====== 4.3 Migration ======

Step-by-step migration from classical to hybrid/post-quantum cryptography.

----

===== Migration Path =====

<code>
Phase 1         Phase 2          Phase 3          Phase 4
Classic    ->   Hybrid     ->    Hybrid+    ->    PostQuantum
(RSA only)      (RSA+ML-DSA)     (Validation)     (ML-DSA only)
</code>

----

===== Phase 1: Preparation =====

**Goal:** Install library, remain in Classic mode.

<code csharp>
// No change to existing behavior
CryptoConfig.DefaultMode = CryptoMode.Classic;
</code>

  * Install NuGet package
  * Deploy OpenSSL 3.6 -> [[en:int:pqcrypt:administrator:installation|Installation]]
  * Run existing tests (must continue to pass)

----

===== Phase 2: Enable Hybrid =====

**Goal:** New certificates are PQ-protected, old ones continue to work.

<code csharp>
// Activate hybrid mode
CryptoConfig.DefaultMode = CryptoMode.Hybrid;
</code>

**What happens:**

  * New certificates: RSA signature + ML-DSA signature (X.509 extension)
  * Old certificates: Continue to be accepted
  * Legacy clients: Ignore PQ extension, validate only RSA

----

===== Phase 3: Enable Validation =====

**Goal:** PQ signatures are actively verified (not just generated).

<code csharp>
// Build chain with PQ validation
var chain = new X509Chain();
bool valid = chain.Build(cert, CryptoMode.Hybrid);

// Check if PQ signature is present
if (cert.HasPqSignature())
{
    bool pqValid = cert.VerifyPqSignature();
}
</code>

----

===== Phase 4: Full PostQuantum (optional) =====

**Goal:** Only PQ algorithms, maximum security.

Only when **all** clients are PQ-capable!
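
A pre-flight check for that condition, as an added example in Python (not part of the library this page documents): it models the signature rules behind this page's compatibility matrix and lists the validators that would reject certificates from a given creator mode. The inventory, its host names, and the rule that a PostQuantum validator requires an ML-DSA signature are assumptions.

```python
# Added example: models the signature rules behind the compatibility matrix.
# Signatures each creator mode puts on a certificate (from the page).
EMITS = {
    "Classic": {"RSA"},
    "Hybrid": {"RSA", "ML-DSA"},
    "PostQuantum": {"ML-DSA"},
}
# Signatures a validator must find, otherwise it errors. The Classic and
# Hybrid entries follow the matrix; the PostQuantum entry is an assumption,
# because the page lists only the PostQuantum/PostQuantum pairing.
REQUIRES = {"Classic": {"RSA"}, "Hybrid": {"RSA"}, "PostQuantum": {"ML-DSA"}}
# Signatures a validator checks when they are present.
VERIFIES = {
    "Classic": {"RSA"},
    "Hybrid": {"RSA", "ML-DSA"},
    "PostQuantum": {"ML-DSA"},
}


def outcome(creator, validator):
    """Return (works, detail) for a certificate made in `creator` mode."""
    missing = REQUIRES[validator] - EMITS[creator]
    if missing:
        return False, "no " + "/".join(sorted(missing)) + " signature"
    checked = EMITS[creator] & VERIFIES[validator]
    return True, "validated: " + ", ".join(sorted(checked))


def blockers(creator, inventory):
    """Validators in `inventory` (name -> mode) that would reject the cert."""
    result = {}
    for name, mode in sorted(inventory.items()):
        works, detail = outcome(creator, mode)
        if not works:
            result[name] = f"{mode}: {detail}"
    return result


# Constructed inventory of validating clients (hypothetical host names).
INVENTORY = {
    "api-gateway": "PostQuantum",
    "billing-svc": "Hybrid",
    "legacy-scanner": "Classic",
}

if __name__ == "__main__":
    for target in ("Hybrid", "PostQuantum"):
        print(target, "->", blockers(target, INVENTORY) or "no blockers")
```

An empty result for ''PostQuantum'' is the signal that the switch is safe for the inventoried clients; any entry names a validator that still needs an RSA signature.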

<code csharp>
CryptoConfig.DefaultMode = CryptoMode.PostQuantum;
</code>

----

===== Compatibility Matrix =====

^ Creator Mode ^ Validator Mode ^ Result ^
| Classic | Classic | Works |
| Classic | Hybrid | Works (only RSA validated) |
| Hybrid | Classic | Works (PQ extension ignored) |
| Hybrid | Hybrid | Works (both validated) |
| PostQuantum | Classic | Error (no RSA signature) |
| PostQuantum | Hybrid | Error (no RSA signature) |
| PostQuantum | PostQuantum | Works |

----

===== Further Reading =====

  * [[en:int:pqcrypt:business:migration-roadmap|Strategy]] - Timeline and risk assessment
  * [[en:int:pqcrypt:konzepte:sicherheit|Security]] - Threat model

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>migration hybrid classic postquantum}}