Two years after the debut of its Quantum Safe Programme (QSP) Microsoft is now moving steadily through the process of incorporating post-quantum cryptography (PQC) algorithms into some of the foundational components underpinning the security of its product suite.
The computing giant said that in order to maintain the resilience of its systems and servers when future quantum computers likely break current encryption protocols for good, it needs its core services to be set to go before 2029.
This is a self-imposed deadline for early adoption of quantum-safe enabled technology that, for now, sits well ahead of most government targets for take-up – the UK’s National Cyber Security Centre (NCSC) says Britain’s key sectors and organisations should be planning to switchover to PQC by 2035.
Outlining the progress made to date, Microsoft Azure chief technogy officer Mark Russinovich, and Microsoft corporate vice president, CTO of Microsoft Security and Israel R&D Centre managing director Michal Braverman-Blumenstyk said that while scalable quantum computing remains a pipe dream for now, the time to prepare for it is now.
“Migration to post PQC is not a flip-the-switch moment, it’s a multiyear transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble,” they said.
“It is also an opportunity for every organisation to address legacy technology and practices and implement improved cryptographic standards.
They added: “By acting now, organisations can upgrade to modern cryptographical architectures that are inherently quantum safe, upgrade existing systems with the latest standards in cryptography, and embrace crypto-agility to modernise their cryptographic standards and practices and prepare for scalable quantum computing.”
The overall QSP strategy, as previously outlined, centres on three core pillars: updating Microsoft’s own and third-party services, supply chain and ecosystem to be quantum safe; supporting its customers, partners and ecosystems in this goal; and promoting global research, standards and solutions around quantum security.
Redmond has already conducted an enterprise-wide inventory to identify the potential risks and has been partnering with industry leaders over the past couple of years to address some of the more critical dependencies, invest in research, and work together on new hardware and firmware.
Where we stand today
As of this point in time, Microsoft has integrated PQC algorithms into components such as SymCrypt, which is the main cryptographic library used by Windows, Azure and Office 365. This library now supports Module-Lattice Key Encapsulation Mechanism (ML-KEM, formerly known as Crystals-Kyber) and Module-Lattice-Based Digital Signature Algorithm (ML-DSA, formerly known as Crystals-Dilithium), both of which were among the quantum-safe algorithms taken forward by the US National Institute of Standards and Technology (NIST) a year ago.
Addressing the threat of Harvest Now Decrypt Later (HNDL) cyber attacks in which threat actors exfiltrated data today and hold it in reserve until they can crack the code, Microsoft is also ramping up the introduction of quantum-safe key exchange mechanisms in SymCrypt, enabling transport layer security (TLS) hybrid key exchange – per the latest IETF draft – and enhancing TLS 1.3 to support hybrid and pure post-quantum key exchange methods. These capabilities will be trickling down to the Windows TLS stack before much longer, said Russinovich and Braverman-Blumenstyk.
Beyond SymCrypt, Microsoft is also updating components such as its Entra authentication, key and secret management, and signing services, and plans to move towards integrating PQX into Windows, Azure, Office 365, and its data, networking and AI services to ensure the safety of the broader Microsoft services ecosystem.
Alignment to government plans
Microsoft’s overall QSP strategy currently aligns chiefly with US government requirements and timelines concerning quantum safety – including those laid down by agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), NIST, and the National Security Agency (NSA).
However it is closely monitoring quantum safe initiative emanating from Australia, Canada, the European Union (EU), Japan and the UK.
