Cloudflare accelerates post‑quantum work
Cloudflare says it is 'actively adjusting' its post‑quantum cryptography priorities after a Google alert accelerated migration timelines, turning PQC from theoretical planning into a roadmap item for large providers. The practical pressure is pushing organisations toward cryptographic agility rather than immediate blanket switches, since long‑lived clients and systems make wholesale replacement hard (csoonline.com).
Cloudflare just moved its deadline for full post-quantum security to 2029 after Google set the same date on March 25, 2026, which is unusually fast for a change that touches the plumbing of the internet. (blog.cloudflare.com(blog.cloudflare.com)) (blog.google(blog.google)) Post-quantum cryptography is the replacement lock for today’s internet encryption, because a future quantum computer could break two of the old locks, Rivest-Shamir-Adleman and elliptic curve cryptography, that protect logins, certificates, and key exchange. (csrc.nist.gov(csrc.nist.gov)) The pressure is not only about a machine that exists today. Google said “store-now-decrypt-later” attacks already matter, because encrypted traffic stolen in 2026 could be opened years later if quantum hardware catches up. (blog.google(blog.google)) The standards are no longer theoretical. The National Institute of Standards and Technology finalized its first three post-quantum standards in August 2024, including Module-Lattice-Based Key-Encapsulation Mechanism for key exchange and Module-Lattice-Based Digital Signature Algorithm for signatures. (csrc.nist.gov(csrc.nist.gov)) Cloudflare says more than 65% of human traffic on its network is already using post-quantum encryption, because browsers and websites can swap in new key exchange methods faster than they can replace every identity check on the internet. (blog.cloudflare.com(blog.cloudflare.com)) That last part is the snag. Google said it is now prioritizing authentication services, which means the harder job is not wrapping data in a safer box but replacing the signatures and certificates that prove who is talking to whom. (blog.google(blog.google)) Cloudflare tied its schedule change to new research claims that the quantum resources needed to break elliptic curve cryptography may be lower than older estimates, and to separate work from Oratomic that estimated breaking P-256 on a neutral-atom machine at 10,000 qubits. (blog.cloudflare.com(blog.cloudflare.com)) Google’s public message was narrower but still sharp: progress in quantum hardware, error correction, and factoring estimates was enough for it to publish a 2029 migration target and tell other engineering teams to move faster too. (blog.google(blog.google)) Nobody is promising a one-week switch. The National Institute of Standards and Technology says organizations have to find where old algorithms are buried across products, services, and protocols, and its transition plan deprecates quantum-vulnerable algorithms by 2035 with high-risk systems moving earlier. (csrc.nist.gov(csrc.nist.gov)) So the real change in this story is not that Cloudflare thinks a quantum computer is breaking the web tomorrow. It is that two companies that run huge pieces of the modern internet now have the same date on the calendar, and that turns post-quantum cryptography from a research project into an engineering deadline. (blog.cloudflare.com(blog.cloudflare.com)) (blog.google(blog.google))
