On 7 April 2026, Cloudflare pulled its post-quantum cryptography (PQC) deadline forward to 2029, three years earlier than planned. Google did the same. IBM's quantum security lead said attacks on high-value targets can no longer be ruled out by that date. For HSM owners, the planning horizon just shifted from "sometime next decade" to "decisions this year."
Why Cloudflare moved the deadline to 2029
Two research papers in March 2026 showed that breaking today's elliptic curve cryptography needs roughly twenty times fewer qubits than previously estimated. Cloudflare and Google responded by accelerating their timelines and by changing their priority.
Until now, post-quantum planning focused on encryption. Cloudflare and Google flipped that. Authentication comes first. Their reasoning: a quantum attacker with scarce, expensive early hardware won't waste it decrypting archives. They'll target long-lived signing keys, where one forgery grants persistent infrastructure access.
Those signing keys live in HSMs. Root CAs, intermediate CAs, code-signing, firmware trust anchors, qualified electronic signatures under eIDAS — the keys just classified as the priority migration target are the keys your HSMs protect. NIST's own guidance under CNSA 2.0 aligns with this direction, with deprecation of classical algorithms coming well before 2035.
The benchmark problem: why RSA signatures-per-second is about to become meaningless
Every HSM on the market has been measured the same way for twenty years: RSA-2048 signatures per second. That metric is about to stop being useful.
Post-quantum algorithms behave differently. An ML-DSA-65 signature (NIST FIPS 204) is 3,309 bytes, against 256 bytes for RSA-2048 and roughly 64 bytes for ECDSA. Certificate chains grow from 1.5 KB to around 17 KB. TLS handshakes get longer. Certificate storage grows. Network tools calibrated for old signature sizes behave unexpectedly.
Inside the HSM, the workload itself changes. ML-DSA signing can actually outperform RSA, but it requires substantially more working memory per operation. Stateful hash-based algorithms like LMS and XMSS — the right fit for firmware signing and some root CA scenarios — come with a specific trap: unlike RSA keys, they cannot simply be copied for backup or replicated for high availability. State has to be managed carefully, or the security guarantee breaks.
The implication: an HSM fleet rated in RSA signatures per second tells you almost nothing about how it will behave under post-quantum workloads. The measurements that shaped two decades of procurement are about to stop being useful.
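The backup and replication trap described above, as an added example that is not from the original article and is not Utimaco's state management implementation: a toy leaf-index counter (no real cryptography; all class and function names are hypothetical) showing that restoring a copied state file re-issues one-time indices. It also shows two generic mitigations, persisting a reservation before any index is used and giving each HA node a disjoint index range, which stands in here for separate subtrees or keys per module.

```python
import json, os

class StatefulSigner:
    """Toy LMS/XMSS state: hands out one-time leaf indices in [lo, hi), no real crypto."""
    def __init__(self, path, lo=0, hi=1024, reserve=1):
        self.path, self.hi, self.reserve = path, hi, reserve
        if os.path.exists(path):
            with open(path) as f:
                self.next = json.load(f)["next"]  # resume at the persisted high-water mark
        else:
            self.next = lo
            self._persist(lo)
        self.limit = self.next                    # nothing reserved yet in this session

    def _persist(self, value):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next": value}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)                # atomic swap of the state file

    def sign(self, msg):
        if self.next >= self.limit:               # commit a reservation BEFORE using an index
            if self.next >= self.hi:
                raise RuntimeError("one-time keys exhausted")
            self.limit = min(self.next + self.reserve, self.hi)
            self._persist(self.limit)
        idx, self.next = self.next, self.next + 1
        return idx                                # a real signer would return (idx, signature)

def restore_reuses_index(workdir):
    """Back up the state file, keep signing, restore the backup: which indices repeat?"""
    path = os.path.join(workdir, "state.json")
    s = StatefulSigner(path)
    used = [s.sign(b"a"), s.sign(b"b")]
    with open(path) as f:
        backup = f.read()                         # naive file-level backup
    used += [s.sign(b"c"), s.sign(b"d")]
    with open(path, "w") as f:
        f.write(backup)                           # disaster-recovery restore
    restored = StatefulSigner(path)
    return sorted(set(used) & {restored.sign(b"e"), restored.sign(b"f")})

def partitioned_replicas(workdir, total=1024, replicas=2):
    """HA without copying state: each node owns a disjoint index range."""
    span = total // replicas
    nodes = [StatefulSigner(os.path.join(workdir, f"node{i}.json"), i * span, (i + 1) * span, reserve=8) for i in range(replicas)]
    return [[n.sign(b"m") for _ in range(3)] for n in nodes]
```

Call both functions with a scratch directory: the first returns the indices that were signed twice after the restore, the second returns each node's issued indices. Reopening a node's state file after a crash resumes at the reserved high-water mark, so unused reserved indices are skipped rather than reissued.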
Three questions to ask your HSM vendor
Three questions separate vendors who are ready from vendors who are catching up.
- Can I activate post-quantum algorithms on the hardware I already own? If the answer is "you need new HSMs," you're facing a fleet refresh on top of an algorithm migration. Utimaco's Quantum Protect package activates on existing u.trust GP HSM Se-Series and u.trust GP HSM CSe-Series hardware. No hardware swap. ML-DSA (FIPS 204), ML-KEM (FIPS 203) and LMS are NIST CAVP validated and shipping today. SLH-DSA (FIPS 205) is on the roadmap.
- How is stateful signature state managed? LMS and XMSS are operationally unforgiving. Our implementation includes a patented state management approach designed specifically for high-availability and backup scenarios where naive implementations fail.
- What's the upgrade path if my fleet turns out to be undersized? The u.trust GP HSM Se-Series scales from Se100 through Se40k with in-field upgrades and no hardware replacement. If the new workload pushes capacity past what you sized for, you're not locked in.
Benchmark first, buy second
Before any procurement conversation, test the algorithms against your own workload. Our Quantum Protect Simulator is free, runs in your own environment, and integrates with your existing PKI or code-signing pipeline. You'll learn more in an afternoon of testing than in a quarter of vendor datasheets.
The 2029 deadline is three years out. HSM hardware has five-to-seven-year lifecycles. The buying decisions made in 2026 determine whether you migrate through existing infrastructure or replace it under time pressure.
Further reading: Cloudflare's post-quantum roadmap announcement · NIST FIPS 204 (ML-DSA)