PostQuantum.FileEncryption.Hybrid 0.2.0

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher.
There is a newer prerelease version of this package available.
See the version list below for details.

Requires NuGet 6.0.0 or higher.

dotnet add package PostQuantum.FileEncryption.Hybrid --version 0.2.0
                    


                    

                
NuGet\Install-Package PostQuantum.FileEncryption.Hybrid -Version 0.2.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="PostQuantum.FileEncryption.Hybrid" Version="0.2.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="PostQuantum.FileEncryption.Hybrid" Version="0.2.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="PostQuantum.FileEncryption.Hybrid" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add PostQuantum.FileEncryption.Hybrid --version 0.2.0
                    


                    

                
#r "nuget: PostQuantum.FileEncryption.Hybrid, 0.2.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package PostQuantum.FileEncryption.Hybrid@0.2.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=PostQuantum.FileEncryption.Hybrid&version=0.2.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=PostQuantum.FileEncryption.Hybrid&version=0.2.0
                    


                            Install as a Cake Tool

PostQuantum.FileEncryption.Hybrid

Post-quantum hybrid public-key encryption for PostQuantum.FileEncryption: encrypt files to a recipient's public key so that only their private key can open them — protected by X25519 + ML-KEM-768 together, so your data stays safe even if either primitive is later broken.

Fully managed (BouncyCastle) — no native ML-KEM / OpenSSL 3.5 requirement, so it runs anywhere .NET 10 runs. Produces standard .pqfe containers.

dotnet add package PostQuantum.FileEncryption.Hybrid --version 0.1.0

Usage

using PostQuantum.FileEncryption.Hybrid;

// Recipient: generate once, publish the public key, keep the private key safe.
using var keyPair = PqHybridKeyPair.Generate();
byte[] publish = keyPair.PublicKey.Export();

// Sender: encrypt to the public key.
var recipient = PqHybridPublicKey.Import(publish);
byte[] container = await new PqHybridEncryptor().EncryptBytesAsync(secretBytes, recipient);

// Recipient: decrypt with the private key.
byte[] plaintext = await new PqHybridDecryptor().DecryptBytesAsync(container, keyPair.PrivateKey);

Multiple recipients

var recipients = new[] { alice, bob, carol }; // PqHybridPublicKey[]
await new PqHybridEncryptor().EncryptFileToAsync("report.pdf", "report.pqfe", recipients);
// Any one of alice/bob/carol can decrypt with their own private key.

File and stream APIs (EncryptFileAsync, EncryptAsync, DecryptFileAsync, DecryptAsync) are also available, with atomic file output and progress reporting.

How it works

X25519 ECDH and ML-KEM-768 encapsulation each produce a shared secret; HKDF-SHA256 combines them (ss_pq ‖ ss_classical) into a key-wrapping key that AES-256-GCM uses to wrap a random content key. See the format spec (KeySource = 3 and 4) and docs/ROADMAP-v3.md.

To God be the glory — 1 Corinthians 10:31.

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.0-rc.2 34 6/2/2026
1.0.0-rc.1 61 5/31/2026
0.2.0 62 5/31/2026

0.2.0 — production X25519 + ML-KEM-768 hybrid combiner (KeySource 3) and multiple recipients (KeySource 4), managed via BouncyCastle. Round-trip, multi-recipient, fail-closed, and pinned decrypt-KAT tested.