7. Encryption
Scenarios: 3
FFI Functions: ~25
Status: Planned
This category covers all scenarios for post-quantum secure encryption: hybrid encryption with ML-KEM, key encapsulation, and symmetric encryption.
Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 7.1 | Hybrid Encryption | ECDH + ML-KEM combined | | Planned |
| 7.2 | Key Encapsulation | ML-KEM for key exchange | * | Planned |
| 7.3 | File Encryption | Encrypt large files | * | Planned |
Hybrid Encryption Workflow
```mermaid
sequenceDiagram
    participant A as Alice (Sender)
    participant B as Bob (Recipient)
    Note over B: Generate key pair
    B->>A: Public Key (ECDH + ML-KEM)
    Note over A: Key Encapsulation
    A->>A: ECDH SharedSecret + ML-KEM Ciphertext
    A->>A: HKDF(ECDH || ML-KEM) -> KEK
    A->>A: AES-GCM Encrypt(KEK, Plaintext)
    A->>B: ECDH Ephemeral PK + ML-KEM Ciphertext + AES Ciphertext
    Note over B: Key Decapsulation
    B->>B: ECDH SharedSecret + ML-KEM Decapsulate
    B->>B: HKDF(ECDH || ML-KEM) -> KEK
    B->>B: AES-GCM Decrypt(KEK, Ciphertext)
```
Algorithms
| Component | Algorithm | Security Level | Standard |
|---|---|---|---|
| Key Encapsulation (PQ) | ML-KEM-768 | 192 bit | NIST FIPS 203 |
| Key Exchange (classical) | ECDH P-384 | 192 bit | NIST SP 800-56A |
| Key Derivation | HKDF-SHA384 | - | RFC 5869 |
| Symmetric Encryption | AES-256-GCM | 256 bit | NIST SP 800-38D |
Hybrid Principle: Both algorithms (ECDH + ML-KEM) must be broken to compromise the encryption.
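The workflow and algorithm table above, as an added stand-alone example (not the page's or the WvdS library's code): a Go 1.24+ implementation of the same combiner using only the standard library (crypto/ecdh P-384, crypto/mlkem ML-KEM-768, HKDF-SHA384 written out with crypto/hmac, AES-256-GCM). The zero HKDF salt, the info label "hybrid-kek" and the nonce || ciphertext layout are assumptions of this example, not the library's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha512"
	"errors"
)
// deriveKEK is HKDF-SHA384 (RFC 5869) over ecdhSS || mlkemSS: zero salt, assumed info "hybrid-kek", 32-byte output.
func deriveKEK(ecdhSS, mlkemSS []byte) []byte {
	ext := hmac.New(sha512.New384, make([]byte, sha512.Size384)) // HKDF-Extract
	ext.Write(ecdhSS)
	ext.Write(mlkemSS)
	exp := hmac.New(sha512.New384, ext.Sum(nil)) // HKDF-Expand, first block: HMAC(PRK, info || 0x01)
	exp.Write([]byte("hybrid-kek\x01"))
	return exp.Sum(nil)[:32] // AES-256 key
}
func gcmFor(kek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kek) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// HybridEncrypt (Alice): ephemeral ECDH P-384 + ML-KEM-768, then AES-256-GCM under the combined KEK; returns the ephemeral ECDH public key, the ML-KEM ciphertext and nonce || AES-GCM ciphertext (assumed layout).
func HybridEncrypt(ecdhPub *ecdh.PublicKey, kemPub *mlkem.EncapsulationKey768, plaintext []byte) ([]byte, []byte, []byte, error) {
	eph, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	ecdhSS, err := eph.ECDH(ecdhPub)
	if err != nil { return nil, nil, nil, err }
	mlkemSS, kemCT := kemPub.Encapsulate()
	gcm := gcmFor(deriveKEK(ecdhSS, mlkemSS))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return eph.PublicKey().Bytes(), kemCT, gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// HybridDecrypt (Bob): rebuilds the KEK from ECDH agreement + ML-KEM decapsulation; a tampered kemCT decapsulates to an unrelated secret (implicit rejection), so the GCM tag check fails instead of returning anything usable.
func HybridDecrypt(ecdhPriv *ecdh.PrivateKey, kemPriv *mlkem.DecapsulationKey768, ephPub, kemCT, sealed []byte) ([]byte, error) {
	pub, err := ecdh.P384().NewPublicKey(ephPub) // rejects encodings that are not valid P-384 points
	if err != nil { return nil, err }
	ecdhSS, err := ecdhPriv.ECDH(pub)
	if err != nil { return nil, err }
	mlkemSS, err := kemPriv.Decapsulate(kemCT) // only a wrong-length ciphertext is an error here
	if err != nil { return nil, err }
	gcm := gcmFor(deriveKEK(ecdhSS, mlkemSS))
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("sealed message shorter than GCM nonce")
}
```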
Usage Scenarios
| Application | Recommended Mode | Rationale |
|---|---|---|
| Long-term archiving | ML-KEM (PQ-only) | Data must remain secure 20+ years |
| Current communication | Hybrid | Compatibility + future-proofing |
| Legacy systems | ECDH (Classic) | No PQ support |
Quick Start Code
Hybrid Encryption
```csharp
using System.Text;
using WvdS.Security.Cryptography.Extensions.PQ;

// ctx: the library's cryptographic context object (obtained elsewhere; not shown here)

// Recipient: generate the hybrid key pair (ECDH P-384 + ML-KEM-768)
using var recipientKey = ctx.GenerateHybridKeyPair(
    classicAlgorithm: EcdhCurve.P384,
    pqAlgorithm: PqAlgorithm.MlKem768
);
var publicKeyPem = recipientKey.ExportPublicKeyPem();

// Sender: encrypt to the recipient's public key
var (ciphertext, encapsulatedKey) = ctx.HybridEncrypt(
    plaintext: Encoding.UTF8.GetBytes("Secret message"),
    recipientPublicKey: publicKeyPem
);

// Recipient: decrypt with the private key
var plaintext = ctx.HybridDecrypt(
    ciphertext: ciphertext,
    encapsulatedKey: encapsulatedKey,
    privateKey: recipientKey
);
```
File Encryption
```csharp
// Encrypt a large file (streaming) to the recipient's public key in hybrid mode
await ctx.EncryptFileAsync(
    inputPath: "document.pdf",
    outputPath: "document.pdf.enc",
    recipientPublicKey: publicKeyPem,
    mode: CryptoMode.Hybrid
);

// Decrypt with the recipient's private key
await ctx.DecryptFileAsync(
    inputPath: "document.pdf.enc",
    outputPath: "document-decrypted.pdf",
    privateKey: recipientKey
);
```
Related Categories
| Category | Relationship |
|---|---|
| 11. Key Management | Manage key pairs |
| 10. TLS/mTLS | Key exchange in TLS handshake |
| 12. Import/Export | Export encrypted keys |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 12:34 AM