Cloudflare says post-quantum signature migration cannot wait for newer NIST candidates

Cloudflare says post-quantum signature migration cannot wait for newer NIST candidates

Cloudflare says ML-DSA should anchor the first post-quantum signature migration while newer NIST candidates mature.

Format News Brief
Read Time 2 min
Category Cyber Security
Updated Jul 10, 2026

Cloudflare is urging security teams to begin the harder half of the post-quantum cryptography transition now, arguing that today's standardized signature algorithm, ML-DSA, will have to carry the first wave of real deployments even though more efficient candidates are still being evaluated.

In a July 9 research post, Cloudflare said RSA and elliptic-curve cryptography remain vulnerable in principle to sufficiently capable quantum computers, and that the industry has already made more progress on quantum-resistant encryption than on quantum-resistant authentication. The company said most traffic handled by its network is already using ML-KEM for post-quantum key agreement, but signatures are needed to protect identity, certificates and software-update style trust decisions from future quantum attacks.

Why this matters

The practical problem is timing. NIST advanced nine additional post-quantum digital signature candidates to a third round of evaluation in May, including FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign and UOV. Cloudflare's assessment is that these candidates remain important, but are unlikely to be standardized, integrated into protocols and widely available quickly enough for the first migration window.

Cloudflare said it is targeting 2029 to become fully post-quantum secure. Its post argues that newer candidates could offer useful tradeoffs later, such as smaller signatures, different mathematical foundations or better support for advanced cryptographic primitives. But it also says organizations cannot assume they can wait for a cleaner algorithmic answer and still have enough time to update large, distributed systems.

  • ML-DSA is already standardized and broadly positioned as the general-purpose post-quantum signature option.
  • Several alternatives may be better suited to specific use cases, but still face analysis, implementation and deployment work.
  • Supporting classical and post-quantum signatures side by side may itself require careful downgrade protection during migration.

The message is especially relevant for web infrastructure, certificate authorities, software vendors and cloud platforms, where authentication systems have long replacement cycles. Even if regulators set deadlines around 2030 to 2035, Cloudflare argues that deploying at the deadline would leave too little room for testing, compatibility work and removing older cryptography.

The takeaway is not that the NIST process is moving in the wrong direction. Cloudflare says the search for better signatures should continue because future standards may reduce performance costs and unlock post-quantum versions of privacy-preserving systems such as anonymous credentials. For now, however, its advice is clear: plan the first transition around the algorithms that are ready, then improve once stronger options mature.

Sources

Cover photo by Brett Sayles on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...