.NET 10 delivers a major upgrade in cryptographic security with its introduction of native Post-Quantum Cryptography (PQC) algorithms. This significant move addresses emerging quantum computing threats that could potentially undermine current encryption standards widely used to secure data today. Given the increasing industry focus on PQC, the new capabilities in .NET 10 mark a crucial step toward quantum-resistant application development.

Understanding Post-Quantum Cryptography

The term "Post-Quantum" refers to cryptographic algorithms designed to remain secure even against attacks by future quantum computers. While fully powerful quantum machines capable of breaking existing encryption do not yet exist, the threat is significant—particularly for algorithms like RSA and ECC (Elliptic Curve Cryptography) which quantum computers could compromise. PQC algorithms aim to safeguard data from the "harvest now, decrypt later" threat, where encrypted data could be collected today and decrypted in the future once quantum computers become viable. Microsoft’s strategy is proactive, implementing PQC before these quantum computers are available, to ensure early transition and protection.

Key PQC Algorithms Supported in .NET 10

.NET 10 focuses on integrating four primary PQC algorithms that are standards-based and vetted by official bodies like NIST. These include:

• ML-KEM (Key Encapsulation Mechanism) based on NIST FIPS 203

• ML-DSA (Signature Algorithm) as per NIST FIPS 204

• SLH-DSA (Signature Algorithm) following NIST FIPS 205

• Composite ML-DSA, designed for use in X.509 Public Key Infrastructure

These algorithms collectively replace vulnerable RSA and EC-based cryptographic operations with modern, quantum-resilient methods. ML-KEM replaces traditional key transport and agreement schemes, while the signature algorithms substitute RSA and EC-DSA signatures.

Modern Design Philosophy Behind PQC in .NET

The development team consciously moved away from traditional .NET cryptography base classes like AsymmetricAlgorithm due to incompatibilities with PQC paradigms, such as the irrelevance of a single “KeySize” property. Instead, .NET 10 introduces fresh class hierarchies emphasizing key and keypair representations with improved consistency, reduced complexity, and enhanced performance validation.

All PQC-related keys and operations use modern constructs like Span<byte> buffers to improve memory management and performance. Additionally, the new design ensures proper disposal semantics, fewer inheritance pitfalls, and streamlined method signatures that align more closely with the cryptographic standards.

Cross-Platform Support and Experimental Features

.NET 10 PQC algorithms are supported on Windows 11 (post-KB patch updates) and Linux systems with OpenSSL 3.5 or newer. While ML-KEM and ML-DSA are fully supported and production-ready, SLH-DSA and Composite ML-DSA remain experimental due to partial OS support, subject to structural revision as system support matures.

Integration Across .NET Cryptography Ecosystem

These PQC algorithms seamlessly integrate with .NET cryptographic namespaces and workflows, including:

• X509Certificate2 and CertificateRequest classes supporting PQC keypairs

• CmsSigner for CMS/PKCS #7 signing with PQC signatures

• COSE signing support using PQC keys

However, some layers require explicit support updates, such as Kestrel’s CertificateConfigLoader for TLS operations with PQC certificates. TLS 1.3 or later and OS-level support are prerequisites for PQC-enabled TLS connections.

Getting Started with PQC in .NET 10

Developers can begin using PQC features today by installing .NET 10 and running on supported operating systems. Simple API calls enable key generation, encapsulation, signing, and verification with the new PQC algorithms. The platform also provides diagnostic APIs to confirm OS support for each algorithm before usage. For code targeting .NET Standard 2.0, referencing the latest Microsoft.Bcl.Cryptography package is required.

Read more details here: Post-Quantum Cryptography in .NET - .NET Blog