
Microsoft has announced that it will transition its services and products to meet post-quantum cryptographic standards by 2033 and adopt quantum-safe capabilities by 2029.
“To maintain resilience of Microsoft’s services and systems against quantum computers powerful enough to break modern cryptographic algorithms, we’ve developed a phased transition strategy built on a modular framework,” said Microsoft about its transition plan released on Wednesday.
The company said its transition will take place over three phases to switch over to cryptographic standards strong enough to protect against quantum computers.
To start with, Microsoft said it will focus on foundational security components by integrating post-quantum cryptographic (PQC) algorithms into its foundational components, such as SymCrypt, which is its open-source cryptographic library.
That phase also includes prioritizing quantum-safe key exchange mechanisms, which Microsoft said aims to mitigate the threat of harvest now, decrypt later cyberattacks that enable threat actors to store encrypted data today to break later.
The second phase will include updating foundational components in products and services, such as Microsoft Entra authentication and signing services, which “will protect the most sensitive and essential components first” to build “a strong foundation for the broader transition.”
Microsoft’s final phase will integrate PQC into all Microsoft products and services to provide “comprehensive protection.”
“This approach considers each service unique requirements, performance constraints, and risk profile, resulting in either a direct shift to full PQC or a hybrid approach combining classical and quantum-resistant algorithms as an interim step,” said Microsoft.
Once completed – and by the 2033 goal – Microsoft would complete early adoption of PQC protections two years before the 2035 deadline that the Biden administration had set for completing the transition of most cryptographic standards.
Microsoft said it is also working with regulatory bodies such as the National Institute of Standards and Technology, Internet Engineering Task Force, and the International Organization for Standardization to align on PQC standards and enable global interoperability.
“While scalable quantum computing is not available today, the time to prepare is now,” said Microsoft.
Federal agencies are working on similar timelines to transition to PQC algorithms. For example, the Cybersecurity and Infrastructure Security Agency has set an internal target of 2030.