4.3 Migration
Step-by-step migration from classical to hybrid/post-quantum cryptography.
Migration Path
```
Phase 1        Phase 2         Phase 3         Phase 4
Classic    ->  Hybrid      ->  Hybrid+     ->  PostQuantum
(RSA only)     (RSA+ML-DSA)    (Validation)    (ML-DSA only)
```
Phase 1: Preparation
Goal: Install library, remain in Classic mode.
```csharp
// No change to existing behavior
CryptoConfig.DefaultMode = CryptoMode.Classic;
```
- Install NuGet package
- Deploy OpenSSL 3.6 → Installation
- Run existing tests (must continue to pass)
Phase 2: Enable Hybrid
Goal: New certificates are PQ-protected, old ones continue to work.
```csharp
// Activate hybrid mode
CryptoConfig.DefaultMode = CryptoMode.Hybrid;
```
What happens:
- New certificates: RSA signature + ML-DSA signature (X.509 extension)
- Old certificates: Continue to be accepted
- Legacy clients: Ignore PQ extension, validate only RSA
Phase 3: Enable Validation
Goal: PQ signatures are actively verified (not just generated).
```csharp
// Build chain with PQ validation
var chain = new X509Chain();
bool valid = chain.Build(cert, CryptoMode.Hybrid);

// Check if PQ signature is present
if (cert.HasPqSignature())
{
    bool pqValid = cert.VerifyPqSignature();
}
```
Phase 4: Full PostQuantum (optional)
Goal: Only PQ algorithms, maximum security.
Only when all clients are PQ-capable!
```csharp
CryptoConfig.DefaultMode = CryptoMode.PostQuantum;
```
Compatibility Matrix
| Creator Mode | Validator Mode | Result |
|---|---|---|
| Classic | Classic | Works |
| Classic | Hybrid | Works (only RSA validated) |
| Hybrid | Classic | Works (PQ extension ignored) |
| Hybrid | Hybrid | Works (both validated) |
| PostQuantum | Classic | Error (no RSA signature) |
| PostQuantum | Hybrid | Error (no RSA signature) |
| PostQuantum | PostQuantum | Works |
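
The Phase 4 precondition and the matrix above can be turned into a pre-rollout check. The following is an added example, not part of the library: `Mode`, `MigrationGate` and the client inventory are hypothetical, and the rule that a PostQuantum validator accepts any certificate carrying an ML-DSA signature is an assumption, since the matrix lists only PostQuantum -> PostQuantum.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Local stand-in for the library's CryptoMode so the sketch compiles without the package.
enum Mode { Classic, Hybrid, PostQuantum }

static class MigrationGate
{
    // Signatures a creator in each mode puts on a certificate (see Migration Path).
    static (bool Rsa, bool MlDsa) Produces(Mode creator) => creator switch
    {
        Mode.Classic => (true, false),
        Mode.Hybrid => (true, true),
        _ => (false, true),
    };

    // Classic and Hybrid validators need the RSA signature (matrix rows 1-6).
    // Assumption: a PostQuantum validator needs only the ML-DSA signature.
    public static bool Accepts(Mode creator, Mode validator)
    {
        var (rsa, mlDsa) = Produces(creator);
        return validator == Mode.PostQuantum ? mlDsa : rsa;
    }

    // Clients whose validator would reject certificates issued in the target mode.
    public static List<string> Blockers(Mode target, IReadOnlyDictionary<string, Mode> inventory) =>
        inventory.Where(kv => !Accepts(target, kv.Value))
                 .Select(kv => kv.Key).OrderBy(name => name).ToList();

    static void Main()
    {
        // Constructed inventory: client name -> validator mode it runs today.
        var inventory = new Dictionary<string, Mode>
        {
            ["legacy-gateway"] = Mode.Classic,
            ["api-backend"] = Mode.Hybrid,
            ["signing-service"] = Mode.PostQuantum,
        };
        foreach (Mode target in Enum.GetValues<Mode>())
        {
            var blockers = Blockers(target, inventory);
            Console.WriteLine(blockers.Count == 0
                ? $"{target}: safe to enable"
                : $"{target}: blocked by {string.Join(", ", blockers)}");
        }
    }
}
```

Any client reported as a blocker for `PostQuantum` must be upgraded before `CryptoConfig.DefaultMode` is switched in Phase 4.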
Further Reading
Last modified: on 2026/01/29 at 11:34 PM