Encryption Namespace
Namespace: WvdS.System.Security.Cryptography.Encryption
Contains classes for symmetric encryption with PQ key derivation.
Classes
| Class | Description |
|---|---|
| SymmetricEncryptionExtensions | AES-GCM encryption with PQ keys |
| HybridEncryptedData | Container for hybrid-encrypted data |
| PqCrypto | Convenience API for PQ encryption |
Encryption Modes
| Mode | Classic | ML-KEM | Usage |
|---|---|---|---|
| Classic | RSA-OAEP / ECDH | - | Standard .NET behavior |
| Hybrid | RSA-OAEP / ECDH | Yes | Maximum security |
| PostQuantum | - | Yes | Pure post-quantum |
Encryption Format
```
+------------------------------------------+
|          AES-GCM Encrypted Data          |
+------------------------------------------+
|  [12 Bytes]  Nonce (IV)                  |
|  [n Bytes]   Ciphertext                  |
|  [16 Bytes]  Authentication Tag          |
+------------------------------------------+
```
Example
```csharp
using System.Text;
using WvdS.System.Security.Cryptography.Encryption;
using WvdS.System.Security.Cryptography.KeyExchange;

// Shared secret from key exchange
// (`session` is the already completed key-exchange session)
byte[] sharedSecret = session.SharedSecret;

// Encrypt
byte[] plaintext = Encoding.UTF8.GetBytes("Secret message");
byte[] encrypted = SymmetricEncryptionExtensions.EncryptWithPqKey(
    plaintext, sharedSecret);

// Decrypt
byte[] decrypted = SymmetricEncryptionExtensions.DecryptWithPqKey(
    encrypted, sharedSecret);
```
Main Methods
SymmetricEncryptionExtensions
| Method | Description |
|---|---|
| EncryptWithPqKey | AES-GCM with PQ-derived key |
| DecryptWithPqKey | Decryption with PQ key |
| EncryptHybrid | RSA-OAEP + ML-KEM hybrid |
| DecryptHybrid | Hybrid decryption |
| EncryptEcdhPq | ECDH + ML-KEM hybrid |
| DecryptEcdhPq | ECDH+ML-KEM decryption |
| EncryptAesGcm | Standard AES-256-GCM |
| DecryptAesGcm | AES-GCM decryption |
| EncryptStream | Stream-based encryption |
| DecryptStream | Stream-based decryption |
PqCrypto
| Method | Description |
|---|---|
| GenerateKeyPair | Generate ML-KEM key pair |
| Encrypt | PQ encryption |
| Decrypt | PQ decryption |
Security Note
Key combination in Hybrid mode:
Combined Key = HKDF-SHA256(
ikm = classicSecret || pqSecret,
info = "WvdS-Hybrid-Key"
)
Even if an attacker compromises the classic secret, the encryption remains protected by the PQ secret (and vice versa).
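The blob layout from Encryption Format and the key combination above, as an added sketch that uses only the .NET 8 built-ins `HKDF` and `AesGcm`; it is not the WvdS library's own code. The 32-byte output length, the absent salt and the random per-message nonce are assumptions, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class HybridFormatSketch
{
    const int NonceSize = 12, TagSize = 16;

    // Assumption: 32-byte key (AES-256), no salt; the page gives only hash, ikm and info.
    static byte[] CombineSecrets(byte[] classicSecret, byte[] pqSecret)
    {
        byte[] ikm = new byte[classicSecret.Length + pqSecret.Length];
        classicSecret.CopyTo(ikm, 0);                  // ikm = classicSecret || pqSecret
        pqSecret.CopyTo(ikm, classicSecret.Length);
        return HKDF.DeriveKey(HashAlgorithmName.SHA256, ikm, 32,
            salt: null, info: Encoding.ASCII.GetBytes("WvdS-Hybrid-Key"));
    }

    // Output layout: [12-byte nonce][ciphertext][16-byte tag]
    static byte[] Seal(byte[] key, byte[] plaintext)
    {
        byte[] blob = new byte[NonceSize + plaintext.Length + TagSize];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        RandomNumberGenerator.Fill(nonce);             // a nonce must never repeat under one key
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext,
            blob.AsSpan(NonceSize, plaintext.Length), blob.AsSpan(blob.Length - TagSize));
        return blob;
    }

    static byte[] Open(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize)         // reject truncated input before slicing
            throw new CryptographicException("Blob shorter than nonce + tag.");
        int n = blob.Length - NonceSize - TagSize;
        byte[] plaintext = new byte[n];
        using var aes = new AesGcm(key, TagSize);
        // Throws a CryptographicException if nonce, ciphertext or tag was altered.
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize, n), blob.AsSpan(NonceSize + n), plaintext);
        return plaintext;
    }

    static void Main()
    {
        // Constructed random stand-ins for the classic and ML-KEM shared secrets.
        byte[] key = CombineSecrets(RandomNumberGenerator.GetBytes(32), RandomNumberGenerator.GetBytes(32));
        byte[] blob = Seal(key, Encoding.UTF8.GetBytes("Secret message"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(key, blob)));
        blob[NonceSize] ^= 0x01;                       // flip one ciphertext bit
        try { Open(key, blob); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```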
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/29 at 11:15 PM