Why the Future of Encryption Starts Today
I have been developing software for over 20 years, but what is happening right now is something interesting. Something that genuinely makes me sit up and pay attention.
Quantum computers are no longer science fiction. And with .NET 10, Microsoft has built the answer directly into the platform: Post-Quantum Cryptography (PQC). Quantum-safe encryption that holds up even when quantum computers become a reality.
In this article, I will walk you through what I understand that to mean, step by step, even if you are just starting out in software development.
1. Why Is This Even a Topic?
Imagine you send encrypted data today. Someone copies the data without decrypting it and waits. In ten years, they have a tool that can decrypt it. Then they read your data.
That is exactly the scenario keeping security experts around the world up at night. It even has a name: “Harvest Now, Decrypt Later.” Attackers collect encrypted data today and decrypt it later, once quantum computers are powerful enough.
The data most at risk is anything that needs to stay secret for a long time: financial information, health records, long-term contracts. If you work in finance, this is not an abstract problem — it is your reality.
2. What Exactly Are Qubits?
Before we go further, let me explain what we are dealing with. I am not an expert in that topic, but here is what I understood.
Classical Computers: Bits
A classical computer knows only two states: 0 or 1. That is called a bit. Everything a computer does (writing text, playing videos, encrypting data) is built on billions of these tiny 0-or-1 decisions.
Quantum Computers: Qubits
A quantum computer works with qubits. Thanks to a quantum phenomenon called superposition, qubits can be 0 and 1 at the same time as long as you do not measure them. That sounds strange (and I’m not scientific enough to explain that :) ), but the effect is enormous.
Analogy: Think of a maze. A classical computer tries every path one by one. A quantum computer tries all paths simultaneously. For certain problems, that is exponentially faster.
The result: for certain mathematical problems, exactly those that RSA and ECDSA rely on, a quantum computer is exponentially faster than a classical one. Our current encryption would be broken.
3. The New Standards — International and Official
The good news: The American NIST (National Institute of Standards and Technology) finalised the first three post-quantum standards in 2024. And this was not an American solo project. 82 algorithms from 25 countries were submitted and reviewed by cryptographers worldwide.
In parallel, ISO/IEC and ETSI (the European Telecommunications Standards Institute) are working on their own frameworks. The IETF is currently integrating PQC into core protocols like TLS. This is a global process.
| Algorithm | FIPS Standard | Purpose | Replaces |
|---|---|---|---|
| ML-KEM | FIPS 203 | Key Exchange (Key Encapsulation) | ECDH |
| ML-DSA | FIPS 204 | Digital Signatures | RSA / ECDSA |
| SLH-DSA | FIPS 205 | Digital Signatures (hash-based) | RSA / ECDSA |
4. What Does .NET 10 Do with This?
.NET 10, released in November 2025 as a Long-Term Support (LTS) release, brings these algorithms directly into the familiar System.Security.Cryptography namespace.
No external NuGet package, no third-party library. Just there, ready to use.
As a .NET developer, you now find these new classes:
• MLKem
• MLDsa
• SlhDsa
Even X509Certificate2 has been extended: certificates can now contain PQC keys. This is important for TLS and PKI infrastructures.
5. The Hybrid Approach — The Best of Both Worlds
I would advise against switching everything over to PQC overnight. In my experience, new developments need time to prove themselves first. The PQC algorithms are mathematically well-founded and approved by NIST – but they have not yet proven themselves to the same level as RSA, which has been in use for decades.
The solution: the hybrid approach. You combine a classical algorithm (e.g. ECDH) with ML-KEM and use both at the same time. If one algorithm is broken, the other still protects you. You are secured against both classical and quantum attacks.
Hybrid = classical algorithm + PQC in parallel. Secure against both attack types.
.NET 10 also supports *Composite ML-DSA*, which is a combination of a classical and a post-quantum algorithm in a single signature. This is the recommended transition path.
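The hybrid key exchange described in this section, as an added example that is not taken from Microsoft's documentation or from any of the listed sources: a sender and a recipient each derive the same AES-256-GCM key from an ECDH P-256 agreement and an ML-KEM-768 encapsulation. The concatenate-then-HKDF combiner and the `example-hybrid-ecdh-mlkem` label are simplifying assumptions; standardized hybrid constructions also bind the exchanged public values into the derivation.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

if (!MLKem.IsSupported) { Console.WriteLine("ML-KEM is not available on this platform."); return; }

// Recipient: one classical and one post-quantum key pair; only the public parts are shared.
using ECDiffieHellman recipientEcdh = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
using MLKem recipientKem = MLKem.GenerateKey(MLKemAlgorithm.MLKem768);
byte[] recipientEcdhPublic = recipientEcdh.ExportSubjectPublicKeyInfo();
byte[] recipientKemPublic = recipientKem.ExportEncapsulationKey();

// Sender: ephemeral ECDH key plus an ML-KEM encapsulation against the recipient's key.
using ECDiffieHellman senderEcdh = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
using ECDiffieHellman recipientEcdhPub = ECDiffieHellman.Create();
recipientEcdhPub.ImportSubjectPublicKeyInfo(recipientEcdhPublic, out _);
using MLKem kemPub = MLKem.ImportEncapsulationKey(MLKemAlgorithm.MLKem768, recipientKemPublic);
kemPub.Encapsulate(out byte[] kemCiphertext, out byte[] kemSecretSender);
byte[] senderKey = Combine(
    senderEcdh.DeriveRawSecretAgreement(recipientEcdhPub.PublicKey), kemSecretSender);

// Encrypt a constructed sample payload with the hybrid-derived key.
byte[] nonce = RandomNumberGenerator.GetBytes(12);
byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample payload");
byte[] ciphertext = new byte[plaintext.Length];
byte[] tag = new byte[16];
using (var aes = new AesGcm(senderKey, 16))
    aes.Encrypt(nonce, plaintext, ciphertext, tag);

// Recipient: needs the sender's ECDH public key and the ML-KEM ciphertext.
using ECDiffieHellman senderPub = ECDiffieHellman.Create();
senderPub.ImportSubjectPublicKeyInfo(senderEcdh.ExportSubjectPublicKeyInfo(), out _);
byte[] recipientKey = Combine(
    recipientEcdh.DeriveRawSecretAgreement(senderPub.PublicKey),
    recipientKem.Decapsulate(kemCiphertext));

byte[] decrypted = new byte[ciphertext.Length];
using (var aes = new AesGcm(recipientKey, 16))
    aes.Decrypt(nonce, ciphertext, tag, decrypted); // throws if the two keys differ
Console.WriteLine(Encoding.UTF8.GetString(decrypted));

// Illustrative combiner (assumption): both secrets go through HKDF, so the AES key
// stays unknown unless the ECDH secret and the ML-KEM secret are both recovered.
static byte[] Combine(byte[] ecdhSecret, byte[] kemSecret) =>
    HKDF.DeriveKey(HashAlgorithmName.SHA256, [.. ecdhSecret, .. kemSecret], 32,
        info: Encoding.UTF8.GetBytes("example-hybrid-ecdh-mlkem"));
```

`MLKem.IsSupported` returns false when the operating system's crypto library does not provide ML-KEM, so check it at startup and keep the classical path available for those hosts.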
6. What Does This Mean for Your Project?
Let me be honest: if you have services today that do not encrypt data at all, that is more urgent than PQC. Post-quantum only protects encrypted communication. If data is flowing in plain text, the best quantum algorithm in the world will not help.
My recommended order of priority:
| Priority | Action | When |
|---|---|---|
| 1 | Enable TLS for all services, Kafka, RabbitMQ | Today |
| 2 | New services directly with ML-KEM + AES (Hybrid) | During .NET 10 migration |
| 3 | Migrate internal services to PQC | When both sides are under your control |
| 4 | Switch certificates to PQC | When CA + infrastructure are ready |
7. What About the IdentityServer?
Many projects use Duende IdentityServer for authentication — with JWT tokens signed using RS256 (RSA + SHA-256). That is exactly the algorithm a quantum computer could break.
The goal: add ML-DSA as an additional signing algorithm — alongside RS256, not as a replacement. Why alongside? Because older clients expect RS256 and do not yet understand ML-DSA.
⚠️ Important:
Duende IdentityServer must explicitly support ML-DSA. This is a dependency outside your control. Keep an eye on the Duende roadmap!
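The "alongside, not as a replacement" idea as an added, standalone example; it is not Duende IdentityServer code and does not define a JWT algorithm. The issuer signs the same constructed signing input with RS256 and with ML-DSA-65, a legacy verifier checks only RS256, and an upgraded verifier requires both. The function names `VerifyRs256` and `VerifyBoth` are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

if (!MLDsa.IsSupported) { Console.WriteLine("ML-DSA is not available on this platform."); return; }

// Constructed stand-in for a token's signing input (header.payload).
byte[] signingInput = Encoding.ASCII.GetBytes("constructed-header.constructed-payload");

// Issuer: keeps the RSA key existing clients trust and adds an ML-DSA key.
using RSA issuerRsa = RSA.Create(3072);
using MLDsa issuerMlDsa = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa65);
byte[] rsaSig = issuerRsa.SignData(
    signingInput, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); // RS256
byte[] pqSig = issuerMlDsa.SignData(signingInput);

// Only public keys leave the issuer.
byte[] rsaPub = issuerRsa.ExportSubjectPublicKeyInfo();
byte[] pqPub = issuerMlDsa.ExportMLDsaPublicKey();

Console.WriteLine($"RS256 signature: {rsaSig.Length} bytes, ML-DSA-65: {pqSig.Length} bytes");
Console.WriteLine($"Legacy client accepts:   {VerifyRs256(signingInput, rsaSig, rsaPub)}");
Console.WriteLine($"Upgraded client accepts: {VerifyBoth(signingInput, rsaSig, rsaPub, pqSig, pqPub)}");

// Model a future where RS256 can be forged: the issuer's RSA key stands in for
// the forger, who still has no valid ML-DSA signature for the altered input.
byte[] altered = Encoding.ASCII.GetBytes("constructed-header.altered-payload");
byte[] forgedRsaSig = issuerRsa.SignData(
    altered, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Console.WriteLine($"Legacy accepts forgery:   {VerifyRs256(altered, forgedRsaSig, rsaPub)}");
Console.WriteLine($"Upgraded accepts forgery: {VerifyBoth(altered, forgedRsaSig, rsaPub, pqSig, pqPub)}");

static bool VerifyRs256(byte[] data, byte[] signature, byte[] publicKey)
{
    using RSA rsa = RSA.Create();
    rsa.ImportSubjectPublicKeyInfo(publicKey, out _);
    return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}

static bool VerifyBoth(byte[] data, byte[] rsaSig, byte[] rsaPub, byte[] pqSig, byte[] pqPub)
{
    using MLDsa mlDsa = MLDsa.ImportMLDsaPublicKey(MLDsaAlgorithm.MLDsa65, pqPub);
    // Evaluate both checks; the input is accepted only if both signatures are valid.
    bool classicalOk = VerifyRs256(data, rsaSig, rsaPub);
    bool postQuantumOk = mlDsa.VerifyData(data, pqSig);
    return classicalOk && postQuantumOk;
}
```

The printed lengths show how much larger the ML-DSA signature is than the RSA one, which matters when both travel inside a token.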
8. My Personal Conclusion
After years of software development, I have learned: the biggest security problems do not arise from missing technology; they come from acting too late. PQC is not a “someday” topic. It is a “prepare now” topic.
.NET 10 makes it easy for us: the algorithms are there, they are standardised, they are internationally recognised. The entry point is manageable. And anyone currently migrating to .NET 10 has the perfect opportunity to incorporate PQC at the same time, with no extra overhead.
Start with what matters most: encrypt first. Then think about PQC. And then you will be ready for what is coming.