Here’s how Windows 11 aims to make the world safe in the post-quantum era


Monday’s update bundles new post-quantum cryptography algorithms selected by the US Department of Commerce's National Institute of Standards and Technology, or NIST, in its yearslong drive to find replacements for RSA and elliptic-curve cryptosystems. The new algorithms are the latest additions to FIPS, the Federal Information Processing Standards, a NIST-endorsed set of standards for ensuring guaranteed levels of security and interoperability. Inclusion in Windows allows developers to invoke the new PQC algorithms through the set of programming interfaces Microsoft calls Cryptography API: Next Generation, or CNG for short.

“Making the new FIPS-standard PQC algorithms available to developers in Insider builds via the standard CNG APIs is a good first step by Windows and exactly what third-party developers writing Windows apps need in order to start migrating and testing their own code to PQC,” Brian LaMacchia, a cryptography engineer who oversaw Microsoft's post-quantum transition from 2015 to 2022 and now works at Farcaster Consulting Group, wrote in an email. He added that Microsoft had revealed previously that it had begun work integrating the algorithms into SymCrypt, “but this is the first announcement about that work showing up in a beta ('Insider') build of Windows.”

The new algorithms are known as ML-KEM and ML-DSA, short for “Module-Lattice-Based Key-Encapsulation Mechanism” and “Module-Lattice-Based Digital Signature Algorithm,” respectively. ML-KEM provides a means for securely transmitting encryption key material, and ML-DSA allows for the creation of digital signatures. These algorithms were previously known as CRYSTALS-Kyber and CRYSTALS-Dilithium but took on their new names once they progressed far enough through NIST’s PQC program.

Beware of misallocated key sizes

The strength of RSA and elliptic curve cryptography is based on mathematical problems that are simple to solve in one direction and nearly impossible to solve in the other. RSA, for example, relies on the difficulty of factoring extremely large numbers, while elliptic curve cryptography rests on the difficulty of solving the discrete logarithm problem. For decades now, cryptographers have known that the same problems are trivial to solve with a sufficiently large quantum computer.
