Accelerating Towards a Post-Quantum Secure Future

At Cloudflare, we are committed to ensuring the Internet remains private and secure, and our focus has shifted towards achieving full post-quantum (PQ) security by 2029. This includes not just encryption but also crucially upgrading authentication to withstand the impending quantum threat. Our journey began with universal SSL certificates in 2014, and by 2022, we enabled post-quantum encryption for all websites and APIs, addressing harvest-now/decrypt-later attacks. However, recent breakthroughs in quantum computing, particularly from Google and Oratomic, have accelerated the timeline for Q-Day, the day when quantum computers can break current cryptographic systems.

Google's recent announcement of a significant improvement in quantum algorithms for breaking elliptic curve cryptography, alongside Oratomic's resource estimates for breaking RSA-2048 and P-256, underscores the urgency of our mission. These advancements suggest that Q-Day could arrive as early as 2029, prompting us to expedite our post-quantum migration plans. The focus is now on quantum-secure authentication, as broken authentication could be catastrophic, allowing attackers to impersonate servers or forge credentials.

Quantum computing progress depends on three fronts: hardware, error correction, and software. Each front has seen significant advancements, with neutral atoms emerging as a promising approach due to their scalability and efficient error-correcting codes. Google and Oratomic's breakthroughs in quantum algorithms further highlight the need for immediate action.

Historically, the focus has been on post-quantum encryption to prevent harvest-now/decrypt-later attacks. However, with the imminent threat of Q-Day, the priority has shifted to upgrading authentication systems. Long-lived keys, such as root certificates and API auth keys, are particularly vulnerable and should be prioritized for post-quantum upgrades.

Cloudflare is committed to providing post-quantum encryption across our products and aims for full post-quantum security by 2029. We recommend businesses make post-quantum support a procurement requirement and assess critical vendors early. Governments should lead by setting clear timelines and promoting international standards to avoid fragmentation.

For our customers, Cloudflare will continue to implement post-quantum security by default, ensuring privacy and security remain fundamental to the Internet. Our connectivity cloud protects corporate networks and helps build Internet-scale applications, offering end-to-end protection with post-quantum encrypted infrastructure. We believe free post-quantum cryptography is essential to secure the Internet's future, just as free TLS helped encrypt it.