Microsoft moves PQC migration timeline to 2029

The company has accelerated its timeline by about 4 years, from its original 2033 deadline.

Deyana Goh - Editor

In response to mandates by the U.S. and French governments regarding Post-Quantum Cryptography (PQC) migration, and also because progress in quantum computing is accelerating, Microsoft has moved its PQC migration deadline to 2029.

Microsoft began speaking about PQC in 2023, and formalized its migration strategy in the Microsoft Quantum Safe Program (QSP), details of which were published on its blog last year. At the time, the company had targeted 2033 as the deadline for quantum-safe migration.

The announcement yesterday sees Microsoft accelerating its timeline by 4 years. The company said it plans to transition critical products and services to PQC by 2029, and is also incorporating PQC requirements into the Secure Future Initiative (SFI). Microsoft has listed its priorities as being in 3 main areas:


1. Upgrade network cryptography (data in transit)

This consists of modernizing network cryptography, for example by adopting TLS 1.3 as a baseline that enables hybrid and post-quantum key exchange as standards mature. Critical endpoints will therefore negotiate TLS 1.3 by default, with legacy protocol use reduced or eliminated wherever possible.

2. Build crypto-agility for stored data (data at rest)

Microsoft will focus on crypto-agility by making cryptographic settings configurable outside of the application, standardizing key management and rotation, and eliminating hard-coded algorithms.

3. Modernize cryptographic trust chains (identity, signing, certificates)

According to Microsoft, the most complex work will take place in securing the chains of trust that underpin software, devices, and services at scale. That includes code signing, certificate issuance, key protection, and update pipelines. Practically, this will mean hardware-backed key protection, updated certificate lifetimes and policies, and auditable signing and issuance processes for critical trust anchors, with a transition to PQC algorithms as they become available.
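To make the crypto-agility priority (item 2) concrete, here is an added sketch, not Microsoft's code and not from the announcement: algorithm and key choices live in an external policy, each stored record names what protected it, and old records can be re-protected after a policy change. It assumes HMAC integrity tags from the Python standard library as a stand-in for whatever primitive protects the data; the policy layout, key values and function names are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed policy, standing in for a config file kept outside the application.
POLICY_JSON = """
{"active": {"alg": "sha512", "key_id": "k2"},
 "accepted_algs": ["sha256", "sha512"],
 "keys": {"k1": "6f6c642d6b6579", "k2": "6e65772d6b6579"}}
"""

def load_policy(text):
    policy = json.loads(text)
    # Fail closed if the config names a digest this runtime lacks.
    for alg in policy["accepted_algs"] + [policy["active"]["alg"]]:
        if alg not in hashlib.algorithms_available:
            raise ValueError(f"unsupported algorithm in policy: {alg}")
    return policy

def protect(policy, data: bytes) -> dict:
    """Tag data with the active algorithm and key; record both in the envelope."""
    alg, key_id = policy["active"]["alg"], policy["active"]["key_id"]
    key = bytes.fromhex(policy["keys"][key_id])
    tag = hmac.new(key, data, alg).hexdigest()
    return {"alg": alg, "key_id": key_id, "data": data.hex(), "tag": tag}

def verify(policy, env: dict) -> bytes:
    """Verify with the envelope's recorded algorithm, only if policy still accepts it."""
    if env["alg"] not in policy["accepted_algs"]:
        raise ValueError("algorithm retired by policy")
    key_hex = policy["keys"].get(env["key_id"])
    if key_hex is None:
        raise ValueError("unknown or retired key")
    data = bytes.fromhex(env["data"])
    expected = hmac.new(bytes.fromhex(key_hex), data, env["alg"]).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("integrity check failed")
    return data

def rotate(policy, env: dict) -> dict:
    """Re-protect an old record under the active algorithm and key."""
    return protect(policy, verify(policy, env))
```

Migrating to a new algorithm then means editing the policy and running `rotate` over stored records, and removing an entry from `accepted_algs` retires it without a code change.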

Deyana Goh is the Editor for Quantum Spectator. She is fascinated by well-identified as well as unidentified flying objects, is a Star Trek fan, and graduated with a Bachelor's Degree in Political Science from the National University of Singapore.