In brief
- Cloudflare aims to make its platform fully post-quantum secure by 2029.
- New quantum research is compressing security timelines across the tech industry.
- The same cryptographic math protects internet authentication and Bitcoin signatures.
Cloudflare says it plans to make its entire platform resistant to quantum computing attacks by 2029, accelerating efforts to replace internet cryptography that powerful quantum machines could eventually break.
In a blog post on Tuesday, the web infrastructure company said it is prioritizing post-quantum authentication, warning that compromised authentication keys could allow attackers to impersonate servers, access systems, or distribute malicious software updates.
“The migration to post-quantum authentication is more complex than the transition for encryption because it involves more steps,” Sharon Goldberg, senior director of product management at Cloudflare, told Decrypt. “With post-quantum encryption upgrades to TLS, we only need to upgrade the TLS client and the TLS server.”
Transport Layer Security, or TLS, is the cryptographic protocol that secures internet connections between clients and servers, protecting data exchanged by websites, applications, and online services.
Cloudflare’s timeline reflects growing concern of ‘Q-Day,’ the theoretical yet increasingly plausible day when a practical quantum computer comes online. While experts once placed Q-Day decades away, new research, including by IBM and Google, puts the date closer to 2032.
“Our decision to accelerate our post-quantum roadmap–especially authentication–was triggered by recent breakthroughs in quantum computing, along with Google now also targeting 2029 for a full rollout of post-quantum authentication,” Goldberg said.
Cloudflare’s post echoed an announcement last month by Google, which said it plans to be quantum-resistant by 2029, which the company said helped trigger the accelerated timeline.
“All of this suggests that Q-Day might come sooner than expected,” warning that after Q-Day, an adversary armed with a quantum computer could break into any system not protected with post-quantum authentication,” Goldberg added.
Cloudflare joins a growing list of companies and developers sounding the alarm that quantum computing is advancing at a pace where it could become a cybersecurity risk, and the issue extends beyond websites.
Bitcoin relies on elliptic-curve digital signatures to prove ownership of coins and authorize transactions. Experts, including Ethereum co-founder Vitalik Buterin, Solana co-founder Anatoly Yakovenko, and Cardano founder Charles Hoskinson, have warned that a sufficiently powerful quantum computer running Shor’s algorithm could theoretically derive a private key from a public key, and that a move to post-quantum algorithms is necessary before Q-Day happens.
In March, researchers at Caltech and Oratomic published a study suggesting that breaking the cryptography used by Bitcoin would be done with as few as 10,000 qubits using a neutral-atom quantum computer. Experts say, however, that achieving that 10,000 mark is easier said than done.
“Just having 10,000 physical qubits is something that could happen within a year,” Oratomic co-founder and CEO Dolev Bluvstein previously told Decrypt. “But that's really not the goalpost people think it is. It’s not like when you design a computer, you just put the transistors on the chip, wash your hands, and say you’re done. It’s a highly non-trivial, extremely complicated task to actually go and build one of these.”
Those developments have pushed companies to accelerate their migration schedules.
Cloudflare said it mitigated much of that risk by enabling post-quantum encryption across most of its products starting in 2022.
“While we’re proud that over 65% of human traffic to Cloudflare is post-quantum encrypted and the majority of our products also support post-quantum encryption,” Goldberg said, “our work is not done until we’ve also deployed post-quantum authentication.”
Cloudflare said plans include rolling out post-quantum authentication for origin connections in mid-2026, expanding it to visitor connections in mid-2027, extending support across its enterprise networking platform by early 2028, and then ultimately completing deployment across its services by 2029.
“The complexity of the upgrade means that we need to start now,” Goldberg said. “Other organizations should also begin acting with a sense of urgency, so they don’t run out of time to implement a safe and smooth upgrade as Q-Day approaches.”