POST-QUANTUM SECURITY

The move reflects mounting evidence that advances in Quantum Computing could threaten today’ s encryption standards sooner than previously anticipated.

The company’ s updated roadmap expands beyond encryption to include post-quantum authentication – a critical but more complex layer of Internet security that ensures identities, certificates and digital signatures remain trustworthy in a quantum era.

Rising urgency driven by breakthroughs in Quantum Computing

Recent developments in quantum research have significantly shortened the expected timeline for‘ Q-Day’ – the moment when quantum computers can break widely used cryptographic systems. New findings suggest that algorithms capable of compromising elliptic curve cryptography and RSA encryption may require far fewer resources than previously believed.

Cloudflare’ s decision aligns with similar moves by industry leaders, including Google, signalling a broader consensus that the transition to post-quantum cryptography must happen within the next few years rather than decades.

From encryption to authentication: The next frontier

Cloudflare has already made substantial progress in deploying postquantum encryption. Since 2022, the company has enabled quantumresistant encryption for all websites and APIs on its platform, helping mitigate‘ harvest now, decrypt later’ attacks – where encrypted data is captured today and decrypted once quantum capabilities mature.

However, encryption alone is not sufficient. The company’ s new roadmap prioritises post-quantum authentication – the systems that verify identities and establish trust across the Internet. These systems are significantly harder to upgrade due to their reliance on certificates, legacy infrastructure and complex dependencies across vendors and devices.

Security experts warn that authentication vulnerabilities could allow attackers to forge credentials and gain direct access to systems once quantum capabilities mature, making this layer a top priority.

A phased roadmap to 2029

Cloudflare outlined a multi-stage plan to achieve full postquantum security:

• Mid-2026: Introduction of post-quantum( PQ) authentication using ML-DSA for Cloudflare-to-origin connections

• Mid-2027: Deployment of PQ authentication for visitor-to- Cloudflare connections, enabled through Merkle Tree Certificates

• Early 2028: Integration of PQ authentication into the Cloudflare One SASE suite, achieving full PQ security across the platform

• 2029: Completion of Cloudflare’ s transition to a fully postquantum secure network

What Cloudflare recommends

Cloudflare recommends that businesses make post-quantum support a requirement for any procurement. Common best practices, such as keeping software updated and automating certificate issuance, remain meaningful and can go a long way.

For regulatory agencies and governments, Cloudflare notes that leading with early timelines has been crucial for industry-wide progress to date. The company emphasises that the industry is now at a pivotal moment, where fragmentation in standards and efforts – both between and within jurisdictions – could put progress at risk. Cloudflare recommends that governments assign and empower a lead agency to co-ordinate the migration on a clear timeline, maintain a strong focus on security and promote the use of existing international standards.

For Cloudflare customers, the company states that no mitigating action is required with respect to its services. Cloudflare is closely monitoring advancements in Quantum Computing and taking proactive steps to protect customer data.

WWW. INTELLIGENTCISO. COM 31