[Breaking change]: Composite ML-DSA on Windows uses native implementation #54565

@PranavSenthilnathan

Description

Windows is starting to implement Composite ML-DSA natively in BCrypt and NCrypt in recent insider previews. Our Composite ML-DSA APIs predate this, so our implementations were a managed layer over the underlying components (ML-DSA, RSA, and ECDSA). With dotnet/runtime#129612, we are now switching to use the native Windows implementation. However, Windows only supports a few of the composite algorithms (as seen here), so this change reduces the number of supported Composite ML-DSA algorithms.

The affected APIs are those on the CompositeMLDsa class. The certificate APIs for Composite ML-DSA will continue to throw PlatformNotSupportedException as before. Note: these APIs are all currently Experimental.

Version

.NET 11 Preview 7

Previous behavior

CompositeMLDsa APIs on Windows would work on all algorithms as long as the underlying components were supported (ML-DSA, RSA and ECDSA). The others (ones with EdDSA components) would throw PNSE.

New behavior

CompositeMLDsa APIs on Windows will only support the algorithms that Windows supports natively. Currently it's the four listed here.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

It's preferable to use the native APIs on the platform rather than a managed layer on top.

Recommended action

Check CompositeMLDsa.IsAlgorithmSupported before use if possible; if not, handle the PNSE gracefully.

Feature area

Cryptography

Affected APIs

All the APIs on CompositeMLDsa.


Associated WorkItem - 592901
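
The recommended action above, as an added C# example that is not part of the original issue or the .NET project's own code: probe each candidate with CompositeMLDsa.IsAlgorithmSupported, fail closed when none is available, and still catch PlatformNotSupportedException around the key operations. The candidate list is an illustrative application preference order, not the set Windows supports, and the SYSLIB5006 diagnostic ID for the experimental APIs is an assumption.

```csharp
#nullable enable
#pragma warning disable SYSLIB5006 // experimental PQC APIs; diagnostic ID assumed, adjust to your SDK
using System;
using System.Security.Cryptography;
using System.Text;

static class CompositeSigning
{
    // Application-chosen preference order (illustrative; NOT the Windows-supported list).
    static readonly CompositeMLDsaAlgorithm[] Preferred =
    {
        CompositeMLDsaAlgorithm.MLDsa87WithECDsaP384,
        CompositeMLDsaAlgorithm.MLDsa65WithECDsaP256,
        CompositeMLDsaAlgorithm.MLDsa65WithRSA3072Pss,
    };

    // Returns the first candidate the current platform can run, or null if none can.
    static CompositeMLDsaAlgorithm? SelectAlgorithm()
    {
        foreach (CompositeMLDsaAlgorithm candidate in Preferred)
            if (CompositeMLDsa.IsAlgorithmSupported(candidate))
                return candidate;
        return null;
    }

    static int Main()
    {
        CompositeMLDsaAlgorithm? algorithm = SelectAlgorithm();
        if (algorithm is null)
        {
            // Fail closed: do not silently continue without a composite signature.
            Console.Error.WriteLine("No configured Composite ML-DSA algorithm is supported on this platform.");
            return 1;
        }
        try
        {
            using CompositeMLDsa key = CompositeMLDsa.GenerateKey(algorithm);
            byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
            byte[] signature = key.SignData(message);
            Console.WriteLine($"{algorithm.Name}: verified={key.VerifyData(message, signature)}");
            return 0;
        }
        catch (PlatformNotSupportedException ex)
        {
            // Reached when an operation is unavailable despite the probe, or on a path that skipped it.
            Console.Error.WriteLine($"{algorithm.Name} unavailable: {ex.Message}");
            return 1;
        }
    }
}
```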

Labels: 📌 seQUESTered (Identifies that an issue has been imported into Quest.), breaking-change (Indicates a .NET Core breaking change)