Cloudflare intends to achieve full post-quantum security, encompassing authentication, by the year 2029. The organization’s goal is to establish the internet as private and secure by default. Back in 2014, the company began offering complimentary universal SSL certificates; in 2019, they initiated preparations for the post-quantum transition, and by 2022, they had enabled post-quantum encryption for all websites and APIs to guard against “collect now, decrypt later” assaults. Currently, over 65% of human traffic traversing Cloudflare is secured using post-quantum methods, yet the endeavor remains incomplete until authentication protocols are also upgraded.
Last week, Google revealed a substantial advancement in a quantum algorithm designed to compromise elliptic curve cryptography, which is widely employed to secure online data. Although the specifics of the algorithm were not disclosed, Google provided verification of its potential. On the very same day, the startup Oratomic released an estimation of the resources needed to break RSA-2048 and P-256. For P-256, a mere 10,000 qubits are calculated to be necessary. These developments spurred Google to expedite its own post-quantum migration timeline, setting 2029 as the target.
Q-Day marks the point when quantum computers powerful enough to crack the foundational cryptography protecting data and access will exist. While no such machines are currently operational, numerous research facilities globally are actively working toward their realization. Progress in this domain is becoming progressively less public, thus introducing greater levels of uncertainty.
To successfully compromise cryptography using a quantum computer, advancements are required across three distinct areas: quantum hardware, error correction, and quantum software. For instance, Oratomic demonstrated that neutral atoms require only 3 to 4 physical qubits per logical qubit, significantly lowering the overall resource demands.
Historically, the focus was primarily on post-quantum encryption to thwart “collect now, decrypt later” attacks. However, as Q-Day approaches, the emphasis is shifting toward authentication, given that its compromise could lead to severe repercussions. For example, threat actors could leverage quantum keys to forge access credentials or compromise entire systems.
Cloudflare is already deploying post-quantum encryption across the majority of its offerings and is currently working to update the remaining components. The company advises businesses to make support for post-quantum cryptography a mandatory prerequisite during procurement processes, and urges governments to establish clear deadlines for migration.
The company plans to finalize its migration to post-quantum defense by 2029, which includes updating authentication mechanisms. These enhancements will be provided at no additional cost to all clientele.
About the Author
