Cloudflare Accelerates Post-Quantum Security to 2029 After Google Proves Quantum Algorithm Can Break Elliptic Curve Cryptography

Cloudflare has dramatically accelerated its post-quantum migration timeline to 2029, following breakthroughs from Google and Oratomic that suggest quantum computers could break current encryption far sooner than expected.

What Happened

Three independent developments have collapsed the quantum threat timeline:

The Numbers That Matter

• 10,000 qubits — Oratomic's estimate for breaking P-256 (current standard)
• Previous estimate — Millions of qubits were thought necessary
• Current state — ~1,000-2,000 qubits publicly known
• IBM Quantum Safe CTO — Can't rule out "moonshot attacks" as early as 2029
• Google — Accelerated their own migration timeline to 2029, prioritizing authentication
• Cloudflare — 65% of human traffic already has PQ encryption, but authentication remains vulnerable

Why Authentication Matters More Than Encryption

Google's prioritization of quantum-secure authentication over mitigating harvest-now/decrypt-later attacks is telling:

• Encryption — Can be upgraded proactively (data encrypted with PQ keys is safe)
• Authentication — If Q-Day arrives before migration, attackers could impersonate any server
• Implication — Google is concerned about Q-Day coming as soon as 2030

Cloudflare's Timeline

What This Means for Everyone

• Every website using TLS needs to migrate authentication to post-quantum
• Every API endpoint needs PQ-secure client certificates
• Every organization with digital certificates needs an urgent migration plan
• The deadline — formerly thought to be 2035+, now potentially 2029-2030

Scott Aaronson's Warning

"At some point, the people doing detailed estimates of how many physical qubits... will stop publishing."

Progress on quantum computers is likely to go dark as it approaches practical capability.