Building Post-Quantum-Ready SaaS on Cloudflare Workers

January 15, 2026
Rajesh Vaidheeswarran
post-quantum, cryptography, cloudflare-workers, saas-architecture

NIST finalized CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures) as ML-KEM and ML-DSA in 2024. The question for SaaS architects is no longer whether to migrate — it is how to do it without a full platform rewrite.

This post documents the migration architecture we developed for Svasthya Suci, PSDI's multi-tenant EHR platform serving charitable hospitals across India.

Why the urgency

Harvest-now, decrypt-later attacks are already occurring. Nation-state actors are collecting encrypted traffic today with the expectation of decrypting it once quantum computers mature. For healthcare data, the timeline matters: a patient record encrypted today may still be sensitive in 2035.

The hybrid KEM approach

Rather than a hard cutover, we use a hybrid key encapsulation mechanism that combines X25519 (classical) with ML-KEM-768 (post-quantum). Both keys must be compromised to break the session — giving you classical security today and quantum resistance for the future.

Implementation on Cloudflare Workers

Cloudflare Workers' WebCrypto API does not yet natively support ML-KEM. We use a WASM-compiled implementation of liboqs, loaded as a Workers module, to handle the post-quantum key operations. The classical X25519 exchange uses the native SubtleCrypto API.

The combined handshake adds approximately 1.2 KB to the initial exchange and ~2 ms of additional latency at the edge — acceptable for a healthcare application where the alternative is data exposure.
