====== 1.1 Algorithms ======

Post-quantum algorithms in WvdS.System.Security.Cryptography.

----

===== ML-DSA (Digital Signatures) =====

**Module-Lattice-Based Digital Signature Algorithm**

Standardized in NIST FIPS 204((NIST FIPS 204: https://csrc.nist.gov/pubs/fips/204/final)).

==== Variants ====

^ Algorithm ^ Security Level ^ Signature Size ^ Public Key ^
| ML-DSA-44 | NIST Level 2 (~AES-128) | 2,420 bytes | 1,312 bytes |
| ML-DSA-65 | NIST Level 3 (~AES-192) | 3,309 bytes | 1,952 bytes |
| ML-DSA-87 | NIST Level 5 (~AES-256) | 4,627 bytes | 2,592 bytes |

**Default:** ML-DSA-65 (balanced between security and size)

==== Usage ====

  * Certificate signatures (X.509)
  * Document signatures (CMS/PKCS#7)
  * Code signing
  * TLS handshake

----

===== ML-KEM (Key Encapsulation) =====

**Module-Lattice-Based Key-Encapsulation Mechanism**

Standardized in NIST FIPS 203((NIST FIPS 203: https://csrc.nist.gov/pubs/fips/203/final)).

==== Variants ====

^ Algorithm ^ Security Level ^ Ciphertext ^ Public Key ^
| ML-KEM-512 | NIST Level 1 (~AES-128) | 768 bytes | 800 bytes |
| ML-KEM-768 | NIST Level 3 (~AES-192) | 1,088 bytes | 1,184 bytes |
| ML-KEM-1024 | NIST Level 5 (~AES-256) | 1,568 bytes | 1,568 bytes |

**Default:** ML-KEM-768 (balanced)

==== Usage ====

  * Key exchange (instead of ECDH)
  * Hybrid encryption
  * TLS key agreement
  * Ephemeral session keys

----

===== Hybrid Combination =====

In Hybrid mode, classical and PQ algorithms are combined:

^ Operation ^ Classical ^ Post-Quantum ^ Combination ^
| Signature | RSA-4096 / P-384 | ML-DSA-65 | Both in parallel |
| Key | ECDH P-384 | ML-KEM-768 | Secrets combined |
| Hash | SHA-384 | SHA-384 | Shared |

**Security Guarantee:** The system is secure as long as **one** of the algorithms is secure.

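Added example (not from the original page and not WvdS library code): the hybrid key path from the table above, using only standard .NET 8 classes. The two shared secrets are constructed random stand-ins, and the concatenate-then-HKDF-SHA384 combiner, the ''info'' label and the name ''CombineSecrets'' are assumptions, since the page states only that the secrets are combined.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed stand-ins for the two shared secrets. In a real exchange they
// come from the ECDH P-384 agreement and from ML-KEM-768 decapsulation.
byte[] ecdhSecret  = RandomNumberGenerator.GetBytes(48);
byte[] mlKemSecret = RandomNumberGenerator.GetBytes(32);
byte[] info = Encoding.UTF8.GetBytes("example-hybrid-session-v1"); // hypothetical context label

byte[] key = CombineSecrets(ecdhSecret, mlKemSecret, info);

// AES-256-GCM with a 96-bit nonce and a 128-bit tag.
byte[] nonce = RandomNumberGenerator.GetBytes(12); // must never repeat under the same key
byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample message");
byte[] ciphertext = new byte[plaintext.Length];
byte[] tag = new byte[16];
using (var enc = new AesGcm(key, tagSizeInBytes: 16))
    enc.Encrypt(nonce, plaintext, ciphertext, tag);

// A peer holding both secrets derives the same key and decrypts.
byte[] recovered = new byte[ciphertext.Length];
using (var dec = new AesGcm(CombineSecrets(ecdhSecret, mlKemSecret, info), tagSizeInBytes: 16))
    dec.Decrypt(nonce, ciphertext, tag, recovered);
Console.WriteLine(Encoding.UTF8.GetString(recovered));

// Knowing only one of the two secrets yields a different key: the tag check fails.
byte[] wrongPq = RandomNumberGenerator.GetBytes(32);
try
{
    using var bad = new AesGcm(CombineSecrets(ecdhSecret, wrongPq, info), tagSizeInBytes: 16);
    bad.Decrypt(nonce, ciphertext, tag, recovered);
}
catch (CryptographicException)
{
    Console.WriteLine("decryption rejected: ML-KEM secret did not match");
}

// Assumed combiner (the page only says "secrets combined"): HKDF-SHA384 over
// classical || post-quantum, producing a 256-bit key.
static byte[] CombineSecrets(byte[] classical, byte[] postQuantum, byte[] info)
{
    byte[] ikm = new byte[classical.Length + postQuantum.Length];
    classical.CopyTo(ikm, 0);
    postQuantum.CopyTo(ikm, classical.Length);
    try { return HKDF.DeriveKey(HashAlgorithmName.SHA384, ikm, 32, salt: null, info: info); }
    finally { CryptographicOperations.ZeroMemory(ikm); }
}
```

Because both secrets feed the HKDF input, an attacker must recover both the ECDH and the ML-KEM secret to reproduce the session key.
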
----

===== Symmetric Algorithms =====

For symmetric encryption with PQ-derived keys:

^ Algorithm ^ Key Size ^ Nonce ^ Tag ^ .NET Class ^
| AES-256-GCM | 256 bit | 96 bit | 128 bit | ''System.Security.Cryptography.AesGcm'' |
| ChaCha20-Poly1305 | 256 bit | 96 bit | 128 bit | ''System.Security.Cryptography.ChaCha20Poly1305'' |

**Quantum Security:** AES-256 and ChaCha20 are considered quantum-safe at full key size (Grover's algorithm halves effective strength -> 128 bit remains sufficient).

**Note:** These algorithms are built into .NET 8+. Use the standard .NET classes directly - no WvdS wrappers needed.

----

===== Key Derivation =====

^ Function ^ Standard ^ Usage ^
| HKDF | RFC 5869((RFC 5869: https://datatracker.ietf.org/doc/html/rfc5869)) | Session keys from shared secret |
| PBKDF2 | RFC 8018((RFC 8018: https://datatracker.ietf.org/doc/html/rfc8018)) | Password-based keys |
| Argon2id | RFC 9106((RFC 9106: https://datatracker.ietf.org/doc/html/rfc9106)) | Memory-hard (if available) |

----

===== Further Reading =====

  * [[.:sicherheit|Security]] - Threat model
  * [[en:int:pqcrypt:api:keyexchange|KeyExchange API]]
  * [[en:int:pqcrypt:api:signatures|Signatures API]]

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>algorithms ml-dsa ml-kem nist fips}}