
Microsoft Accelerates Post-Quantum Cryptography Migration to 2029

"Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said.

Microsoft's 2029 PQC goal and program changes

Microsoft announced it is accelerating its quantum-safe security roadmap and moving the target for transitioning critical products and services to post‑quantum cryptography (PQC) to 2029. The company said it will speed up the Microsoft Quantum Safe Program (QSP) timeline and incorporate PQC requirements into its Secure Future Initiative (SFI). The Windows maker framed the change as a response to faster-than-expected advances in quantum computing and the "significant" work required to prepare.

TLS 1.3, crypto-agility, and securing trust chains

Microsoft identified several concrete engineering priorities. Key focus areas include upgrading network cryptography by adopting TLS 1.3, building "crypto‑agility" for stored data so systems can change cryptography without costly redesigns, and transitioning to PQC algorithms to secure trust chains such as code signing, certificate issuance, key protection, and update pipelines.

On crypto‑agility, Microsoft urged the removal of hard‑coded algorithm assumptions and said systems must "persist adequate information to reconstruct the cryptographic context." It called for either "self‑describing cryptographic metadata or versioned ciphertext formats so implementations can read legacy data while writing with the newest approved algorithms." The company advised that a well‑designed crypto‑agile system should "read older ciphertext formats long enough to support migration, while writing new data with the newest approved configuration."
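A sketch of the versioned, self-describing ciphertext format described above, added here as an illustration and not taken from Microsoft's guidance or code. The header layout, suite ids, key ids and function names are assumptions, and because the Python standard library has no AEAD, each suite is a stand-in (SHAKE-256 keystream plus HMAC tag) for a vetted cipher.

```python
import hashlib, hmac, os, struct

# Constructed registry: suite id -> (MAC digest, nonce length). Ids are assumptions.
# The standard library has no AEAD, so every suite here is a stand-in built from
# a SHAKE-256 keystream plus an HMAC tag; production code maps ids to vetted AEADs.
SUITES = {1: ("sha256", 12), 2: ("sha3_256", 16)}
WRITE_SUITE = 2                 # newest approved configuration
MAGIC = b"CAE1"                 # constructed format marker
HDR = struct.Struct(">4sBH")    # magic, suite id, key id

def _subkeys(key):
    # Separate encryption and MAC keys derived from the stored key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())

def _xor(data, enc_key, nonce):
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, key_id, plaintext, suite_id=WRITE_SUITE):
    """Write an envelope. suite_id is overridable only to build legacy samples."""
    digest, nonce_len = SUITES[suite_id]
    enc_key, mac_key = _subkeys(keys[key_id])
    nonce = os.urandom(nonce_len)
    header = HDR.pack(MAGIC, suite_id, key_id) + nonce
    body = _xor(plaintext, enc_key, nonce)
    return header + body + hmac.new(mac_key, header + body, digest).digest()

def open_envelope(keys, blob):
    """Read any registered suite; the header, not the caller, selects the algorithm."""
    if len(blob) < HDR.size:
        raise ValueError("truncated envelope")
    magic, suite_id, key_id = HDR.unpack_from(blob)
    if magic != MAGIC or suite_id not in SUITES or key_id not in keys:
        raise ValueError("unknown format, suite or key")
    digest, nonce_len = SUITES[suite_id]
    split, tag_len = HDR.size + nonce_len, hashlib.new(digest).digest_size
    if len(blob) < split + tag_len:
        raise ValueError("truncated envelope")
    header, body, tag = blob[:split], blob[split:-tag_len], blob[-tag_len:]
    enc_key, mac_key = _subkeys(keys[key_id])
    # The tag covers the header, so an altered suite id or key id fails verification.
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + body, digest).digest()):
        raise ValueError("authentication failed")
    return suite_id, _xor(body, enc_key, header[HDR.size:])

def migrate(keys, blob, key_id):
    """Re-seal legacy envelopes with WRITE_SUITE; leave current ones untouched."""
    suite_id, plaintext = open_envelope(keys, blob)
    return blob if suite_id == WRITE_SUITE else seal(keys, key_id, plaintext)
```

Retiring a suite then means deleting its entry from the registry once no stored envelope still carries its id.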

Research developments that shifted the risk horizon

Microsoft cited recent academic and industry findings as part of its rationale. A team of researchers from Google disclosed they had "drastically improved upon the quantum algorithm to break elliptic curve cryptography," specifically the 256‑bit elliptic curve discrete logarithm (ECDLP‑256), using fewer qubits and gates than previously realized. Separately, "a group of academics from Caltech and Oratomic demonstrated a new error‑correction approach that could make Shor's algorithm practical with as few as 10,000 reconfigurable qubits" and potentially break RSA‑2048 and P‑256.

Those technical advances feed into the practical risk Microsoft highlighted: adversaries could collect encrypted data today with the intent to "harvest now, decrypt later" once large‑scale quantum machines become operational.

How U.S. federal action, Google, and Cloudflare fit the timeline

The Microsoft announcement follows policy and peer moves described in the same timeframe. The company noted that U.S. President Donald Trump signed an executive order setting hard deadlines for federal agencies to move high‑value assets and high‑impact systems to PQC. Earlier this March, Google said it was launching a program in its Chrome browser to ensure HTTPS certificates are secure against quantum risks and publicly committed to migrating its own infrastructure to be quantum secure by 2029. Web infrastructure company Cloudflare has also stated plans to move towards PQC by 2029.

What this means for technologists, policymakers, and enterprises

  • Technologists and security teams: Expect to prioritize crypto‑agility work — removing hard‑coded algorithms, adding versioned ciphertext formats or self‑describing metadata, and planning migration windows so legacy ciphertext remains readable during transition.
  • Policymakers and regulators: Will need to coordinate deadlines and compliance timelines with industry; the executive order mentioned in Microsoft's statement sets a federal timetable that aligns with the 2029 horizon highlighted by major vendors.
  • Enterprises and procurement leaders: Must inventory where trust chains (code signing, certificates, update pipelines, key protection) rely on current algorithms and build measurable milestones to meet vendor and federal timelines.

Conclusion

Microsoft framed the move as embedding "quantum‑safe readiness into the same disciplined engineering framework we use for other critical security outcomes: clear ownership, measurable milestones, and transparent progress," and said doing so will "empower customers to move sooner and more confidently." With industry peers and federal policy aligned around a 2029 timeline, the immediate engineering task is clear: build crypto‑agility now so algorithm upgrades become routine engineering tasks rather than emergency rewrites.

Original story — The Hacker News