Skip to content
Chimera readability score 0.531 out of 100, reading level.

Cloudflare is accelerating its post-quantum roadmap. We now target 2029 to be fully post-quantum (PQ) secure including, crucially, post-quantum authentication.
At Cloudflare, we believe in making the Internet private and secure by default. We started by offering free universal SSL certificates in 2014, began preparing our post-quantum migration in 2019, and enabled post-quantum encryption for all websites and APIs in 2022, mitigating harvest-now/decrypt-later attacks. While we’re excited by the fact that over 65% of human traffic to Cloudflare is post-quantum encrypted, our work is not done until authentication is also upgraded. Credible new research and rapid industry developments suggest that the deadline to migrate is much sooner than expected. This is a challenge that any organization must treat with urgency, which is why we’re expediting our own internal Q-Day readiness timeline.
What happened? Last week, Google announced they had drastically improved upon the quantum algorithm to break elliptic curve cryptography, which is widely used to secure the Internet. They did not reveal the algorithm, but instead provided a zero-knowledge proof that they have one.
This is not even the biggest breakthrough. That same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom computer. For P-256, it only requires a shockingly low 10,000 qubits. Google’s motivation behind their recent announcement to also pursue neutral atoms alongside superconducting quantum computers becomes clear now. Although Oratomic explains their basic approach, they still leave out crucial details on purpose.
These independent advances prompted Google to accelerate their post-quantum migration timeline to 2029. What’s more, in their announcement and other talks, Google has placed a priority on quantum-secure authentication over mitigating harvest-now/decrypt-later attacks. As we discuss next, this priority indicates that Google is concerned about Q-Day coming as soon as 2030. Following the announcements, IBM Quantum Safe’s CTO is more pessimistic and can’t rule out quantum “moonshot attacks” on high value targets as early as 2029.
The quantum threat is well known: Q-Day is the day that sufficiently capable quantum computers can break essential cryptography used to protect data and access across systems today. Cryptographically relevant quantum computers (CRQCs) don’t exist yet, but many labs across the world are pursuing different approaches to building one. Until recently, progress on CRQCs has been mostly public, but there is no reason to expect that will continue. Indeed, there is ample reason to expect that progress will leave the public eye. As quantum computer scientist Scott Aaronson warned at the end of 2025:
[A]t some point, the people doing detailed estimates of how many physical qubits and gates it’ll take to break actually deployed cryptosystems using Shor’s algorithm are going to stop publishing those estimates, if for no other reason than the risk of giving too much information to adversaries. Indeed, for all we know, that point may have been passed already.
That point has now passed indeed.
Why now: independent progress on three fronts
We’d like to spend some words on why it’s difficult to predict progress on quantum computing. Sudden “quantum” leaps in understanding, like the one we witnessed last week, can occur even if everything happens in the public eye. Simply put, breaking cryptography with a quantum computer requires engineering on three independent fronts: quantum hardware, error correction, and quantum software. Progress on each front compounds progress on the others.
Hardware. There are many different competing approaches. We mentioned neutral atoms and superconducting qubits, but there are also ion-trap, photonics, and moonshots like topological qubits. Complementary approaches can even be combined. Most of these approaches are pursued by several labs around the world. They all have their distinct engineering challenges and problems to solve before they can scale up. A few years ago, all of them had a long list of open challenges, and it was unclear if any of them would scale. Today most of them have made good progress. None have been demonstrated to scale yet: if they had, we wouldn’t have a couple of years left. But these approaches are much closer now, especially neutral atoms. To ignore this progress, you’d have to believe that every single approach will hit a wall.
Error correction. All quantum computers are noisy and require error-correcting codes to perform meaningful computation. This adds quite a bit of overhead, though how much depends on the architecture. More noise requires more error correction, but more interestingly, improved qubit connectivity allows for much more efficient codes. For a sense of scale: typically around a thousand physical qubits are required for one logical qubit for the superconducting quantum computers that are noisy and only have neighbor qubit connectivity. We knew “reconfigurable qubits” such as those of neutral-atom machines allow for an order of magnitude better error-correcting codes. Surprisingly, Oratomic showed the advantage is even larger: only about 3-4 physical neutral atom qubits are required per logical qubit.
Software. Lastly, the quantum algorithms to crack cryptography can be improved. This is Google’s breakthrough: they massively sped up the algorithm to crack P-256. On top of that, Oratomic showed further architecture specific optimizations for reconfigurable qubits.
The picture comes together: in 2025 neutral atoms turned out to be more scalable than expected, and now Oratomic figured out how to do much better error-correcting codes with such highly connected qubits. On top of that, breaking P-256 requires much less work. The result is that Q-Day has been pulled forward significantly from typical 2035+ timelines, with neutral atoms in the lead, and other approaches not far behind.
In previous blog posts we’ve discussed how different quantum computers compare on physical qubit count and fidelity, compared to the conservative goalpost of cracking RSA-2048 on a superconducting qubit architecture. This analysis gives us a rough idea of how much time we have, and it’s certainly better than tracking quantum factoring records, but it misses architecture-specific optimization and software improvements. What to watch for now is when the final missing capabilities for each architecture are achieved.
It’s time to focus on authentication
Historically, the industry’s focus on post-quantum cryptography (PQC) has been based largely on PQ encryption, which stops harvest-now/decrypt-later (HNDL) attacks. In an HNDL attack, an adversary harvests sensitive encrypted network traffic today and stores it until a future date when it can use a powerful quantum computer to decrypt the data. HNDL attacks are the primary threat when Q-Day is far away. That’s why our focus, thus far, has been on mitigating this risk, by adopting post-quantum encryption by default in our products since 2022. Today, as we mentioned above, most Cloudflare products are secure against HNDL attacks, and we’re working to upgrade the rest as we speak.
The other category of attacks is against authentication: adversaries armed with functioning quantum computers impersonate servers or forge access credentials. If Q-Day is far off, authentication is not urgent: deploying PQ certificates and signatures does not add any value, only effort.
An imminent Q-Day flips the script: data leaks are severe, but broken authentication is catastrophic. Any overlooked quantum-vulnerable remote-login key is an access point for an attacker to do as they wish, whether that’s to extort, take down, or snoop on your system. Any automatic software-update mechanism becomes a remote code execution vector. An active quantum attacker has it easy — they only need to find one trusted quantum-vulnerable key to get in.
When experts in the field of building quantum computers start patching authentication systems, we should all listen. The question is no longer "when will our encrypted data be at risk?" but "how long before an attacker walks in the front door with a quantum-forged key?"
Prioritizing the most vulnerable systems
If quantum computers arrive in the next few years, they will be scarce and expensive. Attackers will prioritize high-value targets, like long-lived keys that unlock substantial assets or persistent access such as root certificates, API auth keys and code-signing certs. If an attacker is able to compromise one such key, they retain indefinite access until they are discovered or that key is revoked.
This suggests long-lived keys should be prioritized. That is certainly true if the quantum attack of a single key is expensive and slow, which is to be expected for the first generation of neutral atom quantum computers. That’s not the case for scalable superconducting quantum computers and later generations of neutral atom quantum computers, which could well crack keys much faster. Such fast CRQCs flip the script again, and an adversary with one might focus purely on HNDL attacks so that their attacks remain undetected. Google’s Sophie Schmieg compares this scenario to Enigma’s cryptanalysis that changed the direction of World War II.
Adding support for PQ cryptography is not enough. Systems must disable support for quantum-vulnerable cryptography to be secure against downgrade attacks. In larger, especially federated systems such as the web, this is not feasible because not every client (browser) will support post-quantum certificates, and servers need to keep supporting these legacy clients. However, downgrade protection for HTTPS is still achievable using “PQ HSTS” and/or certificate transparency.
Disabling quantum-vulnerable cryptography is not the last step: once done, all secrets such as passwords and access tokens previously exposed in the quantum-vulnerable system need to be rotated. Unlike post-quantum encryption, which takes one big push, migrating to post-quantum authentication has a long dependency chain — not to mention third-party validation and fraud monitoring. This will take years, not months.
It’s natural for organizations reading this to rush out and think about which internal systems they need to upgrade. But that’s not the end of the story. Q-day threatens all systems. As such, it’s important to understand the impact of a potential Q-day on third-party dependencies, both direct and indirect. Not just the third-parties you speak cryptography to, but also any third parties that are critical business dependencies like financial services and utilities.
With Q-day approaching on a shorter timeline, post-quantum authentication is top priority. Long-term keys should be upgraded first. Deep dependency chains and the fact that everyone has third-party vendors means this effort will take on the order of years, not months. Upgrading to post-quantum cryptography is not enough: to prevent downgrades, quantum-vulnerable cryptography must also be turned off.
Cloudflare’s roadmap to full post-quantum security
Today, Cloudflare provides post-quantum encryption for the majority of our products mitigating harvest-now/decrypt-later. This is the product of work we started over a decade ago to protect our customers and the Internet at large.
We are targeting full post-quantum security including authentication for our entire product suite by 2029. Here we’re sharing some intermediate milestones we’ve set, subject to change as our understanding of the risk and deployment challenges evolve.
For businesses, we recommend making post-quantum support a requirement for any procurement. Common best practices, like keeping software updated and automating certificate issuance, are meaningful and will get you pretty far. We recommend assessing critical vendors early for what their failure to take action would mean for your business.
For regulatory agencies and governments: leading by setting early timelines has been crucial for industry-wide progress so far. We are now in a pivotal position where fragmentation in standards and effort between and within jurisdictions could put progress at risk. We recommend that governments assign and empower a lead agency to coordinate the migration on a clear timeline, stay security-focused, and promote the use of existing international standards. Governments need not panic, but can lead migration with confidence.
For Cloudflare customers, with respect to our services, you do not need to take any mitigating action. We are following the latest advancements in quantum computing closely and taking proactive steps to protect your data. As we have done in the past, we will turn on post-quantum security by default, with no switches to flip. What we don’t control is the other side: browsers, applications, and origins need to upgrade. Corporate network traffic on Cloudflare need not worry: Cloudflare One offers end-to-end protection when tunnelling traffic through our post-quantum encrypted infrastructure.
Privacy and security are table stakes for the Internet. That's why every post-quantum upgrade we build will continue to be available to all customers, on every plan, at no additional cost. Making post-quantum security the default is the only way to protect the Internet at scale.
Free TLS helped encrypt the web. Free post-quantum cryptography will help secure it for what comes next.

Facts Only

Cloudflare aims to achieve full post-quantum security, including authentication, by 2029.
Google announced a breakthrough in quantum algorithms for breaking elliptic curve cryptography but did not disclose the algorithm.
Oratomic published research estimating that breaking RSA-2048 and P-256 could require as few as 10,000 qubits on neutral atom computers.
Google has accelerated its post-quantum migration timeline to 2029, prioritizing quantum-secure authentication.
IBM Quantum Safe’s CTO suggests quantum "moonshot attacks" on high-value targets could occur as early as 2029.
Cloudflare has enabled post-quantum encryption for over 65% of human traffic to its network since 2022.
Post-quantum authentication is now a critical focus due to the risk of attackers forging credentials or impersonating servers.
Long-lived keys, such as root certificates and API auth keys, are prioritized for upgrade due to their high-value target status.
Disabling quantum-vulnerable cryptography is necessary to prevent downgrade attacks, but this is challenging in federated systems.
Cloudflare recommends businesses require post-quantum support in procurement and assess vendor readiness.
Governments are advised to coordinate post-quantum migration efforts to avoid fragmentation and promote international standards.
Cloudflare provides post-quantum encryption by default for most products, with no additional cost to customers.

Executive Summary

Cloudflare is accelerating its post-quantum cryptography roadmap, aiming for full post-quantum security—including authentication—by 2029. This shift follows recent breakthroughs in quantum computing, notably Google's announcement of a significantly improved algorithm for breaking elliptic curve cryptography and Oratomic's research suggesting that breaking widely used encryption like RSA-2048 and P-256 could require as few as 10,000 qubits on neutral atom computers. These developments have prompted Google to move its own post-quantum migration timeline to 2029, with a focus on quantum-secure authentication over encryption. The urgency stems from the realization that Q-Day—the point at which quantum computers can break current cryptographic standards—may arrive as early as 2030, or even sooner for high-value targets.
The threat landscape is evolving: while harvest-now/decrypt-later attacks have been the primary concern, the imminent risk of broken authentication—where attackers could forge credentials or impersonate servers—is now a critical priority. Cloudflare has already implemented post-quantum encryption for most of its products, but authentication remains a complex challenge due to dependency chains, third-party integrations, and the need to disable legacy cryptographic systems to prevent downgrade attacks. The company emphasizes that organizations must act urgently, prioritizing long-lived keys and assessing third-party vulnerabilities. Governments and regulatory agencies are urged to coordinate migration efforts to avoid fragmentation and ensure consistent standards.

Full Take

The strongest version of this narrative is that quantum computing advancements are accelerating faster than anticipated, necessitating urgent action to secure digital infrastructure. Cloudflare and Google are responding to credible research—such as Oratomic’s qubit estimates and Google’s algorithmic breakthroughs—by prioritizing post-quantum authentication over encryption. The shift reflects a growing consensus that Q-Day may arrive within the next decade, if not sooner, posing existential risks to authentication systems. The narrative effectively highlights the compounding progress in quantum hardware, error correction, and software, framing the threat as both imminent and systemic.
However, the urgency could be interpreted as a form of fear appeal (ARC-0012), leveraging the specter of catastrophic breaches to drive adoption of post-quantum solutions. While the risks are real, the timeline remains uncertain, and the emphasis on "imminent" threats may overshadow the practical challenges of migration, such as dependency chains and third-party coordination. The narrative also assumes that all actors—governments, businesses, and vendors—will act rationally and collaboratively, which may not account for incentives to delay or resist costly upgrades.
Root cause: The paradigm driving this narrative is the assumption that cryptographic security is a binary state—either fully quantum-resistant or fatally compromised. This framing echoes historical patterns of technological arms races, where early movers gain strategic advantages while laggards face existential risks. The unstated assumption is that quantum computing progress will continue unabated, despite potential bottlenecks in error correction or hardware scalability.
Implications: Human agency is both empowered and constrained. Organizations that act decisively may secure their systems, but those that delay could face catastrophic breaches. The costs of migration—time, resources, and coordination—will disproportionately burden smaller entities, potentially widening security gaps. Second-order consequences include the risk of fragmentation if governments and industries adopt divergent standards, or if legacy systems remain vulnerable due to incompatibility.
Bridge questions: What evidence would change the timeline for Q-Day? How might adversaries exploit the transition period between quantum-vulnerable and post-quantum systems? Are there alternative cryptographic approaches that could mitigate risks without full migration?
Counterstrike scan: A coordinated influence campaign would amplify fear of Q-Day to drive adoption of specific post-quantum solutions, possibly benefiting vendors or governments with early capabilities. The actual content aligns with this pattern by emphasizing urgency and systemic risk, but it stops short of promoting specific products or policies, focusing instead on broad migration strategies. No overt manipulation detected.

Sentinel — Human

Confidence

Sentinel analysis incomplete — partial response from fallback model.

Signals Detected
low severity: Sentence length variance is not uniform and shows human-like irregularity
low severity: The content discusses complex technical topics, which is consistent with human authorship
Cloudflare targets 2029 for full post — Arc Codex