~~NOTOC~~
{{wvds:title>L4Re Crypto Service}}

===== L4Re Crypto Service =====

<WRAP center round info 80%>
**Post-Quantum Secure Cryptography for Edge Devices on L4Re Microkernel**

Version 0.2.0 | OpenSSL 3.6 FIPS Provider | ML-KEM + ML-DSA + AES-256-GCM
</WRAP>

==== Big Picture: Double-Layer Security ====

<code>
                              DOUBLE-LAYER SECURITY
====================================================================================

  +------------+     +-------------------+         +-----------------------+
  |   DEVICE   |     |  PQ-EDGE-GATEWAY  |         |      PQ-PROXY         |
  |  (Sensor)  |     | (L4Re Microkernel)|         |  (Cloudflare/Nginx)   |
  |            |     |                   |         |                       |
  | Sensor Data|---->|  Layer 1: Payload |-------->|  Layer 1: remains     |
  |            |     |  ML-KEM + AES-GCM |  HTTPS  |  encrypted            |
  |            |     |                   |  (443)  |                       |
  |            |     |  Layer 2: Transport|        |  Layer 2: TLS         |
  |            |     |  TLS 1.3 + ML-KEM |         |  terminated           |
  +------------+     +-------------------+         +-----------+-----------+
                                                              |
                                                              v
                    +-----------------------------------------------------+
                    |                    BACKEND                          |
                    |                                                     |
                    |  +----------+  +----------+  +------------------+   |
                    |  | API      |  | ML/AI    |  | Database         |   |
                    |  | Server   |  | Process. |  | (encrypted)      |   |
                    |  +----------+  +----------+  +------------------+   |
                    |                                                     |
                    +-----------------------------------------------------+

Why 2 Layers?
------------------------------------------------------------------------------------
Layer 2 (Transport): Protects against MITM, but proxy sees plaintext
Layer 1 (Payload):   End-to-end, only backend can decrypt
                     => Even compromised proxy = no data leak
</code>

==== What You Get ====

The WvdS Crypto Service is a **ready-to-use black box**:

  * You compile NOTHING
  * You configure NOTHING
  * The daemon runs, you send requests - done

==== Available Operations ====

| Request-Type | Name | Description |
| ''0x01'' | AES_ENCRYPT | AES-256-GCM encryption |
| ''0x02'' | AES_DECRYPT | AES-256-GCM decryption |
| ''0x10'' | MLDSA_SIGN | ML-DSA signature creation |
| ''0x11'' | MLDSA_VERIFY | ML-DSA signature verification |
| ''0x20'' | MLKEM_KEYGEN | ML-KEM key pair generation |
| ''0x21'' | MLKEM_ENCAPS | ML-KEM encapsulation |
| ''0x22'' | MLKEM_DECAPS | ML-KEM decapsulation |

==== Navigation ====

=== Basics ===

  * [[.:glossar|Glossary]] - PQC terms (ML-KEM, ML-DSA, Nonce...)
  * [[.:architektur|Architecture]] - Two-Daemon System, Shared Memory

=== Integration ===

  * [[.:installation|Installation]] - 3-Step OEM Integration
  * [[.:integration|Integration]] - Code Examples (C/C++)

=== Reference ===

  * [[.:protokoll|Protocol]] - Byte-Level Request/Response Format
  * [[.:api|API Reference]] - Request-Types + Helper Functions

=== Security & Compliance ===

  * [[.:sicherheit|Security]] - Rate Limiting, Nonce Tracking, Zeroize
  * [[.:compliance|Compliance]] - NIS2, BSI TR-03116-4, FIPS 203/204

----

**Support:** Wolfgang van der Stille / EMSR DATA d.o.o. / DATECpro GmbH