How we are preparing for the future of cryptography
Cryptography is the science of securing information from unauthorized access or modification. It is essential for protecting the privacy and integrity of data in the digital world. However, cryptography is not static. It evolves with advances in mathematics, computer science, and technology. One of the biggest challenges that cryptography faces today is the future threat from substantially more powerful quantum computers
Quantum computing leverages the properties of quantum physics, such as superposition and entanglement, operations that are impossible or impractical for classical computers. While quantum computers have the potential to help us solve some of the most complex problems in science, engineering, and medicine, they also have the potential to upend public-key algorithms, which form the foundation of today’s encryption and security for most existing information and communication technology products.
In an earlier blog post we explored how quantum computing could disrupt the most commonly used asymmetric algorithms, such as Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC), and why symmetric cryptography largely withstands quantum threats. While a capable enough quantum computer to break public-key cryptography is still in the future, threat actors are preparing today. There are increasing concerns related to attackers recording data now with a view to being able to decrypt it later when quantum computers are sufficiently mature – in so-called “Harvest-now, Decrypt-later” attacks.
To address this challenge, researchers have been developing post-quantum cryptography (PQC) algorithms that are resistant to quantum attacks. PQC is based on mathematical problems that are hard for both classical and quantum computers. PQC algorithms offer a promising solution for the future of cryptography, but they also come with some trade-offs. For example, these typically require larger key sizes, longer computation times, and more bandwidth than classical algorithms. Therefore, implementing PQC in real-world applications requires careful optimization and integration with existing systems and standards.
Microsoft is a key participant in and contributor to the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization Process, which announced the first set of PQC algorithms which can be used by public and private sectors. Microsoft Research’s work on PQC includes several proposals for PQC algorithms in collaboration with academics and industry partners, and we have provided feedback and analysis on other submissions. Microsoft is also a core member and contributor in Open Quantum Safe (OQS) and National Cybersecurity Center of Excellence (NCCoE). We are also actively engaged in the Internet Engineering Task Force (IETF) to define standard interoperable ways to use PQC algorithms for safeguarding communication. This step is crucial before we see mainstream PQC adoption in software products and services across the industry.
Microsoft has developed a comprehensive strategy to support quantum resistance, acknowledging the significant impact quantum computing may have on existing public-key encryption methods. To address this, we established the Microsoft Quantum Safe Program (QSP), which unifies and accelerates all quantum-safe initiatives across the company from both technical and business perspectives. The goal of QSP is to achieve quantum readiness by integrating PQC algorithms and other security measures into Microsoft products, services, and infrastructures. Additionally, QSP is dedicated to supporting and empowering our customers, partners, and ecosystems as they work toward their own quantum-safe transitions.
Introducing PQC Algorithms in SymCrypt
At Microsoft, we strive to provide our customers with top security solutions for their data and communications. That is why we are proud to announce that we have begun releasing support for post-quantum algorithms in SymCrypt, Microsoft’s open-source core cryptographic library. Last week we published a SymCrypt update that includes the ML-KEM and XMSS algorithms, to be followed in the coming months with additional algorithms described below. This is a major milestone in our journey to prepare for the quantum era and to help protect our customers from future quantum threats.
SymCrypt is Microsoft's main cryptographic library used in products and services such as Azure, Microsoft 365, Windows 11, Windows 10, Windows Server 2025, Windows Server 2022, Azure Stack HCI, and Azure Linux. These products and services use SymCrypt to provide cryptographic security for scenarios such as email security, cloud storage, web browsing, remote access, and device management. SymCrypt offers a consistent interface for encryption, decryption, signing, verification, hashing, and key exchange using both symmetric and asymmetric algorithms. It is built to be fast, secure, and portable across multiple platforms and architectures. In Windows operating systems, the SymCrypt cryptographic library is embedded in the Cryptographic Primitives Libraries (bcryptprimitives.dll and cng.sys) which have gone through multiple FIPS 140 validations; SymCrypt is also going through a FIPS 140 validation as a cryptographic module for Linux-based operating systems. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard. We will continue to update and pursue evaluations for our products and services as standards evolve to support PQC algorithms.
With NIST releasing an initial group of finalized post-quantum encryption standards, we are excited to bring these into SymCrypt, starting with ML-KEM (FIPS 203, formerly Kyber), a lattice-based key encapsulation mechanism (KEM). In the coming months, we will incorporate ML-DSA (FIPS 204, formerly Dilithium), a lattice-based digital signature scheme and SLH-DSA (FIPS 205, formerly SPHINCS+), a stateless hash-based signature scheme.
In addition to the above PQC FIPS standards, in 2020 NIST published the SP 800-208 recommendation for stateful hash-based signature schemes which are also resistant to quantum computers. As NIST themselves called out, these algorithms are not suitable for general use because their security depends on careful state management, however, they can be useful in specific contexts like firmware signing. In accordance with the above NIST recommendation we have added eXtended Merkle Signature Scheme (XMSS) to SymCrypt, and the Leighton-Micali Signature Scheme (LMS) will be added soon along with the other algorithms mentioned above.
PQC algorithms have been meticulously chosen by NIST to offer high security, performance, and compatibility. They have been fine-tuned for efficiency in speed and size and have gone through rigorous tests for security and robustness. Efforts are ongoing within multiple industry standards organizations to ensure these algorithms are adopted into and compatible with existing standards and protocols such as Transport Layer Security (TLS), Secure Socket Shell (SSH), and Internet Protocol Security (IPSec), and that they can operate in hybrid mode alongside classical algorithms like RSA, Elliptic Curve Diffie–Hellman (ECDH), and Elliptic Curve Digital Signature Algorithm(ECDSA). As PQC standards develop, we will seek to incorporate additional algorithms into SymCrypt to maintain compliance, security, and compatibility.
The recommended path for leveraging SymCrypt is via Cryptography API: Next Generation (CNG) on Windows, while on Linux there are several options: direct use of SymCrypt APIs, the SymCrypt engine for OpenSSL (SCOSSL), or the SymCrypt Rust Wrapper. Over the coming months, these layers will add support for PQC algorithms, giving our customers the ability to experiment in their own environments and applications.
The use of PQC algorithms to secure TLS communications is an area experiencing rapid development. Although the finalization of NIST algorithms represents a key milestone in this advancement, two critical standards are required for widespread adoption: quantum safe key exchange and quantum safe signature authentication. We are working closely with the IETF to develop and standardize quantum-safe key exchange and authentication for TLS and other IETF protocols. As these standards get finalized, we will make these available through the Windows TLS stack (Schannel) and SymCrypt engine for OpenSSL on Linux.
PQC algorithms are relatively new, and it is prudent not to consider the initial generation of PQC algorithms as the definitive solution but rather view this as an evolving field. This underscores the importance of "Crypto Agility" which involves designing solutions to be resilient to the use of different algorithms and/or upgradable to use future algorithms as the PQ standards evolve. Recognizing this, Microsoft is a strong advocate of building solutions which are crypto agile, as well as deploying PQC solutions which make use of a hybrid PQ mode of operation. In time, we expect a shift towards pure PQ deployments, as PQ algorithms and standards mature.
Adding post-quantum algorithm support to the underlying crypto engine is the first step towards a quantum safe world. As we enable support for PQC in additional system components and applications, we will see services light up end-to-end scenarios protected by PQC while also giving our customers the option to experiment with and adopt it in their own environments and applications.
Start your PQC transition journey
The transition to PQC is a complex, multi-year and iterative process, which requires attention and careful planning. One of the first steps that we recommend organizations to take is creating an inventory of cryptographic assets in use. By that, organizations can better understand the scope of the effort and establish a risk-based plan for their PQC transition.
Also, we recommend familiarizing the organization with the PQC algorithms and approaches for implementations.
Microsoft is here to assist its customers, partners and ecosystems in navigating their transition to quantum safety and optimizing safety in the quantum era. Fill out this questionnaire to get started with Microsoft.
Conclusion
PQC algorithm support in SymCrypt is a significant step forward in our efforts to prepare for the quantum era, and to help protect our customers from future quantum threats. We are excited to share this update with you and to hear your feedback and suggestions. We also look forward to collaborating with the research community, industry, and standards bodies to advance the state of the art in post-quantum cryptography and to make it more widely available and adopted. By working together, we can maintain cryptography as a strong method for protecting information in the digital age.