====== KeyExchange Namespace ======

**Namespace:** ''WvdS.System.Security.Cryptography.KeyExchange''

Contains classes for post-quantum key exchange with ML-KEM.

----

===== Classes =====

^ Class ^ Description ^
| KeyExchangeService | High-level service for client/server key exchange |
| EphemeralKeyPair | Container for ephemeral ML-KEM/ML-DSA key pairs |
| SecureSession | Represents an established secure session |

----

===== Request/Response Classes =====

^ Class ^ Description ^
| KeyExchangeInitRequest | Client initiation message |
| KeyExchangeInitResponse | Server response message |
| KeyExchangeConfirmRequest | Client confirmation message |
| KeyExchangeConfirmResponse | Server confirmation response |

----

===== Protocol Flow =====

<code>
Client                                        Server
  |                                             |
  +- GenerateClientKeysAsync()                  |
  |                                             |
  +- CreateInitRequest() ---------------------->|
  |    (ML-KEM PubKey + ML-DSA Sig)             |
  |                                             +- ProcessClientRequest()
  |                                             |    (Verify, Encapsulate)
  |<---------------------- InitResponse --------+
  |    (Ciphertext + ML-DSA Sig)                |
  |                                             |
  +- ProcessServerResponse()                    |
  |    (Verify, Decapsulate)                    |
  |                                             |
  +- CreateConfirmRequest() ------------------->|
  |    (HMAC Confirmation)                      |
  |                                             +- VerifyConfirmation()
  |<---------------- ConfirmResponse -----------+
  |                                             |
  v                                             v
SecureSession                               SecureSession
(Shared Secret)                             (Shared Secret)
</code>

----

===== Example =====

<code csharp>
using WvdS.System.Security.Cryptography.KeyExchange;

var kex = new KeyExchangeService();

// === Client ===
var clientKeys = await kex.GenerateClientKeysAsync();
var initRequest = await kex.CreateInitRequestAsync(clientKeys);
// Send initRequest to server...

// === Server ===
var serverKeys = await kex.GenerateServerKeysAsync();
var (response, serverSession) = await kex.ProcessClientRequestAsync(
    initRequest, serverKeys);
// Send response to client...

// === Client ===
var clientSession = await kex.ProcessServerResponseAsync(
    response, clientKeys);

// Both sides now hold the same shared secret; the confirmation round
// (CreateConfirmRequestAsync / VerifyConfirmationAsync) proves it to each peer.
</code>
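The example above stops before the confirmation round shown in the protocol flow. The following added example (not part of the original page or of the library's own documentation) continues the same session through ''CreateConfirmRequestAsync'' and ''VerifyConfirmationAsync'' and then checks, in constant time, that both sides derived the same secret. The parameter lists of the two confirmation methods, a ''SharedSecret'' byte-array property on ''SecureSession'', and a ''CryptographicException'' on failed verification are assumptions for illustration, not documented API.

```csharp
using System;
using System.Security.Cryptography;
using WvdS.System.Security.Cryptography.KeyExchange;

// Added example: completes the handshake from the page's example with the
// confirmation round. Method names come from the page; the parameter lists of
// the two confirmation methods, the SharedSecret property on SecureSession and
// the exception type on failure are ASSUMED, not documented API.
var kex = new KeyExchangeService();

// === Init / Response (same steps as the page's example) ===
var clientKeys = await kex.GenerateClientKeysAsync();
var initRequest = await kex.CreateInitRequestAsync(clientKeys);

var serverKeys = await kex.GenerateServerKeysAsync();
var (initResponse, serverSession) = await kex.ProcessClientRequestAsync(
    initRequest, serverKeys);

var clientSession = await kex.ProcessServerResponseAsync(
    initResponse, clientKeys);

// === Confirmation round ===
// The client proves it decapsulated the same secret by sending the HMAC
// confirmation (assumed signature: takes the client's session).
KeyExchangeConfirmRequest confirmRequest =
    await kex.CreateConfirmRequestAsync(clientSession);

// The server checks the HMAC against its own session (assumed signature:
// takes the request and the server's session). Any failure means the
// handshake failed: serverSession must not be used for application data.
KeyExchangeConfirmResponse confirmResponse;
try
{
    confirmResponse = await kex.VerifyConfirmationAsync(confirmRequest, serverSession);
}
catch (CryptographicException ex)
{
    Console.Error.WriteLine($"Key confirmation failed, aborting session: {ex.Message}");
    return;
}

// Local test-harness check only: in a real deployment the two sessions live on
// different hosts and the HMAC round is the only confirmation available.
// SharedSecret is an assumed property name; compare in constant time.
bool sameSecret = CryptographicOperations.FixedTimeEquals(
    clientSession.SharedSecret, serverSession.SharedSecret);
Console.WriteLine(sameSecret ? "Shared secrets match." : "Shared secrets DIFFER");
```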
----

===== Main Methods =====

==== KeyExchangeService ====

^ Method ^ Description ^
| ''GenerateClientKeysAsync'' | Generate client-side keys |
| ''GenerateServerKeysAsync'' | Generate server-side keys |
| ''CreateInitRequestAsync'' | Create initiation message |
| ''ProcessClientRequestAsync'' | Server processes client request |
| ''ProcessServerResponseAsync'' | Client processes server response |
| ''CreateConfirmRequestAsync'' | Create confirmation message |
| ''VerifyConfirmationAsync'' | Verify confirmation |

----

===== See Also =====

  * [[.:encryption|Encryption Namespace]]
  * [[.:keyderivation|KeyDerivation Namespace]]
  * [[.:start|API Overview]]

{{tag>namespace keyexchange ml-kem}}

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//