Microsoft Prepares for Quantum Computing Threat with 2033 Transition Goal

Since 2014, Microsoft has been investing in post-quantum cryptography (PQC) and quantum computing advancements, including the Majorana 1 quantum processor and 4D geometric error correction codes, proactively preparing for the potential risks posed by scalable quantum computing to current cryptographic security. The company participates in partnerships with regulatory and technical bodies such as the National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF), and International Organization for Standardization (ISO), and in 2023 created the Quantum Safe Program (QSP) to protect its infrastructure and that of its customers. Microsoft aims to complete the transition of its services and products to PQC by 2033, two years before the 2035 deadline set by most governments, and to enable early adoption by 2029, integrating PQC algorithms into foundational components like SymCrypt, the cryptographic library used across Windows, Microsoft Azure, and Microsoft 365.

Preparing for Post-Quantum Cryptography

Microsoft is proactively preparing for the risks posed by scalable quantum computing by partnering with regulatory and technical bodies including the National Institute of Standards and Technology (NIST), Internet Engineering Task Force (IETF), International Organization for Standardization (ISO), Distributed Management Task Force (DMTF), Open Compute Project (OCP), and European Telecommunications Standards Institute (ETSI) to align on quantum-safe encryption standards and ensure worldwide interoperability. Migration to post-quantum cryptography (PQC) is a multiyear transformation requiring immediate planning and coordinated execution, presenting an opportunity to address legacy technology and implement improved cryptographic standards. Microsoft has been investing in both quantum computing advancements, such as the Majorana 1 quantum processor and 4D geometric error correction codes, and the requirements for PQC since 2014, publishing research on post-quantum algorithms and quantum cryptanalysis. The company participated in submissions to both the 2017 and current NIST PQC calls, and since 2018 has been experimenting with verified PQC algorithms, including testing a PQC-protected VPN tunnel between Redmond, Washington, and Scotland using Project Natick’s underwater datacenter.

Microsoft is a founding member of the Open Quantum Safe project and led the integration workstream of the NIST NCCoE Post-Quantum project. Its research, including the FrodoKEM cryptosystem developed in collaboration with academic and industry partners, is poised to become an ISO standard algorithm. In 2024, Microsoft contributed Adams Bridge Accelerator, an open-source quantum-resilient cryptographic hardware accelerator, integrated into Caliptra 2.0, part of the Open Compute Project (OCP). Furthermore, PQC capabilities have been previewed for Windows Insiders and Linux, and SymCrypt has been updated to support verified PQC algorithms, enabling customers to proactively prepare their software and services.

In 2023, Microsoft created the Quantum Safe Program (QSP) to unify and accelerate efforts to protect its infrastructure, and that of its customers, partners, and ecosystems, from the evolving risk of quantum computing. The QSP aligns with United States government requirements and timelines for quantum safety, including guidance from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), NIST, and the National Security Agency. Microsoft also monitors quantum-safe initiatives from international governments, including those of the European Union, Japan, Canada, Australia, and the United Kingdom.

The QSP strategy is guided by three priorities: making Microsoft quantum safe by updating services, supply chains, and ecosystems; supporting customers, partners, and ecosystems with appropriate tools and guidance; and promoting global research, standards, and solutions for quantum-safe technologies and crypto-agility. This began with an enterprise-wide inventory to assess and prioritize cryptographic asset risks, followed by partnerships to address dependencies and investment in quantum-safe research and hardware/firmware innovation. Microsoft aims to complete the transition of its services and products by 2033, two years before the 2035 deadline set by most governments, and to enable early adoption of quantum-safe capabilities by 2029.

The transition strategy is built on a modular framework, considering each service’s unique requirements, performance constraints, and risk profile, resulting in either a direct shift to full PQC or a hybrid approach combining classical and quantum-resistant algorithms. This strategy consists of three phases: foundational security components, core infrastructure services, and all services and endpoints.

Microsoft has integrated PQC algorithms into foundational components like SymCrypt, the primary cryptographic library used across Windows, Microsoft Azure, and Microsoft 365. SymCrypt supports both symmetric and asymmetric algorithms, providing essential cryptographic operations. Recent updates have made ML-KEM and ML-DSA available through Cryptography API: Next Generation (CNG) and Certificate and Cryptographic messaging functions for Windows Insiders and Linux customers. To counter the threat of Harvest Now, Decrypt Later (HNDL) cyberattacks, security protocol standards are prioritizing quantum-safe key exchange mechanisms, and SymCrypt-OpenSSL version 1.9.0 has enabled TLS hybrid key exchange as per the latest IETF internet draft.

Updating foundational components to provide quantum safety for Microsoft and its customers constitutes the core infrastructure services phase, prioritizing the protection of the most sensitive and essential components first. The final phase involves integrating PQC into Windows, Azure services, Microsoft 365, data platforms, AI services, and networking to provide comprehensive protection across all platforms and applications.

Microsoft’s Proactive Approach

Microsoft aims to complete the transition of its services and products by 2033, two years before the 2035 deadline set by most governments, and to enable early adoption of quantum-safe capabilities by 2029. In 2023, Microsoft created the Quantum Safe Program (QSP) to unify and accelerate efforts to protect its infrastructure, and that of its customers, partners, and ecosystems, from the evolving risk of quantum computing. The QSP aligns with United States government requirements and timelines for quantum safety, including guidance from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), NIST, and the National Security Agency. Microsoft also monitors quantum-safe initiatives from international governments, including those of the European Union, Japan, Canada, Australia, and the United Kingdom.

The QSP strategy is guided by three priorities: making Microsoft quantum safe by updating services, supply chains, and ecosystems; supporting customers, partners, and ecosystems with appropriate tools and guidance; and promoting global research, standards, and solutions for quantum-safe technologies and crypto-agility. This began with an enterprise-wide inventory to assess and prioritize cryptographic asset risks, followed by partnerships to address dependencies and investment in quantum-safe research and hardware/firmware innovation.

Microsoft has been investing in both quantum computing advancements, such as the Majorana 1 quantum processor and 4D geometric error correction codes, and the requirements for post-quantum cryptography since 2014, publishing research on post-quantum algorithms and quantum cryptanalysis. The company participated in submissions to both the 2017 and current NIST PQC calls, and since 2018 has been experimenting with verified PQC algorithms, including testing a PQC-protected VPN tunnel between Redmond, Washington, and Scotland using Project Natick’s underwater datacenter.

Microsoft is a founding member of the Open Quantum Safe project and led the integration workstream of the NIST NCCoE Post-Quantum project. Its research, including the FrodoKEM cryptosystem developed in collaboration with academic and industry partners, is poised to become an ISO standard algorithm. In 2024, Microsoft contributed Adams Bridge Accelerator, an open-source quantum-resilient cryptographic hardware accelerator, integrated into Caliptra 2.0, part of the Open Compute Project (OCP). Furthermore, PQC capabilities have been previewed for Windows Insiders and Linux, and SymCrypt has been updated to support verified PQC algorithms, enabling customers to proactively prepare their software and services.

Implementing Quantum-Safe Security

Microsoft aims to complete the transition of its services and products by 2033, two years before the 2035 deadline set by most governments, and to enable early adoption of quantum-safe capabilities by 2029. The transition strategy is built on a modular framework, considering each service’s unique requirements, performance constraints, and risk profile, resulting in either a direct shift to full post-quantum cryptography or a hybrid approach combining classical and quantum-resistant algorithms. This strategy consists of three phases: foundational security components, core infrastructure services, and all services and endpoints.

Microsoft has integrated post-quantum cryptography algorithms into foundational components like SymCrypt, the primary cryptographic library used across Windows, Microsoft Azure, and Microsoft 365. SymCrypt supports both symmetric and asymmetric algorithms, providing essential cryptographic operations. Recent updates have made ML-KEM and ML-DSA available through Cryptography API: Next Generation (CNG) and Certificate and Cryptographic messaging functions for Windows Insiders and Linux customers.

To counter the threat of Harvest Now, Decrypt Later (HNDL) cyberattacks, security protocol standards are prioritizing quantum-safe key exchange mechanisms, and SymCrypt-OpenSSL version 1.9.0 has enabled TLS hybrid key exchange as per the latest IETF internet draft.

Updating foundational components to provide quantum safety for Microsoft and its customers constitutes the core infrastructure services phase. This prioritizes protecting the most sensitive and essential components first. The final phase involves integrating post-quantum cryptography into Windows, Azure services, Microsoft 365, data platforms, AI services, and networking to provide comprehensive protection across all platforms and applications.

Microsoft encourages customers and partners to begin developing their quantum-safe strategy now and will continue to provide insights and guidance based on its practical experience. Further information on Microsoft Security solutions, the Security blog, LinkedIn, and X are available online.

A Phased Transition Strategy

The transition strategy is built on a modular framework, considering each service’s unique requirements, performance constraints, and risk profile, resulting in either a direct shift to full post-quantum cryptography or a hybrid approach combining classical and quantum-resistant algorithms. This strategy consists of three phases: foundational security components, core infrastructure services, and all services and endpoints.

Microsoft aims to complete the transition of its services and products by 2033, two years before the 2035 deadline set by most governments, and to enable early adoption of quantum-safe capabilities by 2029. The initial phase focuses on updating foundational components to provide quantum safety for Microsoft and its customers, prioritizing the protection of the most sensitive and essential components first. The final phase involves integrating post-quantum cryptography into Windows, Azure services, Microsoft 365, data platforms, AI services, and networking to provide comprehensive protection across all platforms and applications.