Table of Contents

4.3 Migration

Step-by-step migration from classical to hybrid/post-quantum cryptography.


Migration Path

Phase 1          Phase 2          Phase 3          Phase 4
Classic    ->    Hybrid     ->    Hybrid+    ->    PostQuantum
(RSA only)       (RSA+ML-DSA)    (Validation)    (ML-DSA only)

Phase 1: Preparation

Goal: Install library, remain in Classic mode.

// No change to existing behavior
CryptoConfig.DefaultMode = CryptoMode.Classic;

Phase 2: Enable Hybrid

Goal: New certificates are PQ-protected, old ones continue to work.

// Activate hybrid mode
CryptoConfig.DefaultMode = CryptoMode.Hybrid;

What happens:


Phase 3: Enable Validation

Goal: PQ signatures are actively verified (not just generated).

// Build chain with PQ validation
var chain = new X509Chain();
bool valid = chain.Build(cert, CryptoMode.Hybrid);
// Check if PQ signature is present
if (cert.HasPqSignature())
{
    bool pqValid = cert.VerifyPqSignature();
}

Phase 4: Full PostQuantum (optional)

Goal: Only PQ algorithms, maximum security.

Only when all clients are PQ-capable!

CryptoConfig.DefaultMode = CryptoMode.PostQuantum;

Compatibility Matrix

Creator Mode    Validator Mode    Result
Classic         Classic           Works
Classic         Hybrid            Works (only RSA validated)
Hybrid          Classic           Works (PQ extension ignored)
Hybrid          Hybrid            Works (both validated)
PostQuantum     Classic           Error (no RSA signature)
PostQuantum     Hybrid            Error (no RSA signature)
PostQuantum     PostQuantum       Works
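The following Python model is an added example, not code from the original page or from the library it documents. It encodes the validation policy behind the four migration phases and the compatibility matrix above as a function of which signatures a certificate carries (RSA, ML-DSA extension, or both) and which ones the validator insists on, and it also derives the two pairings the table leaves out (Classic and Hybrid creators against a PostQuantum validator). `CryptoMode`, `Cert`, `issue`, `validate` and `safe_to_enter_phase4` are constructed stand-ins, and the model assumes every signature that is present verifies correctly.

```python
from dataclasses import dataclass
from enum import Enum


class CryptoMode(Enum):
    CLASSIC = "Classic"           # RSA only
    HYBRID = "Hybrid"             # RSA + ML-DSA extension
    POST_QUANTUM = "PostQuantum"  # ML-DSA only

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a certificate: which signatures it carries."""
    rsa_sig: bool
    pq_sig: bool  # ML-DSA signature carried in an extension


def issue(creator_mode: CryptoMode) -> Cert:
    """Signatures a creator in the given mode puts on a new certificate."""
    if creator_mode is CryptoMode.CLASSIC:
        return Cert(rsa_sig=True, pq_sig=False)
    if creator_mode is CryptoMode.HYBRID:
        return Cert(rsa_sig=True, pq_sig=True)
    return Cert(rsa_sig=False, pq_sig=True)


def validate(cert: Cert, validator_mode: CryptoMode) -> tuple[bool, str]:
    """Apply the validator's policy and return (accepted, reason).
    Assumes every signature that is present verifies, so the outcome depends
    only on which signatures exist and which ones the validator insists on."""
    if validator_mode is CryptoMode.CLASSIC:
        # A Classic validator ignores the (non-critical) PQ extension entirely.
        return (True, "RSA validated") if cert.rsa_sig else (False, "no RSA signature")
    if validator_mode is CryptoMode.HYBRID:
        # Hybrid keeps RSA mandatory and checks ML-DSA on top when it is present,
        # so a PostQuantum-only certificate is rejected here as well.
        if not cert.rsa_sig:
            return (False, "no RSA signature")
        return (True, "RSA + ML-DSA validated" if cert.pq_sig else "only RSA validated")
    # PostQuantum: RSA is no longer trusted at all.
    return (True, "ML-DSA validated") if cert.pq_sig else (False, "no PQ signature")


def compatibility_matrix() -> dict[tuple[str, str], tuple[bool, str]]:
    """Every creator/validator pairing, including the two the page's table omits."""
    return {(c.value, v.value): validate(issue(c), v) for c in CryptoMode for v in CryptoMode}

def safe_to_enter_phase4(client_modes: list[CryptoMode]) -> bool:
    """Phase 4 gate: only switch to PostQuantum when every client would still accept."""
    return all(validate(issue(CryptoMode.POST_QUANTUM), m)[0] for m in client_modes)
```

`safe_to_enter_phase4` is the check behind "only when all clients are PQ-capable": one remaining Classic or Hybrid validator is enough to make the switch an outage.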

Further Reading


Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional