Microsoft has begun integrating post-quantum cryptography (PQC) into Windows Insider builds, marking a critical step toward quantum-resilient cybersecurity.
Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility with existing systems.
The implementation introduces support for NIST-selected PQC algorithms, ML-KEM (for key encapsulation) and ML-DSA (for digital signatures), within Windows’ Cryptography API: Next Generation (CNG) and SymCrypt, the company’s core cryptographic library. These algorithms are based on lattice cryptography, considered resistant to attacks by both classical and quantum computers.
ML-KEM, a finalist in NIST’s PQC standardization process, is included with three security parameter sets (Levels 1, 3, and 5). For example, ML-KEM-1024 offers Level 5 security, with encapsulation keys and ciphertexts each 1,568 bytes long. On the digital signature front, ML-DSA, based on Dilithium, is provided in three variants, with ML-DSA-87 offering the highest security level. However, Microsoft acknowledges the performance overhead, particularly regarding key and signature sizes, advising developers to begin compatibility testing early.
For Windows, these updates allow developers to import, export, and validate ML-DSA certificates via the WinCrypt certificate API surface, laying the groundwork for more complex use cases such as trust chain validation and digital identity assurance. Microsoft recommends hybrid cryptography, using both classical and quantum-safe algorithms in tandem, during this transitional phase, particularly against “harvest now, decrypt later” threats.
These efforts come as Microsoft positions itself at the forefront of quantum security preparation. The company is contributing to the IETF's LAMPS working group on PKI and certificate standards and collaborating with partners to support composite and pure PQC algorithms across a wide range of applications, including firmware signing, authentication protocols, and software delivery systems.
Future plans include adding support for PQC algorithms like SLH-DSA and LMS/XMSS across Windows TLS (Schannel), SymCrypt for OpenSSL, and Active Directory Certificate Services (ADCS). These additions will enable full-lifecycle support for PQC certificates, from issuance to revocation, including compatibility with mobile device management solutions like Microsoft Intune.
Leave a Reply