Cloudflare Enhances Security with Post-Quantum Cryptography Against Quantum Attacks

Cloudflare has announced a major expansion of post-quantum cryptography (PQC) protections within its Zero Trust platform, aiming to future-proof corporate network traffic against quantum computing threats.

This initiative comes as the National Institute of Standards and Technology (NIST) accelerates plans to deprecate conventional RSA and Elliptic Curve Cryptography (ECC) by 2030, with a complete ban by 20351.

Quantum Threats and Cryptographic Urgency

Quantum computers pose an existential risk to current encryption standards through “harvest now, decrypt later” attacks, where adversaries intercept and store encrypted data for decryption once quantum capabilities mature.

Cloudflare reports that over 35% of non-bot HTTPS traffic on its network already uses PQC, leveraging the ML-KEM (Module-Lattice Key Encapsulation Mechanism) algorithm alongside conventional X25519 elliptic curves in a hybrid model1.

The urgency is compounded by recent U.S. government mandates, including Executive Order 14144, which requires federal agencies to prioritize PQC-enabled products.

Cloudflare’s approach bypasses the need for organizations to individually upgrade legacy systems by tunneling traffic through quantum-safe connections.

Technical Implementation: A Two-Phase Migration

Phase 1: Post-Quantum Key Agreement

Cloudflare has prioritized migrating TLS 1.3 key exchange to ML-KEM, a lattice-based algorithm selected by NIST for its balance of performance and security.

This hybrid implementation (X25519MLKEM768) secures short-lived TLS sessions while mitigating risks from quantum decryption.

As of March 2025, this protects:

• Clientless Zero Trust Network Access (ZTNA): Browser-to-Cloudflare connections for internal web applications.
• Secure Web Gateway (SWG): TLS inspection for third-party websites supporting PQC1.

Phase 2: Post-Quantum Digital Signatures

While quantum-resistant signatures (e.g., CRYSTALS-Dilithium) face performance challenges due to larger key sizes, Cloudflare is experimenting with their deployment for long-lived TLS connections.

These signatures will become critical once quantum computers can actively tamper with live sessions, a threat not yet imminent1.

Zero Trust Use Cases Enabled

1. Quantum-Safe Clientless Access
   • Secures browser-to-application traffic via three PQC-protected layers:
     • Browser-to-Cloudflare: TLS 1.3 with ML-KEM.
     • Internal Cloudflare Network: Inter-datacenter traffic (e.g., Frankfurt to San Francisco) secured with PQC.
     • Cloudflare Tunnel: Connects on-premises/corporate clouds to Cloudflare’s network1.
2. WARP Client-to-Tunnel (Mid-2025)
   • Replaces legacy VPNs by encapsulating any protocol (not just HTTPS) in quantum-safe tunnels.
   • Uses the MASQUE protocol for post-quantum key exchange between devices and Cloudflare’s network1.
3. Quantum-Ready Secure Web Gateway
   • Inspects HTTPS traffic via dual PQC connections:
     • Browser-to-Gateway: Requires PQC-supported browsers (Chrome/Edge/Firefox).
     • Gateway-to-Origin: Works if third-party servers (e.g., pq.cloudflareresearch.com) support ML-KEM1.

Strategic Implications

Cloudflare’s crypto-agility model shifts the burden of cryptographic upgrades away from enterprises, addressing systemic challenges like the prolonged deprecation of MD5 in RADIUS (exploited as recently as 2024).

The platform’s phased approach allows organizations to:

• Mitigate harvest-now-decrypt-later risks immediately.
• Prepare for NIST’s 2030 ECC/RSA deprecation without operational disruption.
• Align with U.S. federal procurement requirements for PQC-enabled tools.

Looking Ahead

By mid-2025, Cloudflare aims to extend PQC protections to all WARP client traffic, ensuring end-to-end security for protocols beyond HTTPS.

The company’s early adoption (since 2017) and collaboration with financial institutions, governments, and ISPs position it as a critical player in the quantum transition.

As Bas Westerbaan, Cloudflare’s cryptography lead, noted: “Privacy is a fundamental right. Our job is to make advanced cryptography invisible and accessible—no premiums, no trade-offs”.

Enterprises leveraging Cloudflare’s Zero Trust platform can now future-proof their networks against quantum threats, ensuring compliance and resilience in a post-quantum era.

Also Read:

Google Parent Alphabet in Talks for $30B Acquisition of Cybersecurity Firm Wiz

See more