By 2029, Cloudflare aims to safeguard its entire platform against quantum computing threats, accelerating the replacement of vulnerable internet cryptography. In a Tuesday blog post, the web infrastructure firm highlighted its focus on post-quantum authentication, noting that compromised keys could allow attackers to impersonate servers or distribute malicious updates.
“Transitioning to post-quantum authentication is more intricate than shifting encryption protocols because it entails additional steps,” Sharon Goldberg, Cloudflare’s senior director of product management, explained to Decrypt. “For post-quantum encryption upgrades in TLS, only the client and server need changes.”
Transport Layer Security (TLS) secures internet connections between clients and servers by protecting data exchanged over websites, applications, and services.
Cloudflare’s timeline aligns with increasing concerns about ‘Q-Day’—the anticipated moment when quantum computers become practical. Initially expected decades away, research from companies like IBM and Google suggests it could occur as soon as 2032.
“Recent breakthroughs in quantum computing, combined with Google targeting a post-quantum rollout by 2029, have accelerated our timeline,” Goldberg stated. Cloudflare’s announcement follows Google’s earlier commitment to achieving quantum resistance by the same year.
Goldberg warned that after Q-Day, systems not using post-quantum authentication could be vulnerable to attacks from adversaries with quantum computers.
The urgency extends beyond web services; Bitcoin and other cryptocurrencies rely on cryptographic methods susceptible to quantum computing. Experts like Ethereum’s Vitalik Buterin and Solana’s Anatoly Yakovenko have cautioned that a powerful quantum computer utilizing Shor’s algorithm could compromise private keys derived from public ones, necessitating a move to post-quantum algorithms before Q-Day.
A 2023 study by Caltech and Oratomic suggested breaking Bitcoin cryptography might require only 10,000 qubits on a neutral-atom quantum computer. However, achieving this is complex, as noted by Dolev Bluvstein of Oratomic during an interview with Decrypt.
Cloudflare has mitigated some risks since enabling post-quantum encryption across its products in 2022. “While over 65% of human traffic to Cloudflare benefits from post-quantum encryption,” Goldberg said, “our mission continues until post-quantum authentication is fully deployed.”
Plans include implementing post-quantum authentication for origin connections by mid-2026, extending it to visitor connections by mid-2027, supporting enterprise networking platforms by early 2028, and finalizing deployment across all services by 2029.
“The upgrade’s complexity necessitates immediate action,” Goldberg emphasized. “Other organizations should act urgently to ensure a secure transition before Q-Day.”