Tech

Why ML-DSA Has to Do: Cloudflare’s Post-Quantum Signature Reality Check

Cloudflare just published one of the most clear-eyed posts yet on a problem the security industry keeps politely gliding past: the next generation of post-quantum signature algorithms probably will not be ready before the migration window slams shut. Their blunt conclusion is that we go to war with the algorithms we have — and right now, that means ML-DSA, the scheme NIST standardized in 2024.

This matters because signatures are the quiet half of the post-quantum problem. Encryption gets the headlines — most traffic Cloudflare carries had already moved to ML-KEM by mid-2026, shielding it from “harvest-now-decrypt-later” attacks. But authentication, the part that proves you are who you say you are, still leans on RSA and ECC, both of which a sufficiently powerful quantum computer breaks. Without post-quantum signatures, a future adversary could forge identities even if the wires are quantum-safe.

Why new algorithms are coming too late

In June 2026 NIST advanced nine candidate post-quantum signature schemes into the third round of its “signatures on-ramp” program. Names like HAETAE, MAYO, QR-Aztec, SNOVA, and SQISign are genuinely promising — some offer dramatically smaller signatures or faster verification than ML-DSA. The catch, as Cloudflare’s researchers lay out, is timeline. Standardization, then implementation, then deployment across the internet’s creaky infrastructure, takes years. The threat is arriving on a faster clock.

The team quotes Eric Rescorla’s 2024 line: “You go to war with the algorithms you have, not the ones you wish you had.” That is the whole thesis. Waiting for a smaller, faster, more elegant signature scheme is a luxury the calendar does not grant.

What ML-DSA actually costs you

ML-DSA is not free lunch. Cloudflare’s own comparison table lays out the trade-off in hard numbers. A public key balloons from Ed25519’s 32 bytes to 1,312 bytes, and signatures land around 2,420 bytes. For TLS handshakes, certificate chains, and code-signing pipelines that were tuned for decades of compact RSA and ECC, those sizes mean more bandwidth, more storage, and more careful protocol design.

There are also tricks that worked with classical algorithms and simply do not translate. Certificate transparency logs, aggregate signatures, and various space-saving hacks that relied on small ECC sizes become awkward or impossible with ML-DSA’s bulk. Cloudflare is explicit that this is the price of shipping now rather than later.

Where the better schemes still help

None of this means the nine advancing candidates are a waste. Cloudflare makes a separate, forward-looking case: they are still the best use of NIST’s limited research bandwidth. Smaller signatures matter enormously for constrained environments — IoT devices, satellite links, and blockchain ledgers where every byte is expensive. FN-DSA (formerly Falcon), expected to reach draft standard soon, offers compact signatures for systems that can afford its heavier compute.

The realistic path is two-track: deploy ML-DSA everywhere it fits today, and keep the lighter schemes in the pipeline for the places where ML-DSA’s size is genuinely prohibitive. Cloudflare targets 2029 for being fully post-quantum secure across its own stack, which leaves a multi-year window where ML-DSA carries the load.

The practical takeaway

For engineering teams, the decision is less dramatic than it looks. The standards exist, the libraries exist, and the migration tooling is mature enough to start. The risk of waiting — that a future quantum machine forges signatures on your still-classical auth chain — is concrete and deadline-driven. Cloudflare’s post is worth reading in full not because it announces a product, but because it says out loud what many roadmaps assume but few state: the good-enough algorithm shipped in 2024 is the one you should be rolling out in 2026.

Sources:
Why we cannot wait for better post-quantum signature algorithms — Cloudflare
NIST Post-Quantum Cryptography digital signature on-ramp
NIST’s first post-quantum standards — Cloudflare

We may earn commission from affiliate links at no extra cost to you. Last updated: Jul 11, 2026.
Jinultimate

Editor of ZBrandCo and the person accountable for what we publish — setting our sourcing standards, fact-checking claims against primary sources, and issuing corrections promptly across AI, open source, and gaming. Reach the desk at editorial@zbrandco.com.