Cloudflare announced on April 7 that it is accelerating its post-quantum cryptography roadmap, targeting full post-quantum security across its entire platform by 2029. The move follows Google's identical deadline, set on March 25, and was triggered by a pair of research breakthroughs that compressed the expected timeline for quantum computers capable of breaking modern encryption.
The short version: Q-Day, the moment a quantum computer can crack the cryptography underpinning most of the internet, may arrive years earlier than anyone outside a few labs expected.
What actually happened
Two things dropped in the same week, and together they changed the math. Google announced it had found a drastically improved quantum algorithm for breaking elliptic curve cryptography. They didn't publish the algorithm itself. Instead, they offered a zero-knowledge proof that it exists, which is an unusual move that says something about how seriously they're taking responsible disclosure here.
The same day, a company called Oratomic published a paper estimating the resources needed to break RSA-2048 and P-256 on a neutral atom quantum computer. The P-256 number came in at roughly 10,000 qubits. That's low. Researchers in the field called it unexpectedly low, and Oratomic deliberately withheld some of the implementation details, citing responsible disclosure concerns.
Bas Westerbaan, a cryptographer and principal research engineer at Cloudflare, laid out the company's thinking in a blog post. The convergence of these results, he argued, pulls Q-Day forward from the comfortable 2035-plus estimates the industry had been working with. Neutral atom architectures are in the lead, but other approaches aren't far behind.
Authentication is the real problem now
Here's what shifted in Cloudflare's threat model. For years, the post-quantum conversation was almost entirely about encryption, specifically about harvest-now/decrypt-later attacks where adversaries stockpile encrypted traffic today and wait for quantum computers to crack it open later. Cloudflare has been addressing that since 2022, and says over 65% of human traffic to its network already uses post-quantum key agreement.
But if Q-Day is three to four years away instead of ten, encryption isn't the urgent problem anymore. Authentication is.
An attacker with a working quantum computer doesn't need your old traffic. They can forge credentials, impersonate servers, push malicious software updates. As Cloudflare's blog put it, any overlooked quantum-vulnerable remote-login key becomes an access point, and any automatic update mechanism becomes a remote code execution vector. That's a different category of threat entirely.
Sharon Goldberg, senior director of product management at Cloudflare, told Decrypt that authentication migration is harder than encryption because of the dependency chain. You can't just swap in new algorithms. You have to disable the old ones to prevent downgrade attacks, which means every client needs to support the new stuff first. And once you've done that, you still need to rotate every secret that was ever exposed under the old system. Passwords, access tokens, the lot.
That takes years.
The milestones
Cloudflare's roadmap has specific dates. Post-quantum authentication support for origin connections by mid-2026, using ML-DSA. Merkle Tree Certificates by mid-2027. Full coverage across the company's SASE suite by early 2028. Everything post-quantum secure by 2029, available to all customers on every plan at no extra cost.
Google's timeline is structurally similar, with Android 17 already integrating ML-DSA signature protection. Both companies are ahead of NIST's 2035 target for deprecating legacy algorithms, and well ahead of the NSA's 2031 goal.
Security researcher Bruce Schneier offered a characteristically measured take on his blog, saying the move is good not because he expects a useful quantum computer by 2029, but because crypto-agility is always worth pursuing. Which is a polite way of saying: even if Q-Day doesn't arrive on schedule, the migration itself makes systems more resilient.
Why the federated web makes this harder
The web isn't a single system anyone can just upgrade. It's federated. A server can support post-quantum certificates all it wants, but if the browser on the other end doesn't, you're stuck serving legacy crypto alongside the new stuff. And as long as legacy crypto remains an option, downgrade attacks remain viable.
Cloudflare mentions "PQ HSTS" and certificate transparency as interim protections for HTTPS, but the real fix requires the entire chain to upgrade: browsers, servers, certificate authorities, hardware security modules, and every third-party dependency in the supply chain. One quantum-vulnerable vendor in your procurement pipeline and your fully upgraded internal system is still exposed.
When both the dominant CDN and the dominant browser vendor commit to the same year, that date starts to function less like a voluntary goal and more like an industry mandate. Nobody serving traffic through Cloudflare or Chrome can afford to ignore it. But sectors with hard-to-update systems (automotive, utilities, satellites, consumer electronics) are going to have a rough few years. Goldberg suggested routing legacy traffic over quantum-safe tunnels as a stopgap, which feels like duct tape on a structural problem, but may be the only realistic option for devices that can't receive firmware updates.
What's still unclear
I have questions the blog post doesn't answer. IBM Quantum Safe's CTO has said publicly he can't rule out quantum moonshot attacks on high-value targets as early as 2029. If that's the case, the migration deadline and the threat arrival date are the same year. That's not a comfortable margin.
And Google's decision to withhold the actual algorithm while providing only a zero-knowledge proof of its existence is interesting. Responsible disclosure, sure. But it also means the broader cryptographic community can't independently verify or build on the result. We're taking Google's word for it, which, given what's at stake, is a lot of trust to extend.
Cloudflare says it will make post-quantum security free across all plans, mirroring the approach it took with universal SSL in 2014. That's the right move. But the harder question is whether the rest of the internet, the long tail of services, devices, and protocols that Cloudflare doesn't touch, can possibly keep pace. The 2029 deadline gives everyone a target. Whether it gives them enough time is a different matter.
