Microsoft has quietly embedded post-quantum cryptography into the heart of Windows 11, giving security-conscious developers and enterprises their first official tools to fend off attacks from future quantum computers. The new algorithms — ML-KEM and ML-DSA — now ship inside SymCrypt, the operating system’s core cryptographic library, and are exposed through the familiar Cryptography API: Next Generation (CNG). The move signals the start of a long-hyped transition toward encryption that can survive in a post-quantum world.
Two algorithms, code-named after lattice problems, form the backbone of the update. ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism, handles the secure exchange of encryption keys. It is Microsoft’s implementation of the CRYSTALS-Kyber scheme, which NIST standardized in August 2024 as FIPS 203. ML-DSA, or Module-Lattice-Based Digital Signature Algorithm, is derived from CRYSTALS-Dilithium and now carries the FIPS 204 badge. Together they replace the classical key-exchange and digital-signature primitives that quantum computers are expected to break within the next decade.
Why Quantum Computers Threaten Today’s Encryption
The anxiety around quantum decryption is no longer theoretical. A large, fault-tolerant quantum machine running Shor’s algorithm could factor the integers underpinning RSA and solve the discrete-logarithm problems that secure elliptic-curve cryptography (ECC) — and it could do so in hours, not millennia. Because virtually every TLS handshake, VPN tunnel, and digitally signed software update relies on RSA or ECC, the impact of a cryptographically relevant quantum computer would be catastrophic.
Microsoft’s own researchers have warned for years that “harvest now, decrypt later” attacks are already underway. Adversaries are stockpiling encrypted traffic, betting they can crack it once quantum hardware matures. Data with a long shelf life — medical records, government secrets, financial transactions — is especially vulnerable. Integrating strong post-quantum defenses now prevents those stored ciphertexts from ever being read.
Inside the SymCrypt Integration
SymCrypt is the cryptographic module that underpins everything from BitLocker to TLS on Windows. By baking ML-KEM and ML-DSA directly into SymCrypt, Microsoft ensures that every application calling CNG can opt into quantum-safe algorithms without a major refactor. Developers get new algorithm identifiers (e.g., BCRYPT_MLKEM_ALGORITHM and BCRYPT_MLDSA_ALGORITHM) and key-blob formats that are consistent with the rest of the Windows crypto stack.
The code is already open source under the MIT License on GitHub, where Microsoft has been iterating on SymCrypt for years. The repository shows the exact parameter sets: ML-KEM-768 for key encapsulation (roughly equivalent to AES-192 security against classical and quantum adversaries) and ML-DSA-65 for signatures. Both selections match the NIST-mandated security levels for general-purpose use.
Critically, Microsoft is not advising a wholesale switch. Instead, the guidance echoes NIST’s own: employ a hybrid mode that couples a traditional algorithm (RSA or ECDSA) with the post-quantum one during the transition period. “This enables a graceful migration, so you get the best of both worlds — classical security today and quantum resistance for tomorrow,” a Microsoft security program manager wrote in a blog post accompanying the release.
Following the NIST Standardization Roadmap
NIST’s Post-Quantum Cryptography Standardization Project picked its first winners in 2022 and released the final standards in August 2024. The three pillars are:
- FIPS 203 (ML-KEM): Derived from Kyber, a lattice-based key-establishment scheme.
- FIPS 204 (ML-DSA): Based on Dilithium, also lattice-based, for digital signatures.
- FIPS 205 (SLH-DSA): A stateless hash-based signature scheme built on SPHINCS+. Microsoft has not yet shipped SLH-DSA in Windows, but the SymCrypt roadmap hints at future inclusion.
By adopting NIST’s official standards, Microsoft avoids the risk of proprietary, pre-standard algorithms that plagued early encryption products. The National Security Agency, the UK’s NCSC, and Germany’s BSI have all endorsed NIST’s selections, giving enterprises the regulatory cover they need to deploy post-quantum cryptography.
What Developers and IT Admins Should Do Now
The new algorithms are available in Windows 11 Insider Preview builds and will roll out to all Windows 11 editions in a forthcoming “moment” update. Windows Server 2025 and Azure Stack HCI will follow. To start experimenting, developers need only target the Windows 11 SDK and call the standard CNG functions: NCryptCreatePersistedKey, NCryptEncrypt, NCryptSignHash, etc.
Early benchmark data posted by the SymCrypt team shows that ML-KEM-768 key generation takes roughly 1.5 milliseconds on a modern x86 core, while encapsulation and decapsulation each run under 1 ms. ML-DSA-65 signing and verification are similarly lightweight — about 2 ms and 0.5 ms respectively. These numbers are competitive with ECDSA and RSA-2048, meaning the performance tax for switching is modest.
Nevertheless, PQC keys and signatures are larger. A raw ML-KEM-768 public key is 1,184 bytes, compared with 256 bits (32 bytes) for a P-256 ECDH public key. An ML-DSA-65 signature balloons to 3,309 bytes, versus roughly 72 bytes for an ECDSA signature. IT administrators will need to assess the impact on certificate chains, TLS handshake payloads, and VPN tunnel overhead. Microsoft’s hybrid approach — combining a classical and a PQC algorithm — doubles the size further during the transition, so careful capacity planning is essential.
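A rough sizing model for the certificate-chain and handshake impact described above, as an added example that is not from Microsoft or the original article. It uses the article's sizes plus the ML-DSA-65 public-key and ML-KEM-768 ciphertext sizes from FIPS 204 and FIPS 203; the 65-byte P-256 certificate key, the 400-byte per-certificate overhead, the two-certificate chain, the concatenated hybrid layout and the 10 x 1460-byte initial congestion window are assumptions.

```python
import math

# Sizes in bytes. "page" = figure quoted in the article; the rest are labelled.
SIG = {  # name: (public key, signature)
    "ecdsa-p256": (65, 72),      # signature from page; 65-byte uncompressed point is an assumption
    "ml-dsa-65": (1952, 3309),   # signature from page; public key size per FIPS 204
}
KEM = {  # name: (client key share, server key share)
    "p256-ecdh": (32, 32),       # page's 256-bit figure, used for both directions
    "ml-kem-768": (1184, 1088),  # public key from page; ciphertext size per FIPS 203
}
CERT_OVERHEAD = 400      # assumption: names, validity, extensions per certificate
INIT_WINDOW = 10 * 1460  # assumption: 10-segment initial window, 1460-byte MSS


def server_flight_bytes(sig_algs, kem_algs, chain_len=2):
    """Estimate the bytes a server sends to authenticate and share a key.

    A hybrid profile is modelled as concatenation: every certificate carries
    one key and one signature per algorithm listed (assumed layout).
    """
    pk = sum(SIG[a][0] for a in sig_algs)
    sig = sum(SIG[a][1] for a in sig_algs)
    certs = chain_len * (CERT_OVERHEAD + pk + sig)  # leaf plus intermediates
    cert_verify = sig                               # handshake signature by the leaf key
    key_share = sum(KEM[a][1] for a in kem_algs)
    return certs + cert_verify + key_share


def client_key_share_bytes(kem_algs):
    """Bytes of key-exchange material the client sends in its first message."""
    return sum(KEM[a][0] for a in kem_algs)


def windows_needed(nbytes):
    """Initial-window-sized bursts needed to deliver nbytes (more than 1 adds a round trip)."""
    return math.ceil(nbytes / INIT_WINDOW)


def compare(chain_len=2):
    """Size report for a classical profile and a hybrid classical+PQC profile."""
    profiles = {
        "classical": (["ecdsa-p256"], ["p256-ecdh"]),
        "hybrid": (["ecdsa-p256", "ml-dsa-65"], ["p256-ecdh", "ml-kem-768"]),
    }
    report = {}
    for name, (sigs, kems) in profiles.items():
        flight = server_flight_bytes(sigs, kems, chain_len)
        report[name] = {"client_share": client_key_share_bytes(kems),
                        "server_flight": flight, "windows": windows_needed(flight)}
    return report
```

Under these assumptions the hybrid server flight no longer fits in a single initial window, which is the kind of threshold effect to look for when measuring real handshakes.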
The Enterprise Security Picture
For chief information security officers, the integration marks the starting pistol for a migration that will shape the next decade of enterprise cryptography. Key considerations include:
- Certificate authorities: DigiCert, Let’s Encrypt, and others are preparing to issue hybrid PQC certificates. Microsoft’s own Active Directory Certificate Services will likely gain ML-DSA support once the standards are fully baked into Windows Server.
- Hardware security modules (HSMs): Thales and Utimaco are adding lattice-based algorithms to their firmware. However, many existing HSMs lack the memory and code space for the new math, so a hardware refresh cycle may be triggered.
- Regulatory compliance: The German Federal Office for Information Security, for instance, has mandated that all public-key infrastructure be quantum-safe by 2030. Similar deadlines are expected from the European Union and U.S. federal agencies.
Real-world pilots are already underway. The Internet Security Research Group (parent of Let’s Encrypt) ran a hybrid PQC TLS experiment with Cloudflare and Mozilla, demonstrating that the web can handle the extra certificate sizes without breaking. Microsoft’s own research division has tested PQC inside Azure VPN Gateways, confirming that the throughput hit is acceptable for most workloads.
Challenges That Remain
No technology transition is frictionless, and post-quantum cryptography comes with its own set of hurdles.
Side-channel resistance tops the list. Lattice schemes hide the underlying problem behind random noise, but a naive implementation can leak enough side-channel information to foil the protection. The SymCrypt team has applied constant-time coding techniques and masked arithmetic to the Windows build, but third-party apps that call CNG must also be careful. NIST’s final standards include strict implementation guidance for side-channel hardening.
Patent uncertainty is another concern. While Kyber and Dilithium were submitted under royalty-free pledges, complex lattice primitives could still be subject to submarine patents. Major players like IBM and Qualcomm have committed to reasonable, non-discriminatory licensing, but the risk keeps some legal departments cautious.
Algorithmic depth means that higher-level protocols — TLS 1.3, IPsec, S/MIME, and SSH — must be updated to negotiate the new identifiers. The IETF’s TLS working group has already published draft RFCs for running Kyber and Dilithium inside TLS, but it will take years for browsers, web servers, and VPN appliances to adopt them universally.
What This Means for the Average Windows User
For most home users, the immediate effect is invisible. The algorithms are available but not yet turned on by default for everyday tasks like browsing the web or signing into Microsoft accounts. Microsoft will flip the switch for consumer-facing services — for instance, Windows Update and Microsoft Store — once telemetry confirms stability. When that happens, the transition will feel seamless: a few extra bytes in the background, a few milliseconds more handshake time, and vastly stronger long-term security.
Microsoft has a strong track record of retiring broken cryptography through Windows Update. The company killed SHA-1 certificates in Edge, deprecated TLS 1.0 and 1.1, and pushed TLS 1.3 adoption. Post-quantum migration will follow the same playbook: ship the code early, let enterprises test, gather telemetry, and then enforce the new algorithms via policy.
The Bigger Picture: A Quantum-Safe Ecosystem
Microsoft’s move is part of a larger industry push. Google has already run hybrid Kyber-1024 experiments in Chrome, and Apple added post-quantum TLS to iMessage in February 2024. Signal updated its double-ratchet protocol with post-quantum key agreement, and the Linux kernel merged a “pqc” subsystem for crypto libraries. The puzzle pieces are falling into place.
Still, experts caution that cryptographic agility is the real prize. “We don’t yet know which algorithm will stand the test of time,” said a NIST mathematician at the RSA Conference 2024. “What matters is having the ability to swap one out without rebuilding the entire infrastructure.” Microsoft’s CNG architecture, with its pluggable provider model, was designed for precisely this kind of agility. Adding a new algorithm requires only a new DLL and an updated registry hive — a testament to decades-old architectural decisions paying off.
The next few years will be a period of parallel runways. Classical cryptography will continue to protect most traffic, while post-quantum algorithms gain operational experience. By 2030, if the migration proceeds on schedule, the world’s most sensitive data could be safe from any computer, classical or quantum.
Looking Ahead
Microsoft has confirmed that PQC support will appear in the next Long-Term Servicing Channel (LTSC) build of Windows 11, making it eligible for regulated environments that move slowly. The company is also working on a “crypto provider for hardware-bound keys” that ties ML-KEM and ML-DSA to TPM 2.0, ensuring that private keys never leave the secure enclave.
For now, the message to developers and IT leaders is clear: start testing. Spin up a Windows 11 Insider VM, generate a hybrid certificate, measure the TLS handshake latency, and give feedback to the SymCrypt GitHub repository. The quantum threat is not arriving tomorrow, but the migration to post-quantum cryptography will be one of the largest engineering projects in the history of cybersecurity. Microsoft just delivered the foundation.