The White House has issued a new executive order on post-quantum cryptography, calling for federal agencies to complete migration to quantum-resistant algorithms by 2030. Cloudflare's analysis welcomes the milestone but urges faster action and broader scope.
Key changes and implications:
- 2030 deadline: All National Security Systems and federal agencies must migrate to post-quantum cryptography (PQC) by 2030. This is the first hard timeline from the U.S. government.
- Hybrid approach: The order recommends using hybrid X.509 certificates combining traditional algorithms (e.g., ECDSA) with PQC algorithms (e.g., ML-KEM, ML-DSA, SLH-DSA) to ensure backward compatibility.
- Cloudflare's role: Cloudflare already supports post-quantum key agreement via ML-KEM (Kyber) for TLS, and post-quantum authentication via X.509 certificates with ML-DSA (Dilithium).
- Migration playbook: Cloudflare provides a step-by-step guide: inventory cryptographic assets, prioritize high-value systems, test with `curl --tls13-key-exchange --curves X25519Kyber768` for TLS 1.3, and switch to hybrid certificates.
- Missing pieces: The order does not address code signing or blockchain applications; Cloudflare suggests extending timelines and including more domains like IoT and supply chain.
- Developer action: Start testing PQC now using Cloudflare's post-quantum tunnel (try with `cloudflared tunnel --post-quantum`) and update TLS libraries to support OpenSSL 3.2+ with Kyber and Dilithium.
For developers, this order means quantum-safe cryptography is no longer optional. Applications must be ready for a hybrid world where both classical and PQC algorithms coexist. Cloudflare's existing support for Post-Quantum TLS and Hybrid Key Exchange (e.g., X25519Kyber768) offers a smooth migration path. The 2030 deadline may seem distant, but cryptographic inventory and testing should start today.