Canada’s Harvest Now Decrypt Later & Post-Quantum Migration

Canada Sets 2035 Quantum Cyber Defence Initiative Deadline
Canada accelerates its transition to post-quantum encryption standards in crucial sectors to combat Harvest Now Decrypt Later (HNDL).
Canada has announced a multi-year initiative to protect government IT systems against the threat posed by cryptographically relevant quantum computers. Under the roadmap, published on June 23, 2025, all non-classified government IT systems must be migrated to post-quantum cryptography (PQC) by 2035. The deadline reflects the government's commitment to protecting personal and sensitive information from quantum-enabled attacks.
The Canadian Centre for Cyber Security's roadmap sets firm requirements for government departments. Initial PQC migration plans are due by April 2026, followed by annual progress reports. High-priority systems are to be migrated by 2031 and all remaining systems by 2035. The scope covers both in-house IT infrastructure and contracted cloud services.
Quantum Threat: “Harvest Now Decrypt Later”
A sufficiently large quantum computer could break the public-key cryptography (RSA, Diffie-Hellman, elliptic curves) that protects today's communications, which is what makes this initiative urgent. The plan is aimed squarely at the “harvest now, decrypt later” (HNDL) threat: adversaries may already be recording encrypted traffic so they can decrypt it once a capable quantum computer exists. Systems that protect the confidentiality of data in transit over public networks are the most exposed to HNDL and are therefore first in line for migration.
PQC replaces the vulnerable public-key algorithms used for key establishment, user authentication, communication security, and other essential functions. The Cyber Centre recommends the PQC algorithms standardised by NIST in FIPS 203, 204 and 205 (ML-KEM, ML-DSA and SLH-DSA).
A Comprehensive Government Approach with Clear Duties
This complex, multi-year effort requires commitment and teamwork across the Government of Canada (GC). The main parties are:
The Communications Security Establishment's Canadian Centre for Cyber Security (Cyber Centre), Canada's IT security authority, provides technical guidance, oversight, and compliance monitoring throughout the multi-phase process. It will also publish updated network protocol configuration guidance and maintain a shared resource repository.
Treasury Board Secretariat (TBS) provides strategic direction, policy leadership, and government-wide security management. TBS will issue policy instruments requiring progress reporting and departmental PQC migration plans.
Shared Services Canada (SSC), which administers IT services and infrastructure for many departments, develops its own PQC migration plan and advises TBS and the Cyber Centre on feasibility.
Federal departments and agencies: each is responsible for cybersecurity within its own program area and must establish and implement a tailored PQC migration plan for its systems, including contracted cloud services.
Phased Execution for Smooth Transition
The roadmap defines three PQC migration phases, which are expected to overlap:
Prepare: Departments must prepare a PQC migration plan. This requires a cross-functional committee, a PQC Migration Technical Lead for coordination, and a PQC Migration Executive Lead (typically the Designated Official for Cyber Security or a delegated executive official) for oversight and accountability.
This phase includes financial planning that aligns migration with IT equipment lifecycles and modernisation strategies to reduce cost, since delays lead to rushed purchases at higher prices. An education plan informs employees about the quantum threat and migration status. Procurement requirements must be updated so that new systems meet PQC and cryptographic-agility requirements and the contract conditions and certification criteria recommended by the Cyber Centre.
Identification: This key phase is a thorough audit to find all uses of cryptography across IT systems. The scope includes network services, operating systems, applications, and physical assets such as server racks, laptops, printers, and smart cards. The goal is a complete inventory of system components, vendors, security controls, configurations, dependencies, and accountable contacts.
Departments must prioritise systems exposed to “harvest now, decrypt later”. Discovery should use existing ITSM procedures and software tools such as network monitoring, EDR, and SIEM solutions; the Cyber Centre's sensors program can also assist. Engage vendors early to understand their PQC roadmaps and product compatibility.
Implementation: Based on the inventory, implement system replacements, updates, secure tunnelling, or network isolation. Transition plans should include impact assessments, rollback playbooks, testing in staging environments, and post-transition monitoring. Although the initial range of PQC-capable products is small, vendors are increasingly adopting the new standards. Migration may require a period of backward compatibility, followed by a second phase that disables outdated, vulnerable algorithms. Legacy systems that cannot be retrofitted may need complete replacement, network isolation, or secure tunnelling.
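A triage step of the kind the identification and prioritisation phase calls for, as an added example that is not part of the Cyber Centre roadmap or any Government of Canada tool: it reads constructed scan records, classifies each algorithm as quantum-vulnerable, PQC or hybrid, and ranks systems by HNDL exposure. The record format, the algorithm names and the priority rules are assumptions made for illustration; a real inventory would be fed by the network-monitoring, EDR, SIEM or certificate-discovery tools the roadmap mentions.

```python
"""Cryptographic-inventory triage for a PQC migration (added example; the scan
records below are constructed, not real discovery output)."""
import csv
import io
from dataclasses import dataclass

# Public-key primitives broken by Shor's algorithm on a cryptographically
# relevant quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
# NIST-standardised PQC (FIPS 203/204/205) and stateful hash-based signatures
# (LMS/XMSS, NIST SP 800-208).
PQC = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
       "ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA", "LMS", "XMSS"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


@dataclass
class Finding:
    system: str
    purpose: str      # key-exchange | key-wrap | signature (assumed vocabulary)
    algorithm: str
    status: str       # pqc | hybrid | vulnerable | unknown
    priority: str     # high | medium | low | none, driven by HNDL exposure


def classify_algorithm(alg: str) -> str:
    """Classify one algorithm string; hybrids are written like 'X25519+ML-KEM-768'."""
    comps = [c.strip().upper() for c in alg.split("+") if c.strip()]
    if not comps:
        return "unknown"
    vuln = [c for c in comps if c in SHOR_VULNERABLE]
    pq = [c for c in comps if c in PQC]
    if pq and vuln:
        return "hybrid"
    if len(pq) == len(comps):
        return "pqc"
    if len(vuln) == len(comps):
        return "vulnerable"
    return "unknown"


def hndl_priority(purpose: str, exposure: str, status: str) -> str:
    """HNDL only threatens the confidentiality of data recorded today, so a
    quantum-vulnerable key exchange or key wrap on a public network is the most
    urgent item. A vulnerable signature still needs migrating, but a future
    quantum computer cannot retroactively forge a signature that was verified
    years ago, so it ranks lower."""
    if status in ("pqc", "hybrid"):
        return "none"
    if status == "unknown":
        return "medium"          # cannot rule it out: engage the vendor
    if purpose in ("key-exchange", "key-wrap"):
        return "high" if exposure == "public" else "medium"
    if purpose == "signature":
        return "low"
    return "medium"


def triage(scan_csv: str) -> list[Finding]:
    """Parse scan records and return findings, most urgent first (stable sort)."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        status = classify_algorithm(row["algorithm"])
        findings.append(Finding(row["system"], row["purpose"], row["algorithm"], status,
                                hndl_priority(row["purpose"], row["exposure"], status)))
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])


# Constructed sample: what a discovery tool might export for six assets.
SAMPLE_SCAN = """system,exposure,purpose,algorithm
vpn-gw-01,public,key-exchange,ECDHE
web-portal,public,key-exchange,X25519+ML-KEM-768
code-signing,internal,signature,RSA
backup-kms,internal,key-wrap,RSA
hsm-firmware,internal,signature,LMS
legacy-scada,internal,key-exchange,PROPRIETARY
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.priority:6} {f.status:10} {f.system:14} {f.purpose:12} {f.algorithm}")
```

The ordering is the point: the public VPN gateway's classical key exchange tops the list, the hybrid web portal needs nothing further, and the RSA code-signing key is real migration work but not an HNDL emergency. The unknown proprietary algorithm on the SCADA system lands in the middle because it cannot be cleared without vendor engagement.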
Governance and Support
The Cyber Centre, SSC, and TBS form the IT Security Tripartite, which governs the effort, oversees compliance, and provides advice. The Government of Canada Enterprise Architecture Review Board (GC EARB) will ensure new systems meet cybersecurity and digital service standards. Progress reports will be folded into government digital services planning to ensure transparency and help departments adjust timetables and resources.
Interdepartmental Quantum Science and Technology (S&T) Coordination Committees oversee this pathway, which supports Canada's National Quantum Strategy. The Cyber Centre will advise and steer using the TBS GCxchange platform for resource exchange and the Learning Hub for quantum threat education.
Microsoft PQC ML-KEM, ML-DSA algorithms for windows & Linux

Microsoft has taken a significant step in post-quantum cryptography (PQC) by adding PQC algorithms to SymCrypt-OpenSSL version 1.9.0 on Linux and to Windows Insiders (Canary Channel Build 27852 and higher). This lets customers test ML-KEM and ML-DSA in real operational environments.
Due to quantum computing, modern cryptography faces significant challenges. Microsoft is providing early access to PQC capabilities to help organisations evaluate the performance, interoperability, and integration of these novel algorithms with current security infrastructure. This pragmatic approach helps security teams identify challenges, refine implementation strategies, and ease the transition when industry standards evolve. Early adoption also helps prevent new vulnerabilities and protect private data from quantum threats.
Next-generation cryptography API update
Enhancements to Cryptography API: Next Generation (CNG) are central to this Windows release. CNG is the long-term replacement for the legacy CryptoAPI; it is extensible and algorithm-agnostic, so new primitives can be added without changing the calling code. Developers building applications that create and exchange data securely, particularly over untrusted channels such as the Internet, use CNG. Working with CNG normally assumes familiarity with C or C++ and Windows programming, and a working knowledge of cryptography and security is strongly advised.
Developers who want to write their own CNG cryptographic algorithm or key storage providers need Microsoft's Cryptographic Provider Development Kit. CNG first shipped in Windows Vista and Windows Server 2008. The PQC updates span the CNG libraries, the certificate APIs, and the encrypted-communications stack.
New Windows PQC Algorithms
Microsoft is providing ML-KEM and ML-DSA, two NIST-standardized algorithms, to Windows Insiders via CNG updates.
Developers can now try ML-KEM, a key encapsulation mechanism, for key establishment. This helps prepare for the “harvest now, decrypt later” scenario, in which attackers record encrypted data today to decrypt it with a quantum computer later. Microsoft recommends a hybrid approach that combines ML-KEM with RSA or ECDH for defence in depth during the transition, ideally at NIST security level 3 or higher (ML-KEM-768 or ML-KEM-1024).
By incorporating ML-DSA in CNG, developers can evaluate PQC algorithms for digital signature verification of identity, integrity, or authenticity. Microsoft recommends a hybrid approach, using ML-DSA alongside RSA or ECDSA throughout the transition.
Preliminary testing shows that these algorithms have larger keys, ciphertexts and signatures, and different performance characteristics, than RSA and ECC. Customers should assess the impact on their environments and applications early.
Using the Windows certificate APIs (wincrypt), customers can test installing, importing, and exporting ML-DSA certificates to and from the certificate store, and can build PQC certificate chains and verify their trust status.
PQC Linux Features
Microsoft is shipping the PQC updates in the SymCrypt provider for OpenSSL 3 because Linux customers have asked for them. The provider lets Linux developers keep using OpenSSL's API surface while the cryptographic operations are performed by SymCrypt.
SymCrypt-OpenSSL 1.9.0 supports TLS hybrid key exchange as specified in the latest IETF Internet-Draft, so it can be used for testing now and for early preparation against “harvest now, decrypt later”. It enables a full study of how hybrid PQC key exchange affects handshake message size, TLS handshake latency, and connection efficiency. Such studies are needed to understand PQC's real-world trade-offs.
Note that the Linux updates are based on draft specifications; SymCrypt-OpenSSL will be updated as the standards change to maintain compliance and interoperability.
What Next?
The Linux and Windows Insider integration is only the first step.
Plans call for more features and improvements:
Upcoming efforts include adding SLH-DSA to SymCrypt, CNG, and SymCrypt-OpenSSL.
Add new algorithms as PQC standards expand, to ensure broad compatibility, improve security, and meet international regulatory requirements.
Work with industry partners in the IETF LAMPS working group on X.509 standardisation for ML-DSA, composite ML-DSA, SLH-DSA, ML-KEM, and LMS/XMSS, covering PKI use cases and signature approaches for firmware and software signing.
TLS hybrid key exchange for Windows users is being implemented using the Windows TLS stack (Schannel).
Develop and standardise quantum-safe authentication for TLS and other IETF protocols with the IETF, including SLH-DSA, composite ML-DSA, and pure ML-DSA. SymCrypt for OpenSSL, the Windows TLS stack (Schannel), and the Linux Rust wrapper will deliver these as the standards are finalised.
Active Directory Certificate Services (ADCS) will support PQC. Customers setting up a Certification Authority (CA) will be able to use ML-DSA-based CA certificates, the CA will sign its CRLs with PQC algorithms, and customers will be able to enrol PQC end-entity certificates. All ADCS role services will be supported.
Supporting PQC certificates in Microsoft Intune's Certificate Connector will let endpoints and mobile devices enrol for quantum-safe credentials, unlocking SCEP and PKCS #12 scenarios with on-premises ADCS CAs.
TLS 1.3 is a prerequisite for PQC: hybrid key exchange is specified for TLS 1.3 only, so Microsoft strongly advises customers to move off older TLS versions.
These new features will be available to Windows Insiders and development channels for real-world testing. Microsoft can make incremental modifications before release by getting feedback on usability, security, and compatibility. Microsoft will distribute dependable and compatible solutions to supported platforms using a flexible and adaptable approach after standards are finalised. Working with standards organisations and industry partners will ensure features fit global regulatory framework and ecosystem needs.
Future challenges and prospects
PQC algorithms are young and the field is still evolving. This underlines the importance of crypto agility: building solutions that can switch algorithms or be updated when standards change.
Microsoft recommends hybrid PQ and crypto-agile designs for PQC deployment. Composite certificates and TLS hybrid key exchange pair a PQ algorithm with RSA or ECDHE, so the connection remains at least as secure as the classical algorithm if the PQ component turns out to be weak. Pure PQ deployments should increase as algorithms and standards mature.
Although this integration is a turning point, the performance of PQC algorithms, their interoperability with existing systems, and their adoption remain open issues.
Performance: PQC algorithms often require more computation than classical algorithms, and implementing them efficiently without degrading system performance is a significant hurdle. Hardware acceleration and optimisation are essential; many PQ algorithms rely on Keccak (SHA-3/SHAKE), so hardware acceleration of Keccak is needed to boost PQC performance.
Larger key encapsulation material and digital signatures, especially in hybrid mode, may increase handshake size and TLS round-trip time. Signatures cannot be compressed, but IETF proposals are examining certificate compression and key share prediction to limit the cost. These effects should be assessed on real applications and environments.
Adoption and compatibility: PQC requires upgrading or replacing cryptographic infrastructure. Developers, hardware manufacturers, and service providers must collaborate to ensure compatibility with legacy systems and broad acceptance. Education and awareness campaigns, together with government-mandated compliance deadlines, will drive adoption.
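The hybrid approach recommended above and the handshake-size concern in this paragraph, as an added example that is not Microsoft's, SymCrypt's or the IETF's code: it shows how the two shared secrets of a hybrid exchange are concatenated and fed into the TLS 1.3 key schedule, and how many bytes an X25519 + ML-KEM-768 key share adds over X25519 alone. The shared-secret values are constructed placeholders (no real ML-KEM or X25519 is run); the sizes come from FIPS 203 and RFC 7748, the key schedule from RFC 8446, and the concatenation order (ML-KEM part first for X25519MLKEM768) is my reading of the IETF hybrid drafts.

```python
"""TLS 1.3 hybrid key exchange: secret combination and key_share size
accounting (added example; standard library only, placeholder secrets)."""
import hashlib
import hmac

# Byte lengths from FIPS 203 (ML-KEM-768) and RFC 7748 (X25519).
MLKEM768_EK, MLKEM768_CT, MLKEM768_SS = 1184, 1088, 32
X25519_PK, X25519_SS = 32, 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1 (HkdfLabel structure)."""
    full_label = b"tls13 " + label.encode()
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def hybrid_shared_secret(mlkem_ss: bytes, x25519_ss: bytes) -> bytes:
    """The IETF hybrid design combines the two shared secrets by plain
    concatenation (ML-KEM part first for X25519MLKEM768, as assumed here).
    The length checks matter: a truncated component must fail loudly rather
    than silently weaken the derived key."""
    if len(mlkem_ss) != MLKEM768_SS or len(x25519_ss) != X25519_SS:
        raise ValueError("unexpected shared-secret length")
    return mlkem_ss + x25519_ss


def early_secret() -> bytes:
    # No PSK: Early Secret = HKDF-Extract(salt = 0, IKM = 0^Hash.length)
    return hkdf_extract(b"\x00" * 32, b"\x00" * 32)


def derived_secret() -> bytes:
    return hkdf_expand_label(early_secret(), "derived", hashlib.sha256(b"").digest(), 32)


def handshake_secret(shared_secret: bytes) -> bytes:
    """The concatenated secret enters the key schedule exactly where a single
    (EC)DHE secret would, so nothing downstream in TLS 1.3 changes."""
    return hkdf_extract(derived_secret(), shared_secret)


def key_share_sizes() -> dict:
    """Bytes carried in the key_share extension, classical vs hybrid."""
    return {
        "x25519_client": X25519_PK,
        "x25519_server": X25519_PK,
        "hybrid_client": MLKEM768_EK + X25519_PK,   # encapsulation key + ECDH share
        "hybrid_server": MLKEM768_CT + X25519_PK,   # ciphertext + ECDH share
    }


if __name__ == "__main__":
    # Constructed placeholder secrets, never acceptable outside a demo.
    kem_ss, x_ss = bytes(range(32)), bytes(range(32, 64))
    hs = handshake_secret(hybrid_shared_secret(kem_ss, x_ss))
    print("handshake secret:", hs.hex())
    # An attacker who later recovers only the X25519 secret (with a quantum
    # computer, say) still derives the wrong handshake secret.
    print("ecdh-only attacker matches:",
          handshake_secret(hybrid_shared_secret(bytes(32), x_ss)) == hs)
    print("key_share bytes:", key_share_sizes())
```

The size figures make the trade-off concrete: the client's key share grows from 32 bytes to 1216 and the server's to 1120, which is what pushes a hybrid ClientHello past a single MTU and motivates the compression and key share prediction work mentioned above. The HKDF steps can be checked against the early and derived secret vectors in RFC 8448.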
In conclusion
Bringing PQC to Linux and Windows Insiders is a major step in preparing for the quantum future. Microsoft is proactively addressing the quantum risk to today's cryptography, helping to build a digital future that benefits from quantum computing while limiting its security risks. PQC is needed to protect data, communications, and digital infrastructure as quantum computing advances, and building stronger systems requires cooperation across the ecosystem.