Post-Quantum Cryptography: The Status Quo and Need for Action

Bas Westerbaan, Principal Research Engineer, Cloudflare

The rapid progress in quantum computing is reshaping long-term security planning. While today’s quantum computers cannot yet break widely used cryptographic algorithms, their future potential creates an urgent need to transition to post-quantum cryptography (PQC). Data intercepted today could be decrypted later in a “harvest now, decrypt later” scenario once a powerful quantum computer becomes available—a moment often referred to as Q-Day.

The Path to Q-Day: Hardware and Software Progress

Two developments influence the arrival of Q-Day: advancements in quantum hardware and improvements in the algorithms that run on these machines.

Hardware Progress

Every year brings new quantum processors with higher qubit counts. However, qubits are fragile, and noise limits reliability. Silicon-based quantum computers are fast and scalable but extremely noisy, requiring millions of qubits with error correction to break RSA-2048. Ion-trap systems are quieter but harder to scale; even hundreds of thousands of qubits could pose a threat to RSA-2048.

Scalability remains a challenge, but Google’s Willow project, announced in late 2024, demonstrated the first scalable implementation of a logical qubit using surface code—a major milestone. Google continues to advance superconducting qubits, while Microsoft explores topological qubits, a theoretically more stable but not yet proven architecture. Other emerging approaches include neutral atoms and ion traps. Still, software optimizations have accelerated the threat more dramatically than hardware.

Software Breakthroughs

In 2025, Craig Gidney’s work showed that breaking RSA-2048 requires fewer than one million superconducting qubits, down from earlier estimates of 20 million. Assuming qubit counts double every one-and-a-half years, this brings Q-Day approximately seven years closer. Further optimizations are expected, but RSA-2048 will likely still require at least a quarter million superconducting qubits.

Occasionally, dramatic algorithmic claims emerge. In 2024, a proposed quantum algorithm by Yilei Chen briefly raised concerns for lattice-based cryptography before being shown incorrect. This episode highlighted how heavily current PQC designs rely on lattice-based schemes and how few viable alternatives exist. Quantum key distribution, often cited as a solution, is not scalable for widespread use.

How Soon Will Q-Day Arrive?

While the exact timing remains uncertain, governments are already acting. The U.S. NSA’s CNSA 2.0 guidelines set migration targets between 2030 and 2033, with full U.S. federal adoption by 2035. Australia targets completion by 2030, while the UK and EU expect transitions between 2030 and 2035. Whether Q-Day arrives in 2034 or 2050, most experts agree it will come too soon for organisations that delay preparation.

Two Migration Priorities: Key Exchange and Signatures

Transitioning to PQC involves two critical components: key agreement and digital signatures. Symmetric encryption, such as AES-GCM, is considered safe against quantum attacks. Grover’s algorithm offers only a quadratic speed-up, so key sizes do not need to be doubled: AES-128 remains robust, with AES-256 optional.

The primary vulnerability lies in asymmetric cryptography—RSA and ECC—which quantum computers can break using Shor’s algorithm. Organisations should prioritise replacing these systems rather than strengthening symmetric encryption.

  1. Post-Quantum Key Agreement

Key agreement is urgent because it prevents harvest-now/decrypt-later attacks. Current TLS handshakes rely on X25519, which fails under quantum attack. Post-quantum methods like ML-KEM can be integrated with minimal disruption. Cloudflare already protects roughly half of its traffic using hybrid post-quantum key exchange, and all major browsers now support PQC by default.

  2. Post-Quantum Signatures and Certificates

Digital signatures authenticate identities online. RSA and ECDSA signatures will be forgeable by quantum computers, but replacing them is more complex than updating key exchange. TLS handshakes use multiple signatures, certificate chains are long, and post-quantum signatures are significantly larger.

NIST has standardised ML-DSA and SLH-DSA for signatures, but widespread adoption requires updates to certificate formats, browsers, and certificate authorities. The first PQ certificates are expected in 2026, with broader adoption by 2027.

Where PQC Stands Today

By 2025, PQC entered mainstream deployment. NIST standardised ML-KEM (FIPS 203) for key exchange and ML-DSA/SLH-DSA (FIPS 204/205) for signatures. ML-KEM is widely supported in TLS, browsers, and operating systems, while ML-DSA integration into certificates is still progressing.

Cloudflare, Google, and browser vendors have tested hybrid approaches such as X25519 + MLKEM768 to ensure compatibility and resilience. Despite early issues caused by middleboxes expecting classical packet sizes, more than 50% of global internet traffic is now protected against quantum-era decryption attacks.

The Harder Part: PQ Signatures

Signatures remain the biggest challenge. ML-DSA-44 adds approximately 15 KB to each TLS handshake, which is heavy for mobile networks. FN-DSA-512 reduces size but introduces side-channel risks. Experimental schemes such as SQISign, MAYO, SNOVA, and UOV present trade-offs, but none are ready for large-scale deployment. As a result, work is underway with Chrome on Merkle Tree Certificates to enable post-quantum security without performance degradation.

For now, ML-DSA-44 remains the most practical starting point.

What Organisations Should Do Now

  1. Adopt post-quantum key exchange immediately.
    Use hybrid modes such as X25519 + ML-KEM-768 to prevent harvest-now/decrypt-later attacks. Tools like Cloudflare Radar and Wireshark can verify support.
  2. Prepare for post-quantum signatures.
    Identify high-risk cryptographic use cases, modernise legacy systems, enable automated certificate management, and begin testing PQ-ready infrastructure.
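
The hybrid key-exchange check above (and the X25519 versus ML-KEM point in the key agreement section) can be done on captured traffic by reading the supported_groups extension of a TLS ClientHello, which is what Wireshark displays. The following is an added example, not code from the talk or from Cloudflare: a small stdlib-only parser that builds a constructed ClientHello for testing and reports whether a client offers a post-quantum hybrid group. The code points X25519MLKEM768 (0x11EC) and the pre-standard X25519Kyber768Draft00 (0x6399) are the IANA-registered values.

```python
import struct

# Named group code points from the IANA TLS Supported Groups registry.
X25519 = 0x001D
X25519MLKEM768 = 0x11EC          # standardised hybrid used by browsers today
X25519KYBER768_DRAFT = 0x6399    # pre-standard draft hybrid, still seen in the wild
PQ_HYBRID_GROUPS = {X25519MLKEM768, X25519KYBER768_DRAFT}
SUPPORTED_GROUPS_EXT = 0x000A

def build_client_hello(groups):
    """Constructed minimal TLS 1.3 ClientHello handshake message (test input only)."""
    body = b"\x03\x03" + bytes(32)                 # legacy_version, random (zeroed for test)
    body += b"\x00"                                # empty legacy_session_id
    body += struct.pack(">H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression methods: null only
    group_list = b"".join(struct.pack(">H", g) for g in groups)
    ext_data = struct.pack(">H", len(group_list)) + group_list
    ext = struct.pack(">HH", SUPPORTED_GROUPS_EXT, len(ext_data)) + ext_data
    body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello

def parse_supported_groups(msg):
    """Return the named groups a ClientHello offers, or [] if the extension is absent."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + cs_len                              # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    ext_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:                          # walk the extension list
        ext_type, ext_size = struct.unpack_from(">HH", body, pos)
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack_from(">H", data, 0)[0]
            return [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, n, 2)]
    return []

def offers_pq_hybrid(msg):
    """True if the ClientHello advertises a post-quantum hybrid key-exchange group."""
    return any(g in PQ_HYBRID_GROUPS for g in parse_supported_groups(msg))
```

Feed it the handshake bytes of a real ClientHello exported from a capture to see whether a given client is already protected against harvest-now/decrypt-later collection.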

The global transition to post-quantum cryptography is an opportunity to modernise decades of legacy security. Organisations that start early will be ready well before Q-Day arrives.