Tech

Cloudflare’s ML-DSA Deadline: Why Post-Quantum Signatures Can’t Wait

Cloudflare’s ML-DSA Deadline: Why Post-Quantum Signatures Can’t Wait

Cloudflare's official artwork for the ML-DSA post-quantum signature announcement

Quick take: Cloudflare published a candid engineering note explaining why the post-quantum migration hinges on signatures, not encryption — and why it is betting on ML-DSA now instead of waiting for a “better” scheme. The short version: the encryption half is largely solved, but authentication (proving something is really you, or really from Cloudflare) still runs on algorithms a future quantum computer could break.

Most people who have heard “post-quantum” think of encryption — the padlock on data in transit. Cloudflare’s own numbers show that side is mostly done: the majority of traffic it handles already uses ML-KEM (the NIST-standardized key-establishment method), which protects against “harvest-now-decrypt-later” attacks where an adversary records encrypted traffic today and waits for a quantum machine to crack it. Signatures are the lagging half, and they are technically harder to retire because they sit inside authentication, certificate chains, and code-signing trust roots that cannot be swapped overnight.

Cloudflare's official artwork for the ML-DSA post-quantum signature announcement
Cloudflare’s official announcement artwork for the ML-DSA signature work. (Source: blog.cloudflare.com)

Why signatures are the real bottleneck

RSA and ECC — the algorithms underpinning almost all modern authentication — were standardized decades ago and are fast, compact, and well-understood. They are also, in Cloudflare’s words, “vulnerable to the attack of sufficiently advanced quantum computers.” Those computers do not exist yet, but the timeline keeps moving earlier, which is exactly why the migration is happening now rather than later.

Encryption and signatures are not symmetric problems. Cloudflare can roll ML-KEM encryption out at the edge relatively cleanly because it is a per-connection negotiation: two parties agree on a shared secret using math a quantum computer cannot reverse. Signatures, by contrast, are baked into the long-lived trust infrastructure — TLS certificates, intermediate authorities, firmware signing keys, and the handshake proofs that say “this server really is Cloudflare.” Replacing those means touching the parts of the stack that are hardest to change and most expensive to get wrong.

What ML-DSA actually is

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is the “best all-around post-quantum signature scheme standardized today,” in Cloudflare’s phrasing. It was finalized by NIST in 2024 after an eight-year open international competition, sitting alongside ML-KEM on the post-quantum shelf. The appeal is that it is already vetted, already specified, and already implementable in shipping products.

The catch is size and rigidity. ML-DSA signatures and keys are much larger on the wire than RSA or ECC equivalents. That matters for a global edge network where every extra byte in a handshake or certificate chain is multiplied across billions of requests. And many of the space-saving tricks engineers leaned on with RSA and ECC — compact representations, certain batching optimizations — “simply cannot be done with ML-DSA,” Cloudflare notes. Adopting it means accepting a heavier, less flexible primitive and redesigning around its constraints.

The temptation to wait — and why Cloudflare won’t

The most interesting part of the note is the explicit argument against waiting. NIST announced it is advancing nine additional post-quantum signature schemes into the third round of its “signatures on-ramp” process, and a draft standard for FN-DSA (a Falcon-family scheme) is also moving. On paper, waiting for those could yield smaller or more efficient signatures than ML-DSA.

Cloudflare’s counter is operational, not theoretical: standing up post-quantum signatures across a global infrastructure is a multi-year program touching trust stores, hardware security modules, customer-facing certificate pipelines, and internal signing systems. If you wait for a marginally better algorithm, you also wait to start — and “harvest-now-decrypt-later” is already a live threat model for today’s encrypted traffic. The 2029 target for being “fully post-quantum secure” only holds if the heavy lifting starts now on the algorithm that is actually ready. Better is the enemy of done, and done is what the threat calendar demands.

What this means in practice

For builders, the takeaway is concrete. If you operate any service that authenticates users, signs artifacts, or terminates TLS, the question is no longer whether to migrate but when — and the timing pressure is on signatures specifically. The migration path is two-legged: finish the ML-KEM encryption rollout if you have not already, then schedule the signature transition against a real date rather than an aspirational one.

There is also a lesson about standards strategy. The eight-year NIST competition produced algorithms that are imperfect but deployable; the “on-ramp” schemes may improve on them, but betting your security roadmap on a not-yet-finalized draft means betting your timeline on someone else’s committee. Cloudflare’s choice to commit to ML-DSA now is a bet that a good-enough standardized primitive beats a perfect pending one — because the attack surface does not wait for the sequel.

The bottom line Cloudflare is drawing: encryption is mostly handled, signatures are the open work, and the algorithm to build on is the one that already exists. The 2029 finish line is reachable only if the signature migration starts on ML-DSA today rather than pausing for the next round of the competition.

We may earn commission from affiliate links at no extra cost to you. Last updated: Jul 13, 2026.
Jinultimate

Editor of ZBrandCo and the person accountable for what we publish — setting our sourcing standards, fact-checking claims against primary sources, and issuing corrections promptly across AI, open source, and gaming. Reach the desk at editorial@zbrandco.com.