Full Report
Discussion of PQC relevant statistics that we see across our customers and other data sources.
Analysis Summary
# Industry News: The Shift to Post-Quantum Authentication
## Summary
Google has accelerated the timeline for Post-Quantum Cryptography (PQC) migration, setting a target of 2029 and pivoting focus toward PQC Digital Signature Algorithms (DSA). This shift marks a transition from simply defending against "harvest-now-decrypt-later" attacks to securing the foundational integrity of authentication services.
## Key Details
- **Date:** May 28, 2026 (Reported)
- **Companies Involved:** Wiz, Google, NIST
- **Category:** Market Analysis / Strategic Realignment
## The Story
For years, the cybersecurity industry focused on PQC specifically for key exchanges (ML-KEM) to prevent threat actors from stealing encrypted data today to decrypt it later once quantum computers mature. However, in early 2026, Google announced a strategic pivot: prioritizing PQC for **authentication and digital signatures** (ML-DSA and SLH-DSA).
This change is driven by research showing that the "capability gap" to **Q-Day**—the moment quantum computers can break asymmetric encryption—is narrowing faster than anticipated. While key exchange is now considered a largely "solved" implementation problem in modern browsers and servers, the industry must now tackle the more complex migration of digital signatures, which are essential for verifying identities and software integrity.
## Business Impact
### For the Companies Involved
- **Google:** Positions itself as the pacesetter for PQC standards, forcing the rest of the web ecosystem to align with its 2029 deadline.
- **Wiz:** Solidifies its role as a strategic advisor, providing the telemetry and data necessary for enterprises to audit their quantum readiness.
### For Competitors
- Cloud providers and security vendors must accelerate their own PQC roadmaps to remain compatible with Google’s ecosystem and avoid being perceived as "quantum-vulnerable."
### For Customers
- Organizations must inventory not just their encrypted traffic, but their entire authentication infrastructure.
- There is a looming "technical debt" crisis for companies still reliant on legacy protocols like TLS 1.2, which do not support PQC.
### For the Market
- A surge in demand for crypto-agility tools and services is expected as the 2029 deadline approaches.
- The market is shifting from "theoretical concern" to "mandatory compliance."
## Technical Implications
The migration to PQC Digital Signatures introduces significant overhead. **ML-DSA** (the NIST-preferred standard) produces signatures significantly larger than traditional RSA or ECDSA (e.g., 2,420 bytes vs. 64 bytes). This will impact network latency, packet fragmentation, and storage requirements for certificates and signed code.
## Strategic Analysis
- **Market Positioning:** Google is leveraging its dominance in the browser and cloud space to set a global security standard, effectively dictating the hardware and software requirements of the next decade.
- **Competitive Advantage:** Early adopters of PQC-ready software (like TLS 1.3 users) will face lower migration costs than those forced into a "fire drill" in 2028.
- **Challenges:** Implementation of SLH-DSA is computationally expensive (slow signing), while FN-DSA remains unstandardized and difficult to implement correctly.
## Industry Reactions
- **Analyst Opinion:** Analysts view Google's 2029 timeline as aggressive but necessary given the rate of quantum hardware advancement.
- **Expert Commentary:** Cryptographers emphasize that ML-DSA is the "primary algorithm" and warn against waiting for "more efficient" alternatives that are not yet standardized.
## Future Outlook
- **The "Squeeze":** Expect more software vendors to deprecate TLS 1.2 and older asymmetric algorithms by 2027.
- **Hardware Refresh:** We will likely see a push for hardware acceleration in CPUs and NICs to handle the larger key sizes and signature verification loads of PQC.
## For Security Professionals
Practitioners should immediately focus on:
1. **Upgrading to TLS 1.3:** This is the prerequisite for implementing PQC in transit.
2. **Crypto-Inventory:** Identifying where RSA and ECC are used for digital signatures in internal code signing and identity providers (IdPs).
3. **Vendor Pressure:** Asking SaaS and infrastructure providers for their specific PQC migration roadmaps in light of the 2029 target.