====== Encryption Namespace ======
**Namespace:** ''WvdS.System.Security.Cryptography.Encryption''
Contains classes for symmetric encryption with PQ key derivation.
----
===== Classes =====
^ Class ^ Description ^
| SymmetricEncryptionExtensions | AES-GCM encryption with PQ keys |
| HybridEncryptedData | Container for hybrid-encrypted data |
| PqCrypto | Convenience API for PQ encryption |
----
===== Encryption Modes =====
^ Mode ^ Classic ^ ML-KEM ^ Usage ^
| Classic | RSA-OAEP / ECDH | - | Standard .NET behavior |
| Hybrid | RSA-OAEP / ECDH | Yes | Maximum security |
| PostQuantum | - | Yes | Pure post-quantum |
----
===== Encryption Format =====
<code>
+------------------------------------------+
| AES-GCM Encrypted Data                   |
+------------------------------------------+
| [12 Bytes] Nonce (IV)                    |
| [n Bytes]  Ciphertext                    |
| [16 Bytes] Authentication Tag            |
+------------------------------------------+
</code>
----
===== Example =====
<code csharp>
using System.Text; // Encoding
using WvdS.System.Security.Cryptography.Encryption;
using WvdS.System.Security.Cryptography.KeyExchange;

// Shared secret from key exchange ("session" is an already established key-exchange session)
byte[] sharedSecret = session.SharedSecret;

// Encrypt
byte[] plaintext = Encoding.UTF8.GetBytes("Secret message");
byte[] encrypted = SymmetricEncryptionExtensions.EncryptWithPqKey(
    plaintext, sharedSecret);

// Decrypt
byte[] decrypted = SymmetricEncryptionExtensions.DecryptWithPqKey(
    encrypted, sharedSecret);
</code>
----
===== Main Methods =====
==== SymmetricEncryptionExtensions ====
^ Method ^ Description ^
| ''EncryptWithPqKey'' | AES-GCM with PQ-derived key |
| ''DecryptWithPqKey'' | Decryption with PQ key |
| ''EncryptHybrid'' | RSA-OAEP + ML-KEM hybrid |
| ''DecryptHybrid'' | Hybrid decryption |
| ''EncryptEcdhPq'' | ECDH + ML-KEM hybrid |
| ''DecryptEcdhPq'' | ECDH+ML-KEM decryption |
| ''EncryptAesGcm'' | Standard AES-256-GCM |
| ''DecryptAesGcm'' | AES-GCM decryption |
| ''EncryptStream'' | Stream-based encryption |
| ''DecryptStream'' | Stream-based decryption |
==== PqCrypto ====
^ Method ^ Description ^
| ''GenerateKeyPair'' | Generate ML-KEM key pair |
| ''Encrypt'' | PQ encryption |
| ''Decrypt'' | PQ decryption |
----
===== Security Note =====
**Key combination in Hybrid mode:**
<code>
Combined Key = HKDF-SHA256(
    ikm  = classicSecret || pqSecret,
    info = "WvdS-Hybrid-Key"
)
</code>
Even if an attacker compromises the classic secret, the encryption remains protected by the PQ secret (and vice versa).
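
The key combination above and the layout from the Encryption Format section, as an added example that is not part of the WvdS library: it uses .NET's built-in ''HKDF'' and ''AesGcm'' types (.NET 8 or later). The class and method names, the 32-byte key length, and the absence of salt and associated data are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration on .NET's built-in HKDF and AesGcm (.NET 8+); not WvdS code.
static class HybridLayoutDemo
{
    const int NonceSize = 12, TagSize = 16;
    // ikm and info are as given on the page; 32-byte output and no salt are assumed.
    public static byte[] CombineSecrets(byte[] classicSecret, byte[] pqSecret)
    {
        byte[] ikm = [.. classicSecret, .. pqSecret];
        return HKDF.DeriveKey(HashAlgorithmName.SHA256, ikm, 32,
            info: Encoding.ASCII.GetBytes("WvdS-Hybrid-Key"));
    }

    // Writes [12-byte nonce][ciphertext][16-byte tag] into one buffer.
    public static byte[] Seal(byte[] key, byte[] plaintext)
    {
        byte[] blob = new byte[NonceSize + plaintext.Length + TagSize];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceSize)); // fresh nonce per message
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(blob.AsSpan(0, NonceSize), plaintext,
            blob.AsSpan(NonceSize, plaintext.Length), blob.AsSpan(blob.Length - TagSize));
        return blob;
    }

    // Splits the blob at the fixed offsets; throws CryptographicException on a bad tag.
    public static byte[] Open(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Blob is shorter than nonce + tag.");
        byte[] plaintext = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize, plaintext.Length),
            blob.AsSpan(blob.Length - TagSize), plaintext);
        return plaintext;
    }

    static void Main()
    {
        // Constructed sample secrets; real ones come from the two key exchanges.
        byte[] classic = RandomNumberGenerator.GetBytes(32), pq = RandomNumberGenerator.GetBytes(32);
        byte[] blob = Seal(CombineSecrets(classic, pq), Encoding.UTF8.GetBytes("Secret message"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(CombineSecrets(classic, pq), blob)));
        // Knowing only the classic secret derives a different key, so the tag check fails.
        try { Open(CombineSecrets(classic, new byte[32]), blob); }
        catch (CryptographicException) { Console.WriteLine("classic secret alone: rejected"); }
    }
}
```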
----
===== See Also =====
* [[.:keyexchange|KeyExchange Namespace]]
* [[.:keyderivation|KeyDerivation Namespace]]
* [[.:start|API Overview]]
{{tag>namespace encryption aes-gcm ml-kem}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//