L4Re Crypto Service

Post-Quantum Secure Cryptography for Edge Devices on L4Re Microkernel

Version 0.2.0 | OpenSSL 3.6 FIPS Provider | ML-KEM + ML-DSA + AES-256-GCM

Big Picture: Double-Layer Security

                              DOUBLE-LAYER SECURITY
====================================================================================

  +------------+     +-------------------+         +-----------------------+
  |   DEVICE   |     |  PQ-EDGE-GATEWAY  |         |      PQ-PROXY         |
  |  (Sensor)  |     | (L4Re Microkernel)|         |  (Cloudflare/Nginx)   |
  |            |     |                   |         |                       |
  | Sensor Data|---->|  Layer 1: Payload |-------->|  Layer 1: remains     |
  |            |     |  ML-KEM + AES-GCM |  HTTPS  |  encrypted            |
  |            |     |                   |  (443)  |                       |
  |            |     | Layer 2: Transport|         |                       |
  |            |     |  TLS 1.3 + ML-KEM |         |  terminated           |
  +------------+     +-------------------+         +-----------+-----------+
                                                              |
                                                              v
                    +-----------------------------------------------------+
                    |                    BACKEND                          |
                    |                                                     |
                    |  +----------+  +----------+  +------------------+   |
                    |  | API      |  | ML/AI    |  | Database         |   |
                    |  | Server   |  | Process. |  | (encrypted)      |   |
                    |  +----------+  +----------+  +------------------+   |
                    |                                                     |
                    +-----------------------------------------------------+

Why 2 Layers?
------------------------------------------------------------------------------------
Layer 2 (Transport): Protects against MITM on the wire, but the TLS-terminating proxy sees plaintext
Layer 1 (Payload):   End-to-end, only the backend holds the ML-KEM decapsulation key
                     => Even a compromised proxy sees only ciphertext, so no data leak
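The Layer 1 property described above, as an added example that is not code from the L4Re Crypto Service or its OpenSSL provider: the device encapsulates to the backend's ML-KEM-768 public key, uses the 32-byte shared key for AES-256-GCM, and ships the envelope over TLS; a proxy that terminates TLS holds only the envelope and cannot read or silently alter it. Go's standard-library crypto/mlkem (Go 1.24+) stands in for the service's ML-KEM; the envelope layout and the names NewBackendKey, SealPayload and OpenPayload are assumptions made for this illustration, as is the sample sensor reading.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard 96-bit GCM nonce

// Assumed envelope layout (the service's real wire format is not on the page):
//   [ML-KEM-768 ciphertext, 1088 B][GCM nonce, 12 B][AES-256-GCM ciphertext || 16 B tag]

// NewBackendKey creates the backend's ML-KEM-768 decapsulation key. Only the
// backend holds it; devices are provisioned with dk.EncapsulationKey().Bytes().
func NewBackendKey() (*mlkem.DecapsulationKey768, error) {
	return mlkem.GenerateKey768()
}

// SealPayload is the device side of Layer 1: encapsulate to the backend's public
// key, use the 32-byte shared key as the AES-256 key, and bind aad into the tag.
func SealPayload(ekBytes, plaintext, aad []byte) ([]byte, error) {
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return nil, err
	}
	shared, kemCt := ek.Encapsulate() // shared: 32 uniformly random bytes
	aead, err := newAESGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize) // fresh KEM key per envelope, so a random nonce is safe
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(kemCt)+nonceSize+len(plaintext)+aead.Overhead())
	out = append(out, kemCt...)
	out = append(out, nonce...)
	out = aead.Seal(out, nonce, plaintext, aad)
	zero(shared) // key material leaves memory once the AEAD state holds the schedule
	return out, nil
}

// OpenPayload is the backend side: decapsulate, then authenticate-and-decrypt.
// A tampered KEM ciphertext does not error out of Decapsulate (implicit rejection
// yields a different key); the GCM tag check is what rejects it.
func OpenPayload(dk *mlkem.DecapsulationKey768, envelope, aad []byte) ([]byte, error) {
	if len(envelope) < mlkem.CiphertextSize768+nonceSize+16 {
		return nil, errors.New("envelope too short")
	}
	kemCt := envelope[:mlkem.CiphertextSize768]
	nonce := envelope[mlkem.CiphertextSize768 : mlkem.CiphertextSize768+nonceSize]
	ct := envelope[mlkem.CiphertextSize768+nonceSize:]
	shared, err := dk.Decapsulate(kemCt)
	if err != nil {
		return nil, err
	}
	defer zero(shared)
	aead, err := newAESGCM(shared)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// zero wipes key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	dk, err := NewBackendKey()
	if err != nil {
		panic(err)
	}
	ekBytes := dk.EncapsulationKey().Bytes()      // provisioned to the device out of band
	aad := []byte("device-id=sensor-42")          // constructed metadata: bound, not hidden
	env, err := SealPayload(ekBytes, []byte("temp=21.5C"), aad) // constructed reading
	if err != nil {
		panic(err)
	}
	// After the proxy terminates TLS (Layer 2) it holds only env: still opaque.
	fmt.Printf("proxy sees %d opaque bytes\n", len(env))
	pt, err := OpenPayload(dk, env, aad)
	fmt.Printf("backend reads %q, err=%v\n", pt, err)
	env[len(env)-1] ^= 0x01 // one flipped bit in transit is caught by the GCM tag
	_, err = OpenPayload(dk, env, aad)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The shared key is used directly as the AES-256 key because ML-KEM already outputs a uniformly random 32-byte secret; a deployment would normally pass it through a KDF that binds protocol context, and would keep the authenticated `aad` (device id, request type) outside the encrypted body so the backend can route before decrypting. Because every envelope carries a fresh encapsulation, the random 96-bit nonce never repeats under one key, which is the failure mode the service's nonce tracking exists to guard against when a key is reused across requests.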

What You Get

The WvdS Crypto Service is a ready-to-use black box:

  • You compile NOTHING
  • You configure NOTHING
  • The daemon runs, you send requests - done

Available Operations

  Request-Type   Name            Description
  ------------   -------------   --------------------------------
  0x01           AES_ENCRYPT     AES-256-GCM encryption
  0x02           AES_DECRYPT     AES-256-GCM decryption
  0x10           MLDSA_SIGN      ML-DSA signature creation
  0x11           MLDSA_VERIFY    ML-DSA signature verification
  0x20           MLKEM_KEYGEN    ML-KEM key pair generation
  0x21           MLKEM_ENCAPS    ML-KEM encapsulation
  0x22           MLKEM_DECAPS    ML-KEM decapsulation

Basics

Integration

Reference

Security & Compliance

  • Security - Rate Limiting, Nonce Tracking, Zeroize
  • Compliance - NIS2, BSI TR-03116-4, FIPS 203/204

Support: Wolfgang van der Stille / EMSR DATA d.o.o. / DATECpro GmbH

Last modified: 2026/01/29 at 09:51 PM