Microsoft sets 2033 deadline for post-quantum security rollout

Microsoft has detailed its Quantum Safe Program as part of an ongoing transformation to protect infrastructure, customers and global ecosystems from the potential threats posed by future quantum computers.

The company is integrating post-quantum cryptography (PQC) into components such as SymCrypt, its core cryptographic library, and Transport Layer Security (TLS), with updates extending to authentication systems, key management, signing services, and a full range of Microsoft products, including Windows, Azure, Microsoft 365, data and AI services, and networking platforms.

Quantum threat landscape

Quantum computing is likely to enable breakthroughs across a variety of industries but also introduces a new level of risk. Future scalable quantum computers could undermine today's public-key cryptography and digital signatures, compromising authentication and identity verification systems. While such quantum computers are not yet available, Microsoft and security experts agree that immediate preparations are necessary.

The prospect of so-called "Harvest Now, Decrypt Later" (HNDL) attacks adds urgency, where attackers might record encrypted data now and decrypt it later once quantum computers become operational. In response, the security industry - including Microsoft - is prioritising the development and implementation of quantum-safe algorithms and protocols.

Industry-wide alignment

Microsoft stated that the Quantum Safe Program (QSP) closely aligns with United States government initiatives and timelines on quantum safety, referencing guidance from agencies including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the National Security Agency (NSA). The company is also monitoring quantum-safe policies from governments in the European Union, Japan, Canada, Australia, and the United Kingdom.

Microsoft's roadmap targets completion of the transition to PQC across all products and services by 2033, which is two years before the 2035 deadline that most major governments have set. The company's approach is designed to enable early adoption by 2029, with a gradual shift to making quantum-safe technologies the default.

Phases of transition

The transition plan to quantum security is structured into three phases. The first phase involves updating foundational cryptographic components such as SymCrypt, which underpins the security of Microsoft operating systems and cloud services. The second phase focuses on core infrastructure services including identity authentication and key management. The third and widest phase extends quantum-safe updates to all services and endpoints, across Windows, Azure, Microsoft 365, and the company's data and AI offerings.

SymCrypt has already introduced Module-Lattice Key Encapsulation Mechanism (ML-KEM) and Module-Lattice Digital Signature Algorithm (ML-DSA) through its Cryptography API: Next Generation (CNG), making these available to Windows Insiders and Linux users. TLS 1.3 is also being enhanced with support for hybrid and post-quantum key exchange to help thwart HNDL attack vectors.

Ongoing collaboration

Microsoft has been working with international standards bodies - including NIST, the Internet Engineering Task Force (IETF), International Organisation for Standardization (ISO), Distributed Management Task Force (DMTF), the Open Compute Project (OCP), and the European Telecommunications Standards Institute (ETSI) - to align quantum-safe cryptography standards and facilitate global interoperability. It has contributed to NIST's post-quantum cryptography efforts since at least 2017 and was a founding member of the Open Quantum Safe project.

The company's research history in PQC includes experiments such as operating a VPN tunnel secured with experimental PQC algorithms between its Redmond campus and a datacentre located underwater in Scotland. Microsoft has also led the integration workstream for NIST's National Cybersecurity Centre of Excellence (NCCoE) Post-Quantum project and contributed the FrodoKEM cryptosystem to be included in ISO standards.

Internal strategy

"Our QSP is a comprehensive and company-wide effort to enable Microsoft, our customers, and partners, to transition smoothly and securely into the quantum era. The program is governed by the QSP leadership team with representatives across all major business groups, research and engineering divisions, and functions."

Microsoft's strategy is based on three main priorities: making Microsoft itself quantum-safe, supporting customers and partners to do the same, and advancing research and international standards for quantum-safe technologies and crypto-agility, which is the ability to change cryptographic algorithms as threats emerge.

The programme began with a comprehensive audit of cryptographic assets, followed by targeted investments in quantum-safe algorithms and partnerships to address critical dependencies and modernise hardware and firmware. The implementation of quantum-resilient solutions is taking place across the supply chain and ecosystem, with ongoing adoption of open-source silicon-based protections.

Call for early action

Migration to PQC is described by Microsoft as a multi-year process that requires strategic planning and coordinated execution across industries. The company stresses that transitioning to quantum-safe security is not an instantaneous change but a "complex but essential process."

"Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it's a multiyear transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble."

Microsoft encourages organisations to address legacy technologies, modernise cryptographic standards, and begin their preparations for a future in which quantum computing may pose real risks to today's security mechanisms.