Microsoft Accelerates Quantum-Safe Push with New Timeline

Written by

Microsoft has revealed it is speeding up efforts to transition to post-quantum cryptography (PQC) in line with what it claimed is a shifting “risk horizon.”

The tech giant’s CTO, Mark Russinovich, noted in a June 30 blog post that advances in quantum R&D had precipitated the decision to move “critical products and services” to PQC by 2029.

Advanced research efforts mean that cryptographically relevant quantum computers (CRQCs) capable of cracking asymmetric encryption could appear sooner than anticipated.

“Recent government actions, including United States and French guidance to adopt quantum-safe cryptography as early as 2030 in certain high-risk systems, reflect the same conclusion: preparing for this transition is already underway,” Russinovich explained.

“This is a recognition that the transition to quantum-safe cryptography is a multi-year engineering effort that benefits from early planning and action, and delaying that work increases both cost and risk. This reinforces our decision to bring the work forward.”

Read more on quantum: NCSC Sets 2035 Deadline for Post-Quantum Cryptography Migration.

Microsoft’s efforts rest on three pillars:

  1. Upgrade network cryptography to TLS 1.3, which supports hybrid and post-quantum key exchange for secure data in transit.
  2. Build crypto-agility for data at rest so algorithms can be updated with minimal service disruption or application changes. This means making cryptographic settings configurable outside of applications, standardizing key management and rotation, and eliminating hard-coded algorithms.
  3. Modernizing the crypto trust chains that underpin software, devices, and services. This will include hardware-backed key protection, updated certificate lifetimes and policies, and auditable signing and issuance processes for critical trust anchors. Microsoft will transition to PQC algorithms when available.

Advice From Microsoft

Microsoft is not only accelerating its Microsoft Quantum Safe Program (QSP) timeline, but also incorporating PQC into its Secure Future Initiative (SFI), which it said will help customers to transition to quantum-safe systems sooner.

Russinovich said customers are focusing on crypto-agility for long-term resilience, prioritizing long-lived, sensitive data which may already be at risk from harvest now, decrypt later (HNDL) attacks.

By starting the process now, organizations can reap immediate benefits, he added.

“Most organizations lack clear visibility into where cryptography exists across applications, infrastructure, and legacy systems, making discovery and prioritization the primary challenge,” Russinovich continued.

“Organizations that begin with cryptographic discovery and lifecycle management consistently uncover existing gaps that require attention today, independent of quantum risk.

He shared several steps organizations can take to start their post-quantum journey today:

  • Define ownership, scope, and milestones for a multi-year cryptography transition
  • Build crypto-agility into new systems to streamline adoption of future standards
  • Create and maintain a living cryptographic inventory to identify, prioritize, and modernize dependencies
  • Adopt modern standards such as TLS 1.3 as a baseline across client and server systems

What’s Hot on Infosecurity Magazine?