It was good to read Microsoft’s thoughts on the progress towards next-generation cryptography. The company is involved with many parts of the quantum computing landscape (hardware, error-correction, design of post-quantum algorithms, implementation of the same), and this adds expertise and weight to their opinions.
The need for speed
The first thing that leaps out about the Microsoft strategy is its pace. In the past year or so, government and advisory bodies have become more specific about the timescales in which the various cryptographic discovery and migration tasks need to be completed if we are to adapt to the accelerating quantum threat. A common theme is that the rate of change needs to pick up, and ambitious deadlines have been set: the rough consensus among governments is to complete the transition by 2035. Microsoft, perhaps informed by their own studies, have chosen an even tighter timeframe, with transition to be completed by 2033. Their plan, first to establish a trustworthy toolset in the form of the SymCrypt library, then to integrate these new components into core services, and finally to roll them out to all Microsoft endpoints, is well considered, but it is a huge undertaking, especially on such ambitious timing.
The uncertainty of the road ahead
Lurking behind the bold goals and impressive credentials of the Microsoft post are cautionary tales. These might make one worry about the unpredictability of the next few years and how unforeseen developments could hamper or derail the best laid plans.
The many paths to quantum computation
Microsoft are justified in starting their blog with mention of their impressive contributions to quantum computing. Their Majorana processor is unique among early quantum devices in that it uses topological qubits for its processing rather than the more common superconducting qubits. Their resource estimation tool predicts that this technology might require substantially fewer physical qubits to attack the main forms of vulnerable cryptography, because it handles information more resiliently, and the estimates vary between those forms. The tool does not currently offer estimates for other promising quantum technologies such as ion traps, neutral atoms or photonics, each of which has very different strengths and limitations. The simultaneous development of so many different approaches, with different implications for different primitives and different threats to different functions (e.g. key establishment vs. digital signature), suggests that migration requirements may have to evolve rapidly, with some tasks acquiring greater urgency than others.
The challenges of developing new post-quantum algorithms
Microsoft also highlight their contribution of proposals for new post-quantum algorithms to the NIST process. Such designs require great depth of cryptographic understanding, and the skill and willingness to contribute is always praiseworthy. However, Microsoft's own experiences underscore just how uncertain the development of secure and usable methods can be. Microsoft contributed to four designs: FrodoKEM, SIKE, Picnic and qTESLA. The Picnic signature was a highly innovative design whose security rests only on symmetric primitives (a block cipher and a hash function), which gives it a very conservative claim to hardness; its signatures, however, were immensely large. The qTESLA signature was not too dissimilar to the eventual winners ML-DSA and FN-DSA, but again suffered from bandwidth requirements and was dropped. SIKE was a very bandwidth-friendly key establishment, but in 2022 it was catastrophically broken by cryptanalysts who realised that decades-old mathematics applied, using only modest computer resources (it is worth adding that the Project Natick work cited in the blog as a good example of Microsoft experimenting with post-quantum algorithm (PQA) deployment was secured with SIKE). FrodoKEM, on the other hand, was a moderately efficient key establishment method, intended to have less exploitable mathematical structure than the eventual NIST winner ML-KEM. Some feel that the more conservative approach of FrodoKEM is worth the additional overhead, and it has been more favoured by European bodies and by international bodies such as ISO. Cryptanalysis and debate on the relative merits of PQAs continue, and NIST is developing still more standards as well as considering further candidate signatures. The uneven acceptance and deployment rate of finalised standards interferes with timelines: agreed and finalised standards can be incorporated now, but a timeline on which multiple new standards are set to appear is hard to orchestrate in an agile manner. Hardware acceleration is easier to build for finalised designs, but is wasted work if subsequent designs prove more desirable.
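The agility that the SIKE episode and the staggered standards above call for, as an added example (not Microsoft's SymCrypt code, nor Arqit's): a hybrid KEM combiner whose output key stays secure if either component KEM does, sitting behind a registry from which a broken identifier can be withdrawn so peers fall back to the next choice. Assumptions: both component slots are filled with a hashed-ElGamal KEM over the RFC 3526 2048-bit MODP group, because the Python standard library ships no post-quantum KEM (in deployment the second slot would hold ML-KEM); the identifier strings are hypothetical, not registered names.

```python
"""Hybrid KEM combiner plus a withdrawable algorithm registry.

Added example, not code from Microsoft or Arqit.  Assumption: both KEM slots
are hashed-ElGamal over RFC 3526 group 14 because the standard library has no
post-quantum KEM; the second slot stands in for ML-KEM.  Identifiers are made up.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# RFC 3526 group 14 prime (2048-bit MODP), generator 2.
P14 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G14 = 2
NBYTES = 256  # 2048 bits


def _i2b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


class DhKem:
    """Hashed-ElGamal KEM (DHKEM style): ss = H(g^(ab) || ct || pk)."""

    def keygen(self) -> Tuple[bytes, bytes]:
        sk = secrets.randbelow(P14 - 3) + 2            # exponent in 2 .. p-2
        return _i2b(pow(G14, sk, P14)), _i2b(sk)       # (public key, secret key)

    @staticmethod
    def _check(elem: bytes) -> int:
        x = int.from_bytes(elem, "big")
        if not 1 < x < P14 - 1:                        # rejects 0, 1 and p-1
            raise ValueError("element outside the group")
        return x

    @staticmethod
    def _kdf(shared: int, ct: bytes, pk: bytes) -> bytes:
        return hashlib.sha3_256(b"dhkem" + _i2b(shared) + ct + pk).digest()

    def encaps(self, pk: bytes) -> Tuple[bytes, bytes]:
        y = self._check(pk)
        r = secrets.randbelow(P14 - 3) + 2
        ct = _i2b(pow(G14, r, P14))
        return ct, self._kdf(pow(y, r, P14), ct, pk)   # (ciphertext, shared secret)

    def decaps(self, sk: bytes, pk: bytes, ct: bytes) -> bytes:
        c = self._check(ct)
        return self._kdf(pow(c, int.from_bytes(sk, "big"), P14), ct, pk)


@dataclass
class HybridKem:
    """Two KEMs combined; the output key stays secure if either one does."""
    ident: str
    first: DhKem
    second: DhKem   # stand-in for ML-KEM (assumption, see module docstring)

    def keygen(self):
        pk1, sk1 = self.first.keygen()
        pk2, sk2 = self.second.keygen()
        return (pk1, pk2), (sk1, sk2)

    def encaps(self, pk):
        ct1, ss1 = self.first.encaps(pk[0])
        ct2, ss2 = self.second.encaps(pk[1])
        return (ct1, ct2), self.combine(ss1, ss2, (ct1, ct2), pk)

    def decaps(self, sk, pk, ct):
        ss1 = self.first.decaps(sk[0], pk[0], ct[0])
        ss2 = self.second.decaps(sk[1], pk[1], ct[1])
        return self.combine(ss1, ss2, ct, pk)

    def combine(self, ss1: bytes, ss2: bytes, ct, pk) -> bytes:
        # Length-prefix and hash both secrets AND both ciphertexts/public keys
        # (binding the transcript as X-Wing does), so an attacker who controls
        # one component's secret still cannot choose the output key.
        h = hashlib.sha3_256()
        for part in (self.ident.encode(), ss1, ss2, ct[0], ct[1], pk[0], pk[1]):
            h.update(len(part).to_bytes(4, "big") + part)
        return h.digest()


# Negotiable identifiers plus a withdrawal set: when a component is broken (as
# SIKE was in 2022) its hybrids are withdrawn and peers fall back to the next.
REGISTRY: Dict[str, HybridKem] = {
    "hybrid-dhkem-slotA": HybridKem("hybrid-dhkem-slotA", DhKem(), DhKem()),
    "hybrid-dhkem-slotB": HybridKem("hybrid-dhkem-slotB", DhKem(), DhKem()),
}
WITHDRAWN: Set[str] = set()


def negotiate(offered: List[str], preference: List[str]) -> str:
    """First of our preferences that the peer offers and that is not withdrawn."""
    for ident in preference:
        if ident in offered and ident in REGISTRY and ident not in WITHDRAWN:
            return ident
    raise RuntimeError("no acceptable hybrid KEM in common")
```

The point of `combine` binding the ciphertexts and public keys, rather than only concatenating the two shared secrets, is that a component broken the way SIKE was (attacker recovers the secret from the ciphertext) still leaves the other component's contribution unknown, and the withdrawal set is what lets an operator retire that identifier without a code change.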
Conclusion
Definitive plans and timelines to manage the enormous challenge of changing the world’s usage of cryptography are always welcome. Bold statements of intent to bring about these changes for a broad swathe of users earlier than other efforts are to be commended. However, in the words of Helmuth von Moltke, “No plan survives contact with the enemy”. There are many uncertainties and events that will disrupt the most carefully thought out plan. Any strategy for the quantum challenge would be well-advised to include expedients to cope with these.
Arqit is pleased to stand ready with simple, robust and easy-to-deploy alternatives to help users with their migration journey.
27 August 2025
Dr Daniel Shiu, Chief Cryptographer, Arqit