Post‑quantum timetables accelerate
Cloudflare says it's actively reprioritising post‑quantum cryptography work after Google signalled a faster timeline for quantum‑safe transitions, pushing what looked like a distant upgrade into immediate planning. Security teams and vendors now face compressed deadlines to deploy new cryptography standards and update infrastructure. (csoonline.com) (cybersecurity-insiders.com)
Most internet security still relies on math problems that ordinary computers cannot solve in useful time, but a powerful quantum computer could solve some of them much faster. The two big targets are the systems behind website locks and digital identities: Rivest-Shamir-Adleman and elliptic curve cryptography. (nist.gov) Post-quantum cryptography is the replacement set of locks. The National Institute of Standards and Technology says three post-quantum standards are already finished and ready to implement now, after an eight-year review process. (nist.gov) One risk is “harvest now, decrypt later.” An attacker can steal encrypted traffic today, store it for years, and wait for a future quantum machine to unlock it after the fact. (blog.google) Google said on March 25, 2026 that it is now working to a 2029 migration timeline. Google tied that date to newer estimates on quantum hardware, quantum error correction, and the resources needed to break current cryptography. (blog.google) Google also said the danger is no longer just old encrypted data sitting in storage. It said digital signatures and authentication now need priority, because those are the checks that prove a login, software update, or certificate is really from who it claims to be. (blog.google) Cloudflare moved four days later. In its April 7, 2026 roadmap update, it said it now targets 2029 for full post-quantum security, including post-quantum authentication across its platform. (blog.cloudflare.com) Cloudflare said it had already enabled post-quantum encryption for all websites and application programming interfaces on its network in 2022. It also said more than 65% of human traffic reaching Cloudflare is already using post-quantum encryption. (blog.cloudflare.com) The unfinished part is identity, not secrecy. Encrypting traffic protects what two computers say to each other, but authentication is the ID check that stops an attacker from pretending to be your bank, your employer, or a software vendor. (blog.cloudflare.com) Cloudflare said the trigger was new research, including a Google claim of a major improvement in a quantum attack on elliptic curve cryptography and an Oratomic estimate that breaking the widely used P-256 curve on a neutral-atom machine could take about 10,000 qubits. (blog.cloudflare.com) That is why this stopped looking like a “someday” upgrade and started looking like a calendar problem. NIST says products, protocols, and services all need updates, and organizations need to find every place old algorithms are buried before they can swap them out. (nist.gov) The practical bottleneck is that cryptography is wired into certificates, browsers, phones, cloud services, virtual private networks, hardware security modules, and software signing systems. If one piece in that chain cannot handle the new standard, the whole migration slows down. (nist.gov)
