
Preparing Windows for the Quantum Age: Microsoft Hardens Windows 11 Preview with New Encryption

AleksandarK

To defend regular users from bad actors wielding quantum computing power like Majorana 1, Windows 11 Insider Preview now includes built-in support for post-quantum cryptography (PQC), giving developers and security teams early access to algorithms designed to withstand the capabilities of future quantum computers. Available in Canary Channel Build 27852 and above, this update integrates two new schemes, ML-KEM for key exchange and ML-DSA for digital signatures, directly into the Cryptography API: Next Generation (CNG) and certificate management functions. ML-KEM addresses the "harvest now, decrypt later" threat model, in which adversaries collect encrypted data today to decrypt it once quantum hardware has advanced. Microsoft offers three levels of ML-KEM security: a Level 1 option that produces 800-byte ciphertexts and a 32-byte shared secret; a Level 3 configuration with 1,184-byte ciphertexts and the same 32-byte secret; and a Level 5 tier that increases ciphertext size to 1,568 bytes while keeping the shared secret at 32 bytes. These parameter sets allow organizations to balance performance and protection according to their threat models and operational requirements.




ML-DSA complements key exchange by providing quantum-resistant digital signatures. Three strength tiers are available for trial: Level 2 yields compact public and private keys of 1,312 and 2,560 bytes, respectively, with 2,420-byte signatures; Level 3 increases key sizes to 1,952 and 4,032 bytes with 3,309-byte signatures; and Level 5 offers the highest assurance with 2,592-byte public keys, 4,896-byte private keys, and 4,627-byte signatures. While these larger footprints may impact storage and transmission, they deliver stronger guarantees against future signature-forging attacks. Microsoft recommends running these post-quantum algorithms in hybrid mode alongside classical counterparts such as ECDH, RSA, or ECDSA to ensure in-depth defense.

Early adopters can install, import, and validate PQC-based certificates within the Windows certificate store and measure the impact on handshake latency, certificate size, and API integration. On the Linux side, SymCrypt-OpenSSL 1.9.0 introduces equivalent hybrid key-exchange capabilities for TLS based on the latest IETF drafts. This unified preview across Windows and Linux provides a consistent experimentation, feedback, and performance-tuning environment. Microsoft plans to extend PQC support to the native Windows TLS stack (Schannel), Active Directory Certificate Services, and Intune's certificate connector.
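The hybrid-mode recommendation above means a session key should depend on both the classical and the post-quantum shared secret, so that breaking one algorithm alone is not enough. The following Python example is added here (it is not part of the original post, and not Microsoft's or SymCrypt's code) and shows a concatenate-then-HKDF combiner; the function names, the label string, the length-prefix framing and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

MLKEM_SECRET_LEN = 32  # the article: every ML-KEM level yields a 32-byte secret


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _framed(part: bytes) -> bytes:
    # Length prefix so the two secrets cannot be re-split ambiguously.
    return len(part).to_bytes(2, "big") + part


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one key that depends on BOTH shared secrets."""
    if len(pq_ss) != MLKEM_SECRET_LEN:
        raise ValueError("ML-KEM shared secret must be 32 bytes")
    if not classical_ss or classical_ss == bytes(len(classical_ss)):
        raise ValueError("empty or all-zero classical secret")
    prk = hkdf_extract(b"", _framed(classical_ss) + _framed(pq_ss))
    # Bind the key to the handshake messages (public keys, ciphertext).
    return hkdf_expand(prk, b"hybrid-kex-example" + transcript, length)


# Constructed stand-ins for the outputs of a real ECDH and ML-KEM exchange.
ECDH_SS = hashlib.sha256(b"constructed ECDH shared secret").digest()
MLKEM_SS = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
TRANSCRIPT = b"constructed handshake transcript"

if __name__ == "__main__":
    print(hybrid_session_key(ECDH_SS, MLKEM_SS, TRANSCRIPT).hex())
```

An attacker who recovers only the ECDH secret (for example with a future quantum computer) still cannot compute the derived key without the ML-KEM secret, and the reverse holds if the newer scheme turns out to be flawed.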

 
Holy fuck, how paranoid can one company get? We won't get there in some decades, Microsoft, it's alright, don't worry about it.
 
the only thing MS protects is users from their own data

the mandatory BitLocker activation on new installations is one of the biggest "fuck you" to home users
 
Does this also include backdoors for spyware of various government agencies and M$ themselves?
Yes.

Windows 11 is already quantum ready. Will explorer respond or will it not respond?
No, it will not respond. It already responded in all the other timelines so your explorer owes you nothing.
 
Holy fuck, how paranoid can one company get? We won't get there in some decades, Microsoft, it's alright, don't worry about it.
When you are harvesting data for future decryption "some decades" becomes relevant. Plus I doubt we are that far off, frankly.

But what do I know. I'm probably just the only security researcher on this forum.
 
@R-T-B
Actual non-meme question - what ARE your and the overall industry's prognoses on how long it would take for Quantum-based decryption algorithms to become an actually valid threat vector? Something we will see in a decade? Less? What are the main difficulties in hardening an end-user system (be it enterprise or consumer) for that?
 
@R-T-B
Actual non-meme question - what ARE your and the overall industry's prognoses on how long it would take for Quantum-based decryption algorithms to become an actually valid threat vector? Something we will see in a decade? Less? What are the main difficulties in hardening an end-user system (be it enterprise or consumer) for that?
I really have no real measuring stick to go by, but "based on feels" I'd say we have about 5-10 years before nation states have the power to break commonly used encryption.

It will be much longer for individuals of course.

As for the hardening? You really just switch algorithms. Things like AES break easily but there are other encryptions that are far more resilient by nature. The real issue is the reliance on AES and especially, SSL's use of it.
 