant wake-up call, but for many organisations, the most dangerous window isn’t when quantum computers arrive, it’s right now," he said.
"Adversaries are already running harvest now, decrypt later campaigns: exfiltrating encrypted data today with the intention of unlocking it once a cryptographically relevant quantum computer exists. If your organisation is still relying on RSA, TLS, or standard PKI to protect sensitive data in transit, that data is already at risk, regardless of whether Q-Day lands in 2029 or 2035."
