PostQuantum.FileEncryption.Hybrid 1.0.0

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details.

Requires NuGet 6.0.0 or higher.

dotnet add package PostQuantum.FileEncryption.Hybrid --version 1.0.0
                    


                    

                
NuGet\Install-Package PostQuantum.FileEncryption.Hybrid -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="PostQuantum.FileEncryption.Hybrid" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="PostQuantum.FileEncryption.Hybrid" Version="1.0.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="PostQuantum.FileEncryption.Hybrid" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add PostQuantum.FileEncryption.Hybrid --version 1.0.0
                    


                    

                
#r "nuget: PostQuantum.FileEncryption.Hybrid, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package PostQuantum.FileEncryption.Hybrid@1.0.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=PostQuantum.FileEncryption.Hybrid&version=1.0.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=PostQuantum.FileEncryption.Hybrid&version=1.0.0
                    


                            Install as a Cake Tool

PostQuantum.FileEncryption.Hybrid

The single recommended path for public-key file encryption in this suite. Encrypt files to a recipient's public key so that only their private key can open them — protected by X25519 + ML-KEM-768 together, so your data stays safe even if either primitive is later broken.

Fully managed (BouncyCastle) — no native ML-KEM / OpenSSL 3.5 requirement, so it runs anywhere .NET 10 runs. Produces standard .pqfe containers.

dotnet add package PostQuantum.FileEncryption.Hybrid --version 1.0.0

Versioning. This package is intentionally kept in lockstep with PostQuantum.FileEncryption: every release of one ships at the same version as the other, and Hybrid's pack pins the matching core version. The two packages are one cryptographic unit — the core owns the .pqfe container and the chunk/AEAD engine; Hybrid plugs into the core's KeyEstablishment seam to add the public-key path. A version mismatch would mean Hybrid is talking to a different format/engine than the one it was designed against. See docs/VERSIONING.md.

Migrating from the deprecated inline ML-KEM-only mode

If you previously used PqKeyPair / PqRecipientPublicKey / PqRecipientPrivateKey and the recipient overloads on PqFileEncryptor / PqFileDecryptor in the core PostQuantum.FileEncryption package, those are deprecated (PQFE002) as of 1.0.0-rc.2. They remain for source-compatibility but emit a deprecation warning; removal is targeted for a future major release.

// Before (deprecated PQFE001 + PQFE002 in the core package, platform-gated by ML-KEM):
using var keyPair = PqKeyPair.Generate();
await new PqFileEncryptor().EncryptFileAsync("plain.bin", "cipher.pqfe", keyPair.PublicKey);
await new PqFileDecryptor().DecryptFileAsync("cipher.pqfe", "out.bin", keyPair.PrivateKey);

// After (this package — hybrid combiner, runs everywhere, no platform gate):
using var keyPair = PqHybridKeyPair.Generate();
await new PqHybridEncryptor().EncryptFileAsync("plain.bin", "cipher.pqfe", keyPair.PublicKey);
await new PqHybridDecryptor().DecryptFileAsync("cipher.pqfe", "out.bin", keyPair.PrivateKey);

Usage

using PostQuantum.FileEncryption.Hybrid;

// Recipient: generate once, publish the public key, keep the private key safe.
using var keyPair = PqHybridKeyPair.Generate();
byte[] publish = keyPair.PublicKey.Export();

// Sender: encrypt to the public key.
var recipient = PqHybridPublicKey.Import(publish);
byte[] container = await new PqHybridEncryptor().EncryptBytesAsync(secretBytes, recipient);

// Recipient: decrypt with the private key.
byte[] plaintext = await new PqHybridDecryptor().DecryptBytesAsync(container, keyPair.PrivateKey);

Multiple recipients

var recipients = new[] { alice, bob, carol }; // PqHybridPublicKey[]
await new PqHybridEncryptor().EncryptFileToAsync("report.pdf", "report.pqfe", recipients);
// Any one of alice/bob/carol can decrypt with their own private key.

File and stream APIs (EncryptFileAsync, EncryptAsync, DecryptFileAsync, DecryptAsync) are also available, with atomic file output and progress reporting.

How it works

X25519 ECDH and ML-KEM-768 encapsulation each produce a shared secret; HKDF-SHA256 combines them (ss_pq ‖ ss_classical) into a key-wrapping key that AES-256-GCM uses to wrap a random content key. See the format spec (KeySource = 3 and 4) and docs/ROADMAP-v3.md.

To God be the glory — 1 Corinthians 10:31.

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.1 0 6/6/2026
1.0.0 0 6/6/2026
1.0.0-rc.3 40 6/4/2026
1.0.0-rc.2 44 6/2/2026
1.0.0-rc.1 64 5/31/2026
0.2.0 308 5/31/2026

1.0.0 — first stable release; tracks PostQuantum.FileEncryption 1.0.0 in lockstep. The .pqfe container format (v2) is FROZEN for the 1.x line. Recommended public-key path: X25519 + ML-KEM-768 hybrid combiner with multi-recipient support, fully managed via BouncyCastle (no platform ML-KEM dependency, runs anywhere .NET 10 does). Same library code as 1.0.0-rc.3 — no format, public-API, or runtime-dependency change. Suite-versioning lockstep with the core is enforced by the release workflow. EnablePackageValidation against the 1.0.0-rc.3 baseline. See CHANGELOG.md.