Cloudflare speeds up post‑quantum plans
Cloudflare says it is accelerating its post‑quantum cryptography work and now targets full quantum‑secure authentication by 2029, following Google warnings about an accelerated timeline. That shifts post‑quantum from a distant research project to a cross‑functional programme touching security, infra, and compliance budgets. For engineering leaders, the implication is to treat long‑horizon crypto migrations as explicit programme risks with timelines and resourcing. (CSO Online, heise online)
Most internet encryption today works like a padlock that is easy to check but hard to copy. A powerful enough quantum computer could change that math and break systems that protect website traffic, virtual private networks, software updates, and remote logins. (nist.gov) That is why the National Institute of Standards and Technology spent eight years running a competition for new algorithms and published its first three final post‑quantum standards on August 13, 2024. Those standards include tools for key exchange and digital signatures, which are the two jobs the internet does every time it sets up a secure connection. (nist.gov) Key exchange is the part where two computers quietly agree on a shared secret, like agreeing on a code word before a call. Cloudflare says it already enabled post‑quantum key agreement for all websites and application programming interfaces on its network in 2022, and more than 50% of human web traffic it sees now uses that protection. (blog.cloudflare.com) Authentication is the harder second half. That is the identity check that proves a server, a device, or a user is really who it claims to be, and Cloudflare says full post‑quantum security now depends on replacing those signatures too. (blog.cloudflare.com) Cloudflare moved its target for full post‑quantum security to 2029 on April 7, 2026, and it said the trigger was a faster threat timeline from recent advances in quantum hardware and software. The company said the goal now explicitly includes post‑quantum authentication, not just encrypted transport. (blog.cloudflare.com) Google had already made the same date public on March 25, 2026. In its post, Google said it is accelerating its migration timeline for post‑quantum cryptography across products and infrastructure because the industry should prepare before a cryptographically relevant quantum computer arrives. (blog.google) The reason signatures are urgent is simple: if a future machine can forge them, the problem is not just eavesdropping. Cloudflare said quantum‑vulnerable remote login keys could become entry points for attackers, and software update systems could turn into remote code execution paths. (blog.cloudflare.com) Cloudflare’s roadmap breaks the migration into stages instead of one giant switch. The company plans post‑quantum authentication for connections between its network and origin servers by mid‑2026, then for user‑to‑Cloudflare connections by 2027, with the rest of its platform following by 2029. (blog.cloudflare.com) This is no longer a lab project hidden inside a cryptography team. Cloudflare’s plan touches transport protocols, certificate systems, hardware security modules, compliance work, customer compatibility testing, and software supply chains, which is why the schedule now looks like an infrastructure programme instead of a feature launch. (blog.cloudflare.com) The quiet message in this deadline is that the internet’s biggest operators are no longer waiting for a single dramatic “quantum day.” NIST has already published the replacement tools, Google and Cloudflare have both put 2029 on the calendar, and the work now is the slow part: swapping out identity systems that were built into everything years ago. (nist.gov, blog.google, blog.cloudflare.com)
