As the digital landscape continues to evolve, the emergence of quantum computing presents both significant opportunities and challenges. In previous blog posts, we discussed how quantum computing could disrupt contemporary cryptographic algorithms, Microsoft’s contributions to quantum safety efforts across the industry, and the addition of PQC algorithms to SymCrypt, our core cryptographic library.
We are pleased to announce the next significant milestone in our PQC journey: we’re making PQC capabilities available for Windows Insiders (Canary Channel Build 27852 and higher) and for Linux (SymCrypt-OpenSSL version 1.9.0).
This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments. By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure. This practical approach helps security teams identify potential challenges, optimize implementation strategies, and enable an easier transition as industry standards evolve. Furthermore, early adoption will offer valuable insights into the ways in which PQC can help mitigate emerging threats, thereby positioning organizations to more effectively protect sensitive data against future quantum threats.
Windows, being one of the most widely used operating systems globally, plays a crucial role in the digital ecosystem. Taking the addition of PQC algorithms to SymCrypt a step further, we’re excited to bring ML-KEM and ML-DSA to our Windows Insiders via updates to the Cryptography API: Next Generation (CNG) libraries and Certificate and Cryptographic messaging functions.
Developers can begin experimenting with ML-KEM in scenarios where public key encapsulation or key exchange is desired, to help prepare for “harvest now, decrypt later” threats. The table below describes the parameter sets included in this update. We encourage customers to use a hybrid approach, using ML-KEM alongside existing algorithms (like ECDH or RSA) during transition for defense in depth, with preference for NIST security level 3 and above where possible, based on the need and threat model.
| Parameter set | Public (encapsulation) key size | Ciphertext size | Shared secret size | NIST security level |
|---|---|---|---|---|
| ML-KEM 512 | 800 bytes | 768 bytes | 32 bytes | Level 1 |
| ML-KEM 768 | 1184 bytes | 1088 bytes | 32 bytes | Level 3 |
| ML-KEM 1024 | 1568 bytes | 1568 bytes | 32 bytes | Level 5 |
The addition of ML-DSA in Cryptography API: Next Generation (CNG) enables developers to begin experimenting with PQC algorithms for scenarios that require verification of identity, integrity or authenticity using digital signatures. We encourage customers to use a composite approach, using ML-DSA alongside existing algorithms (like ECDSA or RSA) during transition. Our preliminary analysis indicates that size and performance will have some impact. We encourage you to begin this analysis early to understand the effects on your environment and applications.
| Parameter set | Public key size | Private key size | Signature size | NIST security level |
|---|---|---|---|---|
| ML-DSA-44 | 1312 bytes | 2560 bytes | 2420 bytes | Level 2 |
| ML-DSA-65 | 1952 bytes | 4032 bytes | 3309 bytes | Level 3 |
| ML-DSA-87 | 2592 bytes | 4896 bytes | 4627 bytes | Level 5 |
With PQC updates in wincrypt, the Windows certificate API surface, customers can experiment with installing, importing and exporting ML-DSA certificates to and from the certificate store. Customers can also experiment with validating PQ certificate chains and trust status.
Visit our crypto developer's page to learn more about how you can get started.
While the changes here correspond to the NIST standardized algorithms, we will continue to iterate and make updates as the standards evolve and the requirements for quantum-resistant cryptography change.
As we progress in helping make PQC available to our Windows customers through CNG and SymCrypt, it is important to acknowledge that many of our Linux users are anticipating PQC updates in the SymCrypt provider for OpenSSL 3. This provider is a natural way for Linux programmers to use OpenSSL’s API surface powered by SymCrypt cryptographic operations. With version 1.9.0 of SymCrypt-OpenSSL, we are enabling customers to experiment with TLS hybrid key exchange as per the latest IETF internet draft, providing an early opportunity to help prepare for “harvest now, decrypt later” threats.
Furthermore, this functionality empowers customers to conduct in-depth analysis of how integrating PQC algorithms in a hybrid mode impacts handshake message sizes, changes TLS handshake latency, and has effects on overall connection efficiency. Such investigations are crucial for understanding the operational trade-offs of adopting PQC, enabling informed decisions as organizations prepare for a future where quantum-resistant security becomes fundamental.
It is important to note that these changes are based on draft specifications, and as the standards evolve, we will update the SymCrypt-OpenSSL implementation to enable interoperability and compliance.
The integration of PQC into Windows Insiders and Linux marks an important first step in enabling our customers to explore PQC within their environments. This is just the beginning—more capabilities and enhancements are on the way.
Alongside the addition of SLH-DSA to SymCrypt, CNG and SymCrypt-OpenSSL, we plan to incorporate further algorithms to enable continued compliance with global regulations, robust security, and broad compatibility as PQC standards mature.
The PKI and certificate standards are gaining momentum within the LAMPS working group in IETF. We are collaborating with industry partners on X.509 standardizations concerning the general use of ML-DSA, composite ML-DSA, SLH-DSA, ML-KEM, composite ML-KEM and LMS/XMSS. These efforts will be relevant to various signature schemes and PKI use cases, including those used in firmware and software signing.
The use of PQC algorithms to secure TLS communications is rapidly evolving. While we’ve introduced hybrid key exchange through SymCrypt-OpenSSL for Linux, we’re actively working to get this capability to our Windows customers via the Windows TLS stack (Schannel).
We’re also collaborating with the IETF to develop and standardize quantum-safe authentication mechanisms including Composite ML-DSA, pure ML-DSA and SLH-DSA for TLS and other IETF protocols. As these standards are finalized, we will make them available through the Windows TLS stack (Schannel), the SymCrypt provider for OpenSSL, and the SymCrypt Rust Wrapper on Linux.
It is important to note that TLS 1.3 will be a prerequisite for PQC, and we strongly advise customers to start transitioning from older TLS protocols if they have not already. For more information, see Taking Transport Layer Security (TLS) to the next level with TLS 1.3.
Another area we’re actively working on is helping support PQC algorithms within Microsoft Active Directory Certificate Services (ADCS). This will enable customers configuring a Certification Authority (CA) to use a CA certificate based on PQC algorithms such as ML-DSA. Clients will be able to enroll for PQC end-entity certificates, and the Certificate Revocation Lists (CRLs) issued by the CA will be signed using PQC algorithms. Support will be extended across all relevant ADCS role services, including the Certificate Enrollment Policy (CEP) and Certificate Enrollment Services (CES), the Network Device Enrollment Service (NDES), and the Online Certificate Status Protocol (OCSP) responder.
Microsoft Intune’s certificate delivery mechanism – the Certificate Connector – is being enhanced to help support PQC certificates as well, so that mobile devices and endpoints can enroll and obtain quantum-safe credentials. Going forward, this connector will be updated to handle certificate requests and deliveries that use PQC keys and signatures, unblocking SCEP & PKCS #12 scenarios for on-premises CAs leveraging ADCS.
These new capabilities will be introduced for experimentation through Windows Insiders and development channels, helping provide early access to organizations and individuals eager to test PQC features within real-world environments. By leveraging these preview channels, Microsoft can gather critical feedback on interoperability, security, and usability, allowing for iterative improvements before wide-scale release.
As global standards for PQC continue to evolve, Microsoft remains committed to a flexible and adaptive deployment strategy. This approach means that, once standards are finalized, the more robust and interoperable solutions can be more easily brought to supported platform versions across both Windows and Linux ecosystems. Furthermore, collaboration with industry partners and standards bodies will help guarantee that emerging features align with broader ecosystem desires and global regulatory requirements, accelerating the journey toward quantum-safe security for organizations of all sizes.
PQC algorithms are relatively new, and it is prudent not to consider the initial generation of PQC algorithms as the definitive solution but rather view this as an evolving field. This underscores the importance of "Crypto Agility" which involves designing solutions to be more resilient to the use of different algorithms and/or upgradable to use future algorithms as the PQ standards evolve. Recognizing this, Microsoft is a strong advocate of building solutions which are crypto agile, as well as deploying PQC solutions which make use of a hybrid PQ mode of operation. These hybrid modes, including TLS hybrid key exchange or composite certificates, use both a PQ algorithm and a traditional algorithm such as RSA or ECDHE. In time, we anticipate a shift towards pure PQ deployments, as PQ algorithms and standards mature.
While the integration of PQC into Windows Insiders and Linux is an important milestone, several challenges remain. The performance of PQC algorithms, compatibility with existing systems, and the desire for widespread adoption are fundamental factors that will determine the success of this transition.
PQC algorithms often require more computational resources than their classical counterparts. Enabling these algorithms to be implemented more efficiently without significantly impacting system performance is a key challenge. Continuous optimization and hardware acceleration techniques are important to achieve a balance between security and performance.
Many PQ algorithms, such as ML-KEM and ML-DSA, use Keccak (the basis for SHA-3, SHAKE, and related functions) for pseudo-random value generation and input integrity checks. As PQC adoption grows, improving Keccak performance—especially with hardware acceleration—will be key to efficient cryptography, reducing resource demands and helping boost security for post-quantum operations.
When used in the TLS protocol, the larger sizes of PQC key encapsulation mechanisms and digital signatures, especially when used in a hybrid mode, may add to the round-trip time to establish and communicate over a secure network channel. Some IETF drafts are in progress that aim to help improve this, including TLS key share prediction for faster cipher suite negotiation and TLS certificate compression to reduce the size of certificates, but note that signatures cannot be compressed. We recommend that you assess the impact of these modifications on your environment and applications.
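To make the size impact concrete, the following added example (not Microsoft's code) estimates the server's first TLS 1.3 flight from the ML-KEM and ML-DSA sizes tabulated earlier on this page and counts the extra round trips it would need. It assumes a hybrid key share is the two component shares concatenated, a 10-segment initial congestion window with a 1460-byte MSS, a two-certificate chain, and a 1500-byte allowance for everything else; the classical sizes and function names are illustrative.

```python
# Added example. ML-KEM / ML-DSA sizes come from the tables on this page;
# every other number below is a labelled assumption.
MLKEM = {  # name: (encapsulation key, ciphertext), bytes
    "ML-KEM-512": (800, 768), "ML-KEM-768": (1184, 1088), "ML-KEM-1024": (1568, 1568)}
MLDSA = {  # name: (public key, signature), bytes
    "ML-DSA-44": (1312, 2420), "ML-DSA-65": (1952, 3309), "ML-DSA-87": (2592, 4627)}
CLASSICAL_SHARE = {"X25519": 32, "P-256": 65, "P-384": 97}  # assumption: uncompressed points
ECDSA_P256 = (65, 72)      # assumption: uncompressed public key, maximum DER signature
INITCWND = 10 * 1460       # assumption: 10 segments of 1460 bytes before the first ACK

def hybrid_key_shares(classical, kem):
    """(client, server) key_share bytes, assuming component shares are concatenated."""
    ek, ct = MLKEM[kem]
    c = CLASSICAL_SHARE[classical]
    return ek + c, ct + c

def auth_bytes(sig_alg, chain_len):
    """Public-key and signature bytes in Certificate plus CertificateVerify:
    one key and one issuer signature per certificate, plus the handshake signature."""
    pk, sig = sig_alg
    return chain_len * (pk + sig) + sig

def server_flight(classical, kem, sig_alg, chain_len=2, other=1500):
    """Estimated server first flight; `other` is an assumed allowance for framing,
    remaining certificate fields, extensions and Finished."""
    return hybrid_key_shares(classical, kem)[1] + auth_bytes(sig_alg, chain_len) + other

def extra_round_trips(flight_bytes, initcwnd=INITCWND):
    """Round trips beyond the first, assuming the window doubles each round trip."""
    sent, window, rtts = 0, initcwnd, 0
    while sent + window < flight_bytes:
        sent += window
        window *= 2
        rtts += 1
    return rtts

if __name__ == "__main__":
    cases = [("ECDSA P-256", ECDSA_P256)] + sorted(MLDSA.items())
    for name, alg in cases:
        size = server_flight("X25519", "ML-KEM-768", alg)
        print(f"{name:12} flight={size:6d} B  extra RTTs={extra_round_trips(size)}")
```

Under these assumptions, the hybrid key share alone adds about a kilobyte in each direction, while the signature algorithm is what decides whether the server's flight still fits in the initial window.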
The transition to PQC will require updating and replacing existing cryptographic infrastructure across various platforms and applications. Enabling compatibility with legacy systems and achieving widespread adoption will necessitate coordinated efforts among software developers, hardware manufacturers, and service providers. Education and awareness campaigns will also play an important role in encouraging organizations to embrace post-quantum cryptographic solutions along with compliance timelines set by governments globally.
The integration of PQC capabilities into Windows Insiders and Linux marks a significant step forward in preparing for the quantum era. Quantum computing has significant potential to help solve some of humanity's greatest challenges, and by proactively addressing the security concerns with current cryptographic standards, Microsoft is helping pave the way for a digital future that both realizes the benefits of quantum and mitigates the security risks. As quantum computing continues to advance, the adoption of PQC will be crucial in safeguarding our data, communications, and digital infrastructure. Through collaboration and innovation, we can help build a resilient and secure digital ecosystem that stands the test of time.
Securing the Present, Innovating for the Future
Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience.
The updated Windows Security book and Windows Server Security book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.