~~NOTOC~~
====== Scenario 7.1: Crittografia ibrida ======

<WRAP round info>
**Categoria:** [[.:start|Crittografia]] \\
**Complessità:** Alta \\
**Prerequisiti:** Coppia chiavi ML-KEM, coppia chiavi classica \\
**Tempo stimato:** 20-30 minuti
</WRAP>

----

===== Descrizione =====

Questo scenario descrive la **crittografia ibrida** con algoritmi classici (RSA/ECDH) e Post-Quantum (ML-KEM). La crittografia ibrida combina entrambi i metodi per essere protetti sia contro attacchi classici che quantistici.

**Concetto:**
  * **Chiave classica** - Protezione contro minacce attuali
  * **Chiave PQ** - Protezione contro futuri computer quantistici
  * **Chiave combinata** - Sicurezza finché uno dei due è sicuro

----

===== Workflow =====

<mermaid>
flowchart LR
    subgraph Mittente
        DATA[Dati] --> SYM[AES-256-GCM]
        KEY1[RSA/ECDH Key Exchange] --> KDF
        KEY2[ML-KEM Key Encapsulation] --> KDF
        KDF[HKDF Combine] --> SYM
    end

    subgraph Destinatario
        SYM2[AES-256-GCM Decrypt]
        KDF2[HKDF Combine] --> SYM2
        DEC1[RSA/ECDH Decrypt] --> KDF2
        DEC2[ML-KEM Decapsulate] --> KDF2
    end

    SYM --> |Ciphertext| SYM2

    style KDF fill:#e8f5e9
    style KDF2 fill:#e8f5e9
</mermaid>

----

===== Esempio codice (C#) =====

<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Security.Cryptography;

using var ctx = PqCryptoContext.Initialize();

// Chiavi destinatario (entrambi gli algoritmi)
var recipientEcdh = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP384);
var recipientMlKem = ctx.GenerateKeyPair(PqAlgorithm.MlKem768);

// === CIFRATURA ===

// 1. Key Exchange classico (ECDH)
using var senderEcdh = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP384);
var ecdhSharedSecret = senderEcdh.DeriveKeyMaterial(recipientEcdh.PublicKey);

// 2. PQ Key Encapsulation (ML-KEM)
var (mlKemCiphertext, mlKemSharedSecret) = ctx.Encapsulate(recipientMlKem.PublicKey);

// 3. Combinare chiavi via HKDF
var combinedSecret = CombineSecrets(ecdhSharedSecret, mlKemSharedSecret);
var encryptionKey = ctx.DeriveKey(
    combinedSecret,
    outputLength: 32,
    salt: null,
    info: Encoding.UTF8.GetBytes("hybrid-encryption-v1")
);

// 4. Cifrare dati
var plaintext = Encoding.UTF8.GetBytes("Messaggio segreto");
var nonce = RandomNumberGenerator.GetBytes(12);
var ciphertext = new byte[plaintext.Length];
var tag = new byte[16];

using var aes = new OpenSslAesGcm(encryptionKey);
aes.Encrypt(nonce, plaintext, ciphertext, tag);

// 5. Assemblare messaggio cifrato
var encryptedMessage = new HybridEncryptedMessage
{
    EcdhPublicKey = senderEcdh.PublicKey.ExportSubjectPublicKeyInfo(),
    MlKemCiphertext = mlKemCiphertext,
    Nonce = nonce,
    Ciphertext = ciphertext,
    Tag = tag
};

Console.WriteLine($"Cifrato: {encryptedMessage.Ciphertext.Length} Bytes");
</code>

----

===== Decifratura =====

<code csharp>
// === DECIFRATURA ===

using var ctx = PqCryptoContext.Initialize();

// Caricare chiavi private destinatario
var recipientEcdh = ctx.LoadEcdhPrivateKey("recipient-ecdh.key.pem", "Password!");
var recipientMlKem = ctx.LoadPrivateKey("recipient-mlkem.key.pem", "Password!");

// 1. Key Exchange classico
var senderEcdhPubKey = ECDiffieHellman.Create();
senderEcdhPubKey.ImportSubjectPublicKeyInfo(encryptedMessage.EcdhPublicKey, out _);
var ecdhSharedSecret = recipientEcdh.DeriveKeyMaterial(senderEcdhPubKey.PublicKey);

// 2. PQ Key Decapsulation
var mlKemSharedSecret = ctx.Decapsulate(recipientMlKem, encryptedMessage.MlKemCiphertext);

// 3. Combinare chiavi
var combinedSecret = CombineSecrets(ecdhSharedSecret, mlKemSharedSecret);
var decryptionKey = ctx.DeriveKey(
    combinedSecret,
    outputLength: 32,
    salt: null,
    info: Encoding.UTF8.GetBytes("hybrid-encryption-v1")
);

// 4. Decifrare dati
var decrypted = new byte[encryptedMessage.Ciphertext.Length];

using var aes = new OpenSslAesGcm(decryptionKey);
aes.Decrypt(
    encryptedMessage.Nonce,
    encryptedMessage.Ciphertext,
    encryptedMessage.Tag,
    decrypted
);

var message = Encoding.UTF8.GetString(decrypted);
Console.WriteLine($"Decifrato: {message}");
</code>

----

===== Combinazione secret (HKDF) =====

<code csharp>
private static byte[] CombineSecrets(byte[] secret1, byte[] secret2)
{
    // Concat e Hash - metodo semplice ma sicuro
    // Alternativa: HKDF parallelo e XOR
    var combined = new byte[secret1.Length + secret2.Length];
    Buffer.BlockCopy(secret1, 0, combined, 0, secret1.Length);
    Buffer.BlockCopy(secret2, 0, combined, secret1.Length, secret2.Length);

    // HKDF Extract
    return HKDF.Extract(HashAlgorithmName.SHA256, combined);
}
</code>

----

===== Formato messaggio =====

<code csharp>
public class HybridEncryptedMessage
{
    // Header
    public string Version { get; set; } = "1.0";
    public string Algorithm { get; set; } = "ECDH-P384+ML-KEM-768/AES-256-GCM";

    // Key Encapsulation
    public byte[] EcdhPublicKey { get; set; }   // Chiave pubblica effimera ECDH
    public byte[] MlKemCiphertext { get; set; } // Ciphertext ML-KEM

    // Contenuto cifrato
    public byte[] Nonce { get; set; }           // 12 bytes
    public byte[] Ciphertext { get; set; }      // Variabile
    public byte[] Tag { get; set; }             // 16 bytes

    // Serializzazione
    public byte[] Serialize()
    {
        using var ms = new MemoryStream();
        using var writer = new BinaryWriter(ms);

        writer.Write(Version);
        writer.Write(Algorithm);
        writer.Write(EcdhPublicKey.Length);
        writer.Write(EcdhPublicKey);
        writer.Write(MlKemCiphertext.Length);
        writer.Write(MlKemCiphertext);
        writer.Write(Nonce.Length);
        writer.Write(Nonce);
        writer.Write(Ciphertext.Length);
        writer.Write(Ciphertext);
        writer.Write(Tag.Length);
        writer.Write(Tag);

        return ms.ToArray();
    }
}
</code>

----

===== Combinazioni di algoritmi =====

^  Combinazione  ^  Classico  ^  PQ  ^  Livello sicurezza  ^
| Standard | ECDH P-384 | ML-KEM-768 | 192-bit ibrido |
| Alta sicurezza | ECDH P-521 | ML-KEM-1024 | 256-bit ibrido |
| Supporto legacy | RSA-4096 + ECDH P-256 | ML-KEM-512 | 128-bit ibrido |
| Minimale | X25519 | ML-KEM-512 | 128-bit ibrido |

----

===== Requisiti specifici per settore =====

^  Settore  ^  Min. sicurezza  ^  Combinazione raccomandata  ^
| **Settore finanziario** | 192-bit | ECDH P-384 + ML-KEM-768 |
| **Sanità** | 128-bit | ECDH P-256 + ML-KEM-512 |
| **Governo** | 256-bit | ECDH P-521 + ML-KEM-1024 |
| **Energia** | 192-bit | ECDH P-384 + ML-KEM-768 |

----

===== Scenari correlati =====

^  Relazione  ^  Scenario  ^  Descrizione  ^
| **Componente** | [[.:key_encapsulation|7.2 Key Encapsulation]] | Dettagli ML-KEM |
| **Applicazione** | [[.:file_encryption|7.3 Crittografia file]] | Utilizzo pratico |
| **Correlato** | [[it:int:pqcrypt:szenarien:schluessel:generierung|11.1 Generazione chiavi]] | Creare chiavi |

----

<< [[.:start|← Panoramica crittografia]] | [[it:int:pqcrypt:szenarien:start|↑ Scenari]] | [[.:key_encapsulation|7.2 Key Encapsulation →]] >>

{{tag>scenario crittografia hybrid ml-kem ecdh}}

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//