Supported Algorithms — Encryption, Key Exchange & Signatures

ANKASecure release: v3.0.0

Last update: 2025-01-18 (Policy templates expansion: 15 → 20 templates, ARIA support added)

Algorithm Coverage Summary

Category	Algorithm Families	Total Variants	Highlights
Post-Quantum KEM	8 families	21 algorithms	ML-KEM ✅, HQC (NIST backup), CMCE, BIKE, SABER, NTRU, FrodoKEM
Post-Quantum Signatures	3 families	11 algorithms	ML-DSA ✅, Falcon, SLH-DSA ✅
Symmetric AEAD	7 families	19 algorithms	AES-GCM ✅, ChaCha20, Camellia, ARIA (Korea), SEED, SM4
Classical Asymmetric	3 families	10 algorithms	RSA-OAEP, ECDH-ES (P-384 ✅), XDH (X448), EdDSA (Ed448)
Classical Signatures	4 families	10 algorithms	ECDSA (P-384 ✅), SM2, GOST R 34.10-2012, RSA-PSS
Symmetric MACs	4 constructions	14 algorithms	HMAC (SHA-2/3/SM3/Streebog), CMAC ✅, KMAC
Stateful Signatures	2 families	2 algorithms	XMSS ✅, LMS ✅ (NSA firmware signing)
TOTAL	28 families	81 algorithms	8 CNSA 2.0 approved ✅ (no transitional - EC removed)

Market Coverage (20 Policy Templates Available):

🌎 Global: NIST (15 families), ISO (all certified), IETF (Internet protocols)
🇺🇸 USA Federal: NIST_APPROVED template (all FIPS + PQC finalists)
🇺🇸 USA Defense: US_NSA_CNSA template (CNSA 2.0 quantum-resistant suite)
🇪🇺 European Union: EU_COMPLIANT template (ENISA levels 3-5)
🇩🇪 Germany: BSI_COMPLIANT template (TR-02102-1, includes FRODO)
🇫🇷 France: ANSSI_COMPLIANT template (Defense, includes FALCON)
🇪🇺 EU Telecom: ETSI_QSC template (5G/6G, includes HQC)
🇯🇵 Japan: JAPAN_CRYPTREC template (e-Government Recommended Ciphers)
🇨🇳 China: CHINA_GMT_COMPLIANT template (SM2, SM3, SM4 mandatory)
🇰🇷 South Korea: KOREA_KCMVP template (SEED, ARIA, AES via KISA/ISO)
🇲🇾 Malaysia: MALAYSIA_MYSEAL template (23 algorithms approved)
🇷🇺 Russia: GOST_COMPLIANT template (Federal Law 149-FZ mandatory)
🇸🇦 Saudi Arabia: SAUDI_NCA_COMPLIANT template (NCA-NCS-1:2020)
🏦 Finance Sector: FINANCE_COMPLIANT template (PCI-DSS, SOC2, ISO 27001)
🔄 PQC Migration: PQC_TRANSITION template (Hybrid classical+PQC)

Security Posture:

✅ 100% symmetric encryption is AEAD (authenticated)
✅ 20 post-quantum algorithms (quantum-safe)
✅ FIPS 140-3 ready (NIST SP 800-90A DRBG, requires FIPS-certified HSM for operational compliance)
✅ RFC 7515/7516/7518 compliant (JWS/JWE/JWA)

Quick Start Guide

For Encryption (Confidentiality)

Quantum-safe: Use ML-KEM-768 ✅ (CNSA 2.0)
High performance: Use AES-256-GCM ✅ or ChaCha20-Poly1305
Japan market: Use Camellia-GCM-256 (CRYPTREC)
Korea market: Use ARIA-GCM-256 (modern, ISO) or SEED-GCM-128 (legacy)
China market: Use SM4-GCM-128 or AES-256-GCM (GM/T compliance)
Russia market: Use HMAC-Streebog for MAC, GOST-R34.10-2012 for signatures (encryption pending MGM implementation)
Saudi Arabia market: Use AES-256-GCM or Camellia-GCM-256 (NCA NCS)

For Digital Signatures (Non-repudiation)

Quantum-safe: Use ML-DSA-65 ✅ (CNSA 2.0)
Compact size: Use Falcon-512
Classical: Use ECDSA P-384 ✅ (CNSA 2.0 transitional)
China market: Use SM2
Russia market: Use GOST-R34.10-2012-256

For Message Authentication (Integrity, Shared Key)

General use: Use HMAC-SHA384 ✅ (CNSA 2.0)
High throughput: Use HMAC-SHA256
China market: Use HMAC-SM3
Russia market: Use HMAC-Streebog-512

1 • Encryption and Key Exchange (Confidentiality)

Purpose: Protect data confidentiality using encryption Key Characteristic: Prevents unauthorized reading of data

1.1 • Post-Quantum Key Encapsulation (Quantum-safe)

Algorithm	Variant	NIST Level	Use Cases	Standards	Policy Templates
ML-KEM	ML-KEM-512	I (128-bit)	IoT gateways	NIST FIPS 203, BSI, ANSSI, ENISA, IETF, CRYPTREC	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, ETSI_QSC, IETF_RFC, JAPAN_CRYPTREC, PQC_TRANSITION
	ML-KEM-768 ✅	III (192-bit)	Finance, healthcare, CNSA 2.0	NIST FIPS 203, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, ETSI_QSC, JAPAN_CRYPTREC, EU_COMPLIANT, PQC_TRANSITION
	ML-KEM-1024	V (256-bit)	Government, defense	NIST FIPS 203, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION
HQC	HQC-128	I (128-bit)	VPN endpoints, email gateways	NIST (backup Mar 2025), ETSI	NIST_APPROVED, ETSI_QSC
	HQC-192	III (192-bit)	Enterprise VPN, secure communications	NIST (backup Mar 2025), ETSI	NIST_APPROVED, ETSI_QSC
	HQC-256	V (256-bit)	Defense, high-security VPN	NIST (backup Mar 2025), ETSI	NIST_APPROVED, ETSI_QSC
FrodoKEM	FRODO-640	I (128-bit)	Conservative PQC, general use (Note: BSI recommends FRODO-976 or higher for long-term protection)	BSI TR-02102	BSI_COMPLIANT
	FRODO-976	III (192-bit)	BSI recommended, long-term archives	BSI TR-02102	BSI_COMPLIANT
	FRODO-1344	V (256-bit)	Maximum security, archives >50yr	BSI TR-02102	BSI_COMPLIANT
Classic McEliece	CMCE-460896	III (192-bit)	Ultra-conservative, 40+ yrs research (Note: NIST notes this parameter set may not fully meet Category 3 security target)	NIST PQC Round 4 Finalist	NIST_APPROVED, BSI_COMPLIANT
	CMCE-6688128	V (256-bit)	Defense, long-term state secrets	NIST PQC Round 4 Finalist	NIST_APPROVED, BSI_COMPLIANT
BIKE	BIKE-128	I (128-bit)	VPN endpoints, TLS experiments (⚠️ EXPERIMENTAL - NIST selected HQC in Round 4)	None (not standardized)	None
	BIKE-192	III (192-bit)	Enterprise VPN, secure comms (⚠️ EXPERIMENTAL - NIST selected HQC in Round 4)	None (not standardized)	None
	BIKE-256	V (256-bit)	High-security networks (⚠️ EXPERIMENTAL - NIST selected HQC in Round 4)	None (not standardized)	None
SABER	LIGHTSABER-128	I (128-bit)	IoT, embedded systems (⚠️ EXPERIMENTAL - Lost to Kyber/ML-KEM)	None (not standardized)	None
	SABER-192	III (192-bit)	General enterprise use (⚠️ EXPERIMENTAL - Lost to Kyber/ML-KEM)	None (not standardized)	None
	FIRESABER-256	V (256-bit)	High-security deployments (⚠️ EXPERIMENTAL - Lost to Kyber/ML-KEM)	None (not standardized)	None
NTRU	NTRU-701	III (192-bit)	Fast KEM, IoT gateways (⚠️ EXPERIMENTAL - NTRU KEM not standardized by NIST)	ISO/IEC 18033-2 only	None
	NTRU-1373	V (256-bit)	High-speed secure comms (⚠️ EXPERIMENTAL - NTRU KEM not standardized by NIST)	ISO/IEC 18033-2 only	None
NTRU Prime	NTRUPRIME-761	III (192-bit)	NTRU with cleaner proofs (⚠️ EXPERIMENTAL - Did not advance to NIST Round 4)	None (not standardized)	None
	NTRUPRIME-857	III (192-bit)	Conservative NTRU variant (⚠️ EXPERIMENTAL - Did not advance to NIST Round 4)	None (not standardized)	None

1.2 • Classical Asymmetric Encryption

Algorithm	Key Size	Encryption Method	Standards	Policy Templates
RSA	2048 bits ⚠️	RSA-OAEP-512 (SHA-512 + MGF1)	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, IETF_RFC, SAUDI_NCA_COMPLIANT, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT, EU_COMPLIANT (deprecated 2030-12-31)
	3072-8192 bits	RSA-OAEP-512 (SHA-512 + MGF1)	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All above templates
EC	P-256	ECDH-ES+A256KW	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, ETSI_QSC, IETF_RFC, SAUDI_NCA_COMPLIANT, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION
	P-384 ⚠️	ECDH-ES+A256KW	NIST, ISO, ETSI, NSA (transitional), BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All above templates (NSA CNSA 2.0 transitional until 2030)
	P-521	ECDH-ES+A256KW	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All above templates
OKP	X25519	X25519	Curve25519 ECDH (key agreement)	NIST, IETF, ISO
OKP	X448	X448	Curve448 ECDH (key agreement, high security)	NIST, IETF, ISO

1.3 • Symmetric Authenticated Encryption (AEAD)

Note: All symmetric encryption in ANKASecure is AEAD (provides confidentiality + integrity)

Algorithm	Variants	Block Size	Use Cases	Standards	Policy Templates
AES-GCM	128/192/256-bit	128-bit	General-purpose, streaming media	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family (15 templates)
AES-CCM	128/192/256-bit	128-bit	Constrained devices, IoT	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family (15 templates)
ARIA-GCM	128/192/256-bit	128-bit	Korean government/industry	ISO, IETF, KISA	KOREA_KCMVP, GLOBAL_ISO_COMPLIANT, IETF_RFC
ARIA-CCM	128/192/256-bit	128-bit	Korean IoT, embedded	ISO, KISA	KOREA_KCMVP, GLOBAL_ISO_COMPLIANT
ChaCha20-Poly1305	256-bit	Stream	Mobile, web, TLS 1.3	IETF RFC 8439, MYSEAL	IETF_RFC, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT
Camellia-GCM	128/192/256-bit	128-bit	Asian markets (Japan)	ISO, IETF, NESSIE, CRYPTREC, MYSEAL	JAPAN_CRYPTREC, MALAYSIA_MYSEAL, SAUDI_NCA_COMPLIANT, GLOBAL_ISO_COMPLIANT
SEED-GCM	128-bit	128-bit	Korean government (legacy)	KISA, CRYPTREC, ISO, IETF, MYSEAL	KOREA_KCMVP, JAPAN_CRYPTREC, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT, IETF_RFC
SM4-GCM	128-bit	128-bit	Chinese government, GM/T	GMT, ISO	CHINA_GMT_COMPLIANT, GLOBAL_ISO_COMPLIANT
SM4-CCM	128-bit	128-bit	Chinese government, IoT	GMT, ISO	CHINA_GMT_COMPLIANT, GLOBAL_ISO_COMPLIANT

2 • Digital Signatures (Non-repudiation, Asymmetric)

Purpose: Prove WHO signed a document (non-repudiation)

Key Characteristic: Requires private key to sign, anyone can verify with public key

2.1 • Post-Quantum Signatures (Quantum-safe)

Algorithm	Variant	NIST Level	Signature Size	Use Cases	Standards	Policy Templates
ML-DSA	ML-DSA-44	II	Medium	Business docs, DevOps	NIST FIPS 204, BSI, ANSSI, ENISA, CRYPTREC	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, PQC_TRANSITION
(Dilithium)	ML-DSA-65 ✅	III	Medium	Financial, CA certs, CNSA 2.0	NIST FIPS 204, NSA, BSI, ANSSI, ENISA, CRYPTREC	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, EU_COMPLIANT, PQC_TRANSITION
	ML-DSA-87	V	Large	Government, eID	NIST FIPS 204, NSA, BSI, ANSSI, ENISA, CRYPTREC	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION
Falcon	Falcon-512	I	Smallest	IoT, blockchain	ANSSI, ENISA, NIST	ANSSI_COMPLIANT, NIST_APPROVED, BSI_COMPLIANT, EU_COMPLIANT
	Falcon-1024	V	Small	Satellite, low-bandwidth	ANSSI, ENISA, NIST	ANSSI_COMPLIANT, NIST_APPROVED, BSI_COMPLIANT, EU_COMPLIANT
SLH-DSA	SHA2-128S/F	I	Largest	Long-term where size OK	NIST FIPS 205, BSI, ANSSI, ENISA	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT
(SPHINCS+)	SHA2-192S/F ✅	III	Very Large	Legal archives, CNSA 2.0	NIST FIPS 205, NSA, BSI, ANSSI, ENISA	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, EU_COMPLIANT
	SHA2-256S/F ✅	V	Huge	Military, CNSA 2.0	NIST FIPS 205, NSA, BSI, ANSSI, ENISA	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, EU_COMPLIANT

2.2 • Classical Asymmetric Signatures

Algorithm	Curve/Key	Hash Function	JWS Algorithm	Use Cases	Standards	Policy Templates
ECDSA	P-256	SHA-256	ES256	Mobile apps, JWT	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, ETSI_QSC, IETF_RFC, SAUDI_NCA_COMPLIANT, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION
	P-384 ⚠️	SHA-384	ES384	Enterprise, CNSA 2.0 transitional (until 2030)	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All above templates (note: NSA deprecated post-2030)
	P-521	SHA-512	ES512	High-security classical	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All above templates
EdDSA	Ed25519	Ed25519	EdDSA (compact signatures)	NIST, IETF, ISO, BSI, ANSSI, ENISA	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, ETSI_QSC, IETF_RFC, EU_COMPLIANT, PQC_TRANSITION
EdDSA	Ed448	Ed448	EdDSA (high-security signatures)	NIST, IETF, ISO, BSI, ANSSI, ENISA	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION
SM2	256-bit EC	SM3	SM2	Chinese government, GB/T	ISO, GMT, MYSEAL	CHINA_GMT_COMPLIANT, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT
GOST R 34.10-2012	256-bit EC	Streebog-256	GOST-R34.10-2012-256	Russian government, GOST	GOST, ISO	GOST_COMPLIANT, GLOBAL_ISO_COMPLIANT
RSA-PSS	2048-8192	SHA-256	PS256	Legacy PKI, dual-signatures	NIST, ISO, ETSI, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, IETF_RFC, SAUDI_NCA_COMPLIANT, MALAYSIA_MYSEAL, GLOBAL_ISO_COMPLIANT, EU_COMPLIANT, PQC_TRANSITION

2.3 • Stateful Hash-based Signatures ⚠️

Critical Warning: These algorithms maintain state (signature counter) and are incompatible with stateless REST APIs.

Algorithm	Max Signatures	State Management	Standards	Policy Templates	Recommendation
XMSS	2²⁰ (1,048,576)	Required	NIST SP 800-208, ISO, ETSI, NSA, BSI, IETF, CRYPTREC, MYSEAL	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, ETSI_QSC, IETF_RFC, MALAYSIA_MYSEAL	⚠️ Use ML-DSA instead (stateless)
LMS	2²⁰ (1,048,576)	Required	NIST SP 800-208, ISO, ETSI, NSA, BSI, IETF, CRYPTREC, MYSEAL	US_NSA_CNSA, NIST_APPROVED, BSI_COMPLIANT, ANSSI_COMPLIANT, JAPAN_CRYPTREC, ETSI_QSC, IETF_RFC, MALAYSIA_MYSEAL	⚠️ Use SLH-DSA instead (stateless)

Why not recommended: ANKASecure is a stateless REST API. Stateful signatures require: - Persistent counter storage across requests - State backup and recovery mechanisms - No support for distributed/load-balanced deployments

Alternatives: Use ML-DSA or SLH-DSA (stateless post-quantum signatures)

3 • Message Authentication Codes - MACs (Integrity, Symmetric)

Purpose: Verify message integrity and authenticity with shared secret key

Key Characteristic: Fast authentication, but BOTH parties share the same key (repudiable)

When to use MACs vs Signatures:

✅ Use MACs: Internal APIs, JWT between your services, high-throughput
❌ Use Signatures: Contracts, third-party verification, non-repudiation needed

3.1 • HMAC (Hash-based Message Authentication Code)

How it works: Combines a hash function with a secret key using nested hashing

Standard: RFC 2104 (HMAC), NIST FIPS 198-1

Variants (different hash functions):

Hash Family	Variant	Output Size	Performance	Use Cases	Standards	Policy Templates
SHA-2	HMAC-SHA256	256-bit	Fast	API auth, JWT	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family (15 templates)
	HMAC-SHA384 ✅	384-bit	Fast	Enterprise, CNSA 2.0	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	US_NSA_CNSA, All templates with "oct" family
	HMAC-SHA512	512-bit	Fast	Maximum strength	NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	US_NSA_CNSA, All templates with "oct" family
SHA-3	HMAC-SHA3-256	256-bit	Medium	SHA-3 compliance	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family (15 templates)
	HMAC-SHA3-384	384-bit	Medium	SHA-3 high security	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family
	HMAC-SHA3-512	512-bit	Medium	SHA-3 maximum	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC, MYSEAL	All templates with "oct" family
SM3	HMAC-SM3	256-bit	Fast	Chinese GB/T compliance	ISO, GMT	CHINA_GMT_COMPLIANT, GLOBAL_ISO_COMPLIANT
Streebog	HMAC-Streebog-256	256-bit	Fast	Russian GOST compliance	GOST, ISO	GOST_COMPLIANT, GLOBAL_ISO_COMPLIANT
	HMAC-Streebog-512	512-bit	Fast	Russian GOST maximum	GOST, ISO	GOST_COMPLIANT, GLOBAL_ISO_COMPLIANT

All HMAC variants:

✅ Quantum-resistant (Grover bounded)
✅ Fast (software optimized)
✅ Widely supported

3.2 • CMAC (Cipher-based Message Authentication Code)

How it works: Uses a block cipher (AES) in CBC mode to create MAC

Standard: NIST SP 800-38B, RFC 4493

Variants (different key sizes):

Cipher	Variant	Key Size	Use Cases	Standards	Policy Templates	Note
AES	CMAC-AES-128	128-bit	Legacy systems	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC	All templates with "oct" family	⚠️ LEGACY - upgrade to ≥192-bit recommended
	CMAC-AES-192	192-bit	Enhanced security	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC	All templates with "oct" family	✅ Recommended
	CMAC-AES-256 ✅	256-bit	CNSA 2.0, zero-trust	NIST, ISO, BSI, ANSSI, ENISA, IETF, CRYPTREC, NSA	US_NSA_CNSA, All templates with "oct" family	✅ Maximum security

When to use CMAC:

✅ Hardware with AES acceleration
✅ Existing AES infrastructure
⚠️ Otherwise prefer HMAC (more flexible, easier to implement)

3.3 • KMAC (Keccak Message Authentication Code)

How it works: SHA-3 derived function with variable-length output

Standard: NIST SP 800-185

Variants:

Variant	Security Strength	Key Size	Use Cases	Standards	Policy Templates
KMAC128	128-bit	256-bit	SHA-3 compliance	NIST, BSI, ANSSI, ENISA, CRYPTREC	All templates with "oct" family (15 templates)
KMAC256	256-bit	512-bit	SHA-3 maximum security	NIST, BSI, ANSSI, ENISA, CRYPTREC	All templates with "oct" family (15 templates)

When to use KMAC:

✅ Require SHA-3 family (FIPS 202)
✅ Need customizable output length
⚠️ Otherwise prefer HMAC-SHA384 (more widely supported)

4 • Understanding Cryptographic Constructions

What is a Construction?

A construction is a cryptographic recipe that takes a base primitive (hash, cipher) and builds a higher-level operation:

HMAC (Construction):
├─ Input: Hash function + secret key
├─ Process: Nested hashing with key mixing
├─ Output: Message authentication code
└─ Variants: HMAC-SHA256, HMAC-SHA384, HMAC-SM3, etc.
    (Same construction, different hash functions)

CMAC (Construction):
├─ Input: Block cipher + secret key
├─ Process: CBC-MAC with cipher
├─ Output: Message authentication code
└─ Variants: CMAC-AES-128, CMAC-AES-256
    (Same construction, different key sizes)

Algorithm vs Construction vs Variant

Term	Definition	Examples	Count
Base Algorithm	Fundamental primitive	SHA-256, AES, ECDSA	~15
Construction	Recipe using base algorithm	HMAC, CMAC, KMAC, GCM	~5
Variant	Specific configuration	HMAC-SHA256, AES-GCM-256	~50

Key Insight: ANKASecure has ~15 base algorithms but ~50 variants (configurations).

Why Multiple Variants?

1. Security Strength Matching:

HMAC-SHA256: 128-bit security (good for most uses)
HMAC-SHA384: 192-bit security (CNSA 2.0 requirement)
HMAC-SHA512: 256-bit security (maximum classical)

2. Regional Compliance:

HMAC-SHA256: Global (NIST, ISO)
HMAC-SM3: China (GB/T mandatory)

3. Performance Trade-offs:

HMAC-SHA256: Fastest
HMAC-SHA512: Slightly slower, stronger
CMAC-AES-256: Hardware accelerated if AES-NI available

5 • Algorithm Selection Guide

5.1 • For Encryption Decision Tree

graph TD
    Start(["What security model?"])

    Start --> QSafe{"Need quantum-safe<br/>future-proof?"}
    Start --> Classical{"Classical asymmetric<br/>pre-2030?"}
    Start --> Symmetric{"Symmetric bulk<br/>encryption?"}

    QSafe -->|YES| MLKEM["ML-KEM-768 ✅<br/>CNSA 2.0"]

    Classical -->|RSA Legacy| RSAOAEP["RSA-OAEP-512<br/>All key sizes 2048-8192"]
    Classical -->|EC Modern| ECDH["ECDH-ES+A256KW<br/>P-384 ✅ CNSA 2.0"]

    Symmetric --> Market{"Which market?"}
    Market -->|Global Standard| AES["AES-256-GCM ✅<br/>CNSA 2.0"]
    Market -->|High Performance| ChaCha["ChaCha20-Poly1305<br/>Mobile/Web optimized"]
    Market -->|Japan| Camellia["Camellia-GCM-256<br/>CRYPTREC certified"]
    Market -->|Korea| SEED["SEED-GCM-128<br/>KISA compliance"]
    Market -->|China| AESChina["AES-256-GCM<br/>GB/T compatible"]

    style MLKEM fill:#90EE90
    style AES fill:#90EE90
    style ECDH fill:#90EE90
    style ChaCha fill:#87CEEB
    style Camellia fill:#FFD700
    style SEED fill:#FFA500
    style AESChina fill:#FF6B6B
    style RSAOAEP fill:#D3D3D3

5.2 • For Signatures Decision Tree

graph TD
    Start(["Need to authenticate<br/>a message or document?"])

    Start --> NonRepud{"Need non-repudiation?<br/>Prove WHO signed?"}

    NonRepud -->|YES - Asymmetric| AsymType{"Quantum-safe<br/>or Classical?"}
    NonRepud -->|NO - MAC OK| MACType{"Which MAC<br/>construction?"}

    AsymType -->|Quantum-Safe| PQC{"Primary use case?"}
    AsymType -->|Classical| Classic{"Which market?"}

    PQC -->|General/Financial| MLDSA["ML-DSA-65 ✅<br/>CNSA 2.0"]
    PQC -->|Compact signatures| Falcon["Falcon-512<br/>Smallest size"]
    PQC -->|Hash-based backup| SLHDSA["SLH-DSA-192s/256s ✅<br/>CNSA 2.0"]

    Classic -->|Global| ECDSA384["ECDSA P-384 ✅<br/>CNSA 2.0 transitional"]
    Classic -->|China GB/T| SM2["SM2<br/>GB/T 32918 required"]
    Classic -->|Legacy PKI| RSAPSS["RSA-PSS<br/>PS256"]

    MACType -->|CNSA 2.0?| CNSAMAC{"NSA compliance?"}
    MACType -->|General| GeneralMAC["HMAC-SHA256<br/>Fast, widely supported"]
    MACType -->|Regional| Regional{"Which region?"}

    CNSAMAC -->|YES| CNSACHOICE{"HMAC or CMAC?"}
    CNSACHOICE -->|HMAC preferred| HMAC384["HMAC-SHA384 ✅<br/>CNSA 2.0"]
    CNSACHOICE -->|AES hardware| CMAC256["CMAC-AES-256 ✅<br/>CNSA 2.0"]

    Regional -->|China| HMAC_SM3["HMAC-SM3<br/>GB/T compliance"]
    Regional -->|SHA-3 required| KMAC["KMAC256<br/>NIST SP 800-185"]

    style MLDSA fill:#90EE90
    style SLHDSA fill:#90EE90
    style ECDSA384 fill:#90EE90
    style HMAC384 fill:#90EE90
    style CMAC256 fill:#90EE90
    style Falcon fill:#87CEEB
    style SM2 fill:#FF6B6B
    style HMAC_SM3 fill:#FF6B6B
    style GeneralMAC fill:#D3D3D3
    style RSAPSS fill:#D3D3D3
    style KMAC fill:#FFB6C1

5.3 • Key Differences: MACs vs Signatures

Aspect	Symmetric MAC (HMAC/CMAC)	Asymmetric Signature (ECDSA/SM2/ML-DSA)
Keys	1 shared secret	2 keys: private (sign) + public (verify)
Non-repudiation	❌ NO (both parties have same key)	✅ YES (only signer has private key)
Performance	✅ Very fast (~1000x)	⚠️ Slower
Key Distribution	⚠️ Must securely share key	✅ Public key can be distributed openly
Use Cases	Internal APIs, microservices	Contracts, certificates, blockchain
Examples	HMAC-SHA384, CMAC-AES-256	ECDSA P-384, SM2, ML-DSA-65

6 • Detailed Algorithm Specifications

6.1 • Symmetric AEAD Algorithms

AES-GCM (Advanced Encryption Standard - Galois/Counter Mode):

Mode: AEAD (Authenticated Encryption with Associated Data)
IV: 12 bytes (96 bits), automatically generated
Tag: 16 bytes (128 bits), automatically appended
Standards: NIST SP 800-38D, ISO/IEC 19772, RFC 5288
Cipher: Cipher.getInstance("AES/GCM/NoPadding")

ChaCha20-Poly1305:

Type: Stream cipher with Poly1305 MAC (AEAD)
Nonce: 12 bytes, automatically generated
Tag: 16 bytes (Poly1305 MAC)
Standards: IETF RFC 8439
Performance: Optimized for software, excellent on ARM/mobile

Camellia-GCM:

Type: Block cipher (128-bit blocks) with GCM mode
Origin: Japan (NTT, Mitsubishi)
Standards: ISO/IEC 18033-3, CRYPTREC, NESSIE, MySEAL AKSA
Purpose: Asian market alternative to AES (Japan, Malaysia)

ARIA-GCM and ARIA-CCM:

Type: Block cipher (128-bit blocks) with GCM/CCM modes
Origin: Korea (developed by KISA, standardized 2004)
Standards: ISO/IEC 18033-3 (2010), IETF RFC 5794, KISA
Variants:
- ARIA-GCM-128/192/256: GCM mode for high performance
- ARIA-CCM-128/192/256: CCM mode for constrained devices
IV: 12 bytes (96 bits), automatically generated
Tag: 16 bytes (128 bits), authenticated encryption
Cipher: Cipher.getInstance("ARIA/GCM/NoPadding") or ARIA/CCM/NoPadding
Purpose: Korean government and industry compliance (selected as Korean standard 2004)
Use Cases: Korean market alternative to AES, KCMVP certification requirements
History: Winner of Korean cipher competition, now ISO standard

SEED-GCM:

Type: Block cipher (128-bit blocks) with GCM mode
Origin: Korea (KISA, 1998)
Standards: KISA, CRYPTREC, ISO/IEC 18033-3, IETF RFC 4269
Purpose: Korean government compliance (first Korean cipher standard, now legacy)
Note: ARIA is the modern Korean standard (2004), SEED maintained for compatibility

SM4-GCM and SM4-CCM:

Type: Block cipher (128-bit blocks) with GCM/CCM modes
Origin: China (State Cryptography Administration)
Standards: GM/T 0002-2012 (Chinese national standard), ISO/IEC 18033-3:2010/Amendment 1:2021
Variants:
- SM4-GCM-128: GCM mode (Galois/Counter) for high performance
- SM4-CCM-128: CCM mode (Counter with CBC-MAC) for constrained devices
IV: 12 bytes (96 bits), automatically generated
Tag: 16 bytes (128 bits), authenticated encryption
Cipher: Cipher.getInstance("SM4/GCM/NoPadding") or SM4/CCM/NoPadding
Purpose: Chinese government GM/T (Guó Mì / 国密) compliance
Use Cases: Chinese market, cross-border data, GB/T regulatory requirements

6.2 • Asymmetric Encryption Methods

RSA-OAEP-512:

Method: RSA with OAEP padding using SHA-512 and MGF1
JWE Algorithm: RSA-OAEP-512
All key sizes (2048-8192) use SHA-512 (CNSA 2.0 hash function)
Standards: RFC 8017, RFC 7518

ECDH-ES+A256KW:

Method: Elliptic Curve Diffie-Hellman Ephemeral-Static + AES-256 Key Wrap
JWE Algorithm: ECDH-ES+A256KW
KDF: Concat KDF with SHA-256 (NIST SP 800-56A)
Key Wrap: AES-256-KW (RFC 3394)
Ephemeral key included in JWE "epk" header field
Standards: RFC 7518 Section 4.6, NIST SP 800-56A
Supported in: Both compact and streaming (detached) JWE modes

ML-KEM (Kyber):

Method: Lattice-based Key Encapsulation Mechanism
JWE Algorithm: ML-KEM-512/768/1024
Standards: NIST FIPS 203
CNSA 2.0: ML-KEM-768 approved for 2030+ PQC transition

FrodoKEM (Conservative Lattice-based KEM):

Method: Learning With Errors (LWE) based Key Encapsulation
JWE Algorithm: FRODO-640/976/1344
Standards: BSI TR-02102-1 (German Federal Office for Information Security)
Parameter Variants:
- FRODO-640: 128-bit security (conservative mapping to Level III)
- FRODO-976: 192-bit security (BSI recommended, Level III)
- FRODO-1344: 256-bit security (maximum strength, Level V)
PRF: AES-based (all variants use -AES suffix internally)
Use Cases: Long-term archives (>30-50 years), conservative PQC deployments
Trade-off: Larger keys/ciphertexts than ML-KEM (more conservative security assumption)
Why FrodoKEM?: Based on well-studied LWE problem (older research than ML-KEM's Module-LWE)
Technical: Uses FrodoParameterSpec.frodokem{640|976|1344}aes in Bouncy Castle

HQC (Hamming Quasi-Cyclic):

Method: Code-based Key Encapsulation Mechanism
JWE Algorithm: HQC-128/192/256
Standards: ETSI Quantum-Safe Cryptography (not NIST-standardized)
Parameter Variants:
- HQC-128: 128-bit security (Level I)
- HQC-192: 192-bit security (Level III)
- HQC-256: 256-bit security (Level V)
Use Cases: European markets, VPN endpoints, email encryption
Trade-off: Fast key generation, moderate ciphertext size
Why HQC?: Alternative mathematical foundation (code-based vs lattice-based)

Classic McEliece (CMCE - Code-based KEM):

Method: Goppa code-based Key Encapsulation (oldest PQC approach)
JWE Algorithm: CMCE-460896/6688128
Standards: NIST PQC Round 4 Finalist, BSI TR-02102 recommended fallback
Parameter Variants:
- CMCE-460896: 192-bit security (Level III)
- CMCE-6688128: 256-bit security (Level V)
Technical: Uses CMCEParameterSpec.mceliece{460896|6688128} in Bouncy Castle
Use Cases: Ultra-conservative deployments, defense, 40+ year archives
Trade-off: Largest keys/ciphertexts (>250 KB public keys) but 40+ years of cryptanalysis
Why CMCE?: Most conservative PQC choice (oldest mathematical foundation, 1978)
Regional: Germany (BSI high-assurance), Netherlands (NLNCSA), EU defense

BIKE (Code-based KEM):

Method: Quasi-Cyclic Moderate Density Parity Check codes
JWE Algorithm: BIKE-128/192/256
Standards: NIST PQC Round 4 Alternate, ETSI experiments
Parameter Variants:
- BIKE-128: 128-bit security (Level I)
- BIKE-192: 192-bit security (Level III)
- BIKE-256: 256-bit security (Level V)
Technical: Uses BIKEParameterSpec.bike{128|192|256} in Bouncy Castle
Use Cases: VPN, TLS experiments, low-memory systems
Trade-off: Fast, low CPU usage, moderate ciphertext size
Why BIKE?: Lightweight code-based alternative with good performance
Regional: EU (ETSI TLS PQC trials), Canada (CMC research)

SABER (Lattice Module-LWR KEM):

Method: Module Learning With Rounding (not LWE)
JWE Algorithm: LIGHTSABER-128/SABER-192/FIRESABER-256
Standards: NIST PQC Round 3 Finalist, Horizon Europe projects
Parameter Variants:
- LIGHTSABER-128: 128-bit security (Level I)
- SABER-192: 192-bit security (Level III)
- FIRESABER-256: 256-bit security (Level V)
Technical: Uses SABERParameterSpec.{light|saber|fire}saberkem{...}r3 in Bouncy Castle
Use Cases: IoT, embedded systems, hardware-efficient deployments
Trade-off: Excellent performance on ARM/embedded, smaller than ML-KEM
Why SABER?: Optimized for resource-constrained devices
Regional: EU (Belgium - Université Catholique de Louvain), India (academic research)

NTRU (Lattice-based KEM):

Method: NTRU lattice polynomials (historical PQC)
JWE Algorithm: NTRU-701/1373
Standards: NIST PQC Round 3 Finalist, ISO/IEC 18033-2, IEEE P1363.1
Parameter Variants:
- NTRU-701: 192-bit security (Level III - HRSS variant)
- NTRU-1373: 256-bit security (Level V - HRSS variant)
Technical: Uses NTRUParameterSpec.ntruhrss{701|1373} in Bouncy Castle
Use Cases: High-speed applications, IoT gateways, low-latency networks
Trade-off: Fastest PQC KEM, compact ciphertexts
Why NTRU?: Speed advantage, basis for South Korea's NTRU+ national standard
Regional: USA (historical), South Korea (NTRU+ base), EU (academic)

NTRU Prime (Lattice-based KEM):

Method: Prime-degree NTRU with cleaner security proofs
JWE Algorithm: NTRUPRIME-761/857
Standards: NIST PQC Round 3 Alternate, IETF draft
Parameter Variants:
- NTRUPRIME-761: 192-bit security (Level III)
- NTRUPRIME-857: 256-bit security (Level V)
Technical: Uses NTRULPRimeParameterSpec.ntrulpr{761|857} in Bouncy Castle
Use Cases: Conservative NTRU deployments without structured assumptions
Trade-off: Similar speed to NTRU, simpler parameter generation
Why NTRU Prime?: NTRU without structured ring assumptions (cleaner proofs)
Regional: USA/Canada research, EU cryptography labs

6.3 • MAC Constructions Explained

HMAC Construction (RFC 2104):

HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))

Where:
- K = secret key
- m = message
- H = hash function (SHA-256, SHA-384, SM3, etc.)
- opad, ipad = padding constants

Why different variants:

HMAC-SHA256: Uses SHA-256 as H (fast, 128-bit security)
HMAC-SHA384: Uses SHA-384 as H (CNSA 2.0, 192-bit security)
HMAC-SM3: Uses SM3 as H (China GB/T, 256-bit)

They are the SAME algorithm (HMAC), just with different hash functions.

7 • NSA CNSA 2.0 Approved Algorithms

The U.S. National Security Agency (Sep 2022) requires these specific algorithms for national security systems:

Category	CNSA 2.0 Requirement	ANKASecure Algorithm	Policy Template	Mark
Symmetric Encryption	AES-256	AES-256-GCM, AES-256-CCM	US_NSA_CNSA	✅
Symmetric MAC (option 1)	HMAC-SHA384/512	HMAC-SHA384, HMAC-SHA512	US_NSA_CNSA	✅
Symmetric MAC (option 2)	CMAC-AES-256	CMAC-AES-256	US_NSA_CNSA	✅
PQC Key Exchange	ML-KEM-768/1024	ML-KEM-768, ML-KEM-1024	US_NSA_CNSA	✅
PQC Signature (primary)	ML-DSA-65/87	ML-DSA-65, ML-DSA-87	US_NSA_CNSA	✅
PQC Signature (backup)	SLH-DSA-192s/f, 256s/f	SLH-DSA-192S/F, SLH-DSA-256S/F	US_NSA_CNSA	✅
Firmware Signing	XMSS, LMS	XMSS, LMS	US_NSA_CNSA	✅
Elliptic Curve	❌ P-384 deprecated	ECDH P-384, ECDSA P-384	⚠️ Not in US_NSA_CNSA	⚠️ Removed from CNSA 2.0

CNSA 2.0 Restrictions:

❌ NO 128-bit symmetric algorithms (only AES-256)
❌ NO RSA (quantum-vulnerable, removed from CNSA 2.0)
❌ NO Elliptic Curve (P-384 deprecated in Sep 2022, removed from CNSA 2.0)
❌ NO Level I or Level II PQC (only Level III or V)
❌ NO SLH-DSA (explicitly not approved by NSA for NSS)

US_NSA_CNSA Template Configuration:

{
  "allowedFamilies": ["ML-KEM", "ML-DSA", "XMSS", "LMS", "oct"],
  "allowedLevels": [5],
  "explicitAlgorithms": ["AES-GCM-256", "AES-CCM-256"],
  "mandatoryStandards": ["NSA"]
}

Effective Timeline:

Sep 2022 - 2030: Transition period (EC P-384 allowed in other templates, but not CNSA 2.0)
2030+: Pure PQC (ML-KEM, ML-DSA, XMSS/LMS)

8 • Regional Compliance Matrix

Market	Mandatory Algorithms	Optional/Recommended	ANKASecure Coverage
USA (NSA)	CNSA 2.0 (ML-KEM-768, ML-DSA-65)	NTRU (historical), SABER (research)	✅ 100%
Germany (BSI)	-	FrodoKEM, Classic McEliece (high-assurance)	✅ 100%
Netherlands	-	Classic McEliece (NLNCSA)	✅ 100%
EU (ETSI)	-	HQC, BIKE (TLS experiments)	✅ 100%
EU (Belgium)	-	SABER (Horizon Europe)	✅ 100%
South Korea	SEED (KISA), ARIA (KISA)	NTRU (NTRU+ base)	✅ 100%
Malaysia	MySEAL AKSA (AES, Camellia, ChaCha20)	ISO/NIST standards	✅ 100%
Russia (GOST)	HMAC-Streebog-256/512, GOST R 34.10-2012 signatures	Grasshopper encryption (pending MGM mode)	✅ 75%
Saudi Arabia (NCA)	AES-256, Camellia (NCS)	PQC (NIST alignment)	✅ 100%
UAE (TDRA)	AES-256, HSM/KMS (IA Regulation)	ISO 27001, NIST CSF	✅ 100%
Qatar (NCSA)	ISO 27001, NIST SP 800-53 (NIA)	-	✅ 100%
Australia (ASD ISM)	AES-192/256, ECDSA P-384/521	ML-KEM-1024, ML-DSA-87 (2030+)	✅ 100%
UK (NCSC)	AES, ECDSA, RSA	ML-KEM, ML-DSA (2035+)	✅ 100%
New Zealand (NZISM)	AES, ECDSA, RSA, SHA-2	PQC planning	✅ 100%
Canada (CSE ITSP.40.111)	AES, ECDSA, EdDSA	ML-KEM, ML-DSA, BIKE research	✅ 100%
India	-	SABER (academic research)	✅ 100%
China	SM2, SM3, SM4 (GM/T)	AES, RSA	✅ 100%
Japan	CRYPTREC approved	Camellia	✅ 100%
Global	NIST FIPS, ISO/IEC	All PQC candidates	✅ 100%

Policy Template Coverage by Region:

🇺🇸 USA Federal: NIST_APPROVED template (all FIPS + PQC finalists)
🇺🇸 USA Defense: US_NSA_CNSA template (CNSA 2.0 - 8 algorithms Level 5 only)
🇩🇪 Germany: BSI_COMPLIANT template (FRODO, CMCE for high-assurance)
🇫🇷 France: ANSSI_COMPLIANT template (FALCON for defense/eID)
🇪🇺 EU Telecom: ETSI_QSC template (HQC backup for 5G/6G)
🇪🇺 EU General: EU_COMPLIANT template (ENISA levels 3-5)
🇯🇵 Japan: JAPAN_CRYPTREC template (Camellia, ARIA national ciphers)
🇰🇷 South Korea: KOREA_SEED template (SEED, ARIA via KISA tags)
🇨🇳 China: CHINA_GMT_COMPLIANT template (SM2/3/4 mandatory by law)
🇷🇺 Russia: GOST_COMPLIANT template (Streebog, GOST-EC mandatory by Federal Law)
🇸🇦 Saudi Arabia: SAUDI_NCA_COMPLIANT template (NCA-NCS-1:2020 classical only)
🇲🇾 Malaysia: MALAYSIA_MYSEAL template (23 approved algorithms)
🌐 Internet: IETF_RFC template (TLS, VPN, SSH protocols)
🌐 International: GLOBAL_ISO_COMPLIANT template (all ISO-certified algorithms)
🏦 Finance: FINANCE_COMPLIANT template (PCI-DSS, SOC2, ISO 27001)

9 • NIST Post-Quantum Security Levels

NIST Level	Classical Equivalent	Quantum Resistance	ANKASecure KEM Algorithms
Level I	AES-128 (128-bit)	~64-bit	ML-KEM-512, HQC-128, BIKE-128, LIGHTSABER-128
Level II	SHA-384 (192-bit)	~96-bit	(No KEM at Level II)
Level III ✅	AES-192 (192-bit)	~96-bit	ML-KEM-768 ✅, HQC-192, FRODO-640, FRODO-976, CMCE-460896, BIKE-192, SABER-192, NTRU-701, NTRUPRIME-761
Level V ✅	AES-256 (256-bit)	~128-bit	ML-KEM-1024, HQC-256, FRODO-1344, CMCE-6688128, BIKE-256, FIRESABER-256, NTRU-1373, NTRUPRIME-857

CNSA 2.0: Only Level III and V approved

10 • Regulatory Standards Reference

Standard	Organization	Region	Focus	ANKASecure Algorithms
NIST FIPS 203/204/205	USA Federal	USA, Global	PQC standards (ML-KEM, ML-DSA, SLH-DSA)	3 PQC families (9 variants)
NIST PQC Round 3/4	USA Federal	USA, Global	PQC candidates evaluation	CMCE, BIKE, SABER, NTRU, NTRU Prime (12 variants)
CNSA 2.0	NSA	USA Defense	National security systems	6 approved + 2 transitional (ML-KEM-768, ML-DSA-65, SLH-DSA, P-384 transitional, AES-256)
ISO/IEC 18033-2	International	Global	Asymmetric encryption specs	NTRU, RSA, EC
IEEE P1363.1	USA	Global	NTRU cryptography standard	NTRU
IETF RFC	Internet	Global	Internet protocols (TLS, JOSE)	25+ algorithms
CRYPTREC	Japan	Japan, Asia	Gov + industry approved	Camellia, SEED, ML-KEM/DSA
GM/T (GB/T)	China	China	National cryptographic standards	SM2, SM3, SM4
MySEAL	Malaysia	Malaysia	National trusted algorithms (AKSA)	AES, Camellia, ChaCha20
GOST	Russia	Russia	National cryptographic standards	Streebog (hash/HMAC), GOST R 34.10-2012 (signatures), Grasshopper (pending)
NCA NCS	Saudi Arabia	Saudi Arabia, GCC	National cryptographic standards	AES, Camellia, PQC (NIST alignment)
TDRA IA	UAE	UAE, GCC	Information assurance regulation	AES-256, HSM/KMS requirements
NCSA NIA	Qatar	Qatar, GCC	National information assurance	ISO 27001, NIST SP 800-53 compliance
KISA (KCMVP)	Korea	Korea	National cryptographic validation	SEED, ARIA (national ciphers), AES, RSA, EC
NESSIE	EU (historical)	Europe	Evaluated algorithms (2000-2003)	Camellia
BSI TR-02102	Germany	Germany, EU	Technical cryptographic profiles	FrodoKEM, Classic McEliece, ML-KEM/DSA
ANSSI	France	France, EU	Government cryptographic recommendations	Falcon (preferred), ML-KEM/DSA
ENISA	EU	EU	Cybersecurity agency guidance	PQC migration strategies (levels 3-5)
ETSI QSC	EU Telecom	EU	Quantum-safe cryptography (TS 103 744)	HQC (primary), ML-KEM, BIKE experiments

PQC Round Classification:

NIST FIPS (Standardized): ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205)
Round 4 Finalists: Classic McEliece
Round 4 Alternates: BIKE
Round 3 Finalists: SABER, NTRU
Round 3 Alternates: NTRU Prime
Non-NIST: FrodoKEM (BSI), HQC (ETSI)

11 • Implementation Notes

Crypto-Agility in ANKASecure

Key Generation (algorithm-agnostic):

POST /api/keys/generate
{
  "alg": "<any-algorithm>",  // ML-KEM-768, HMAC-SM3, SM2, etc.
  "kid": "<unique-id>",
  "key_ops": ["sign", "verify"]  // or ["encrypt", "decrypt"]
}

Usage (algorithm-agnostic):

POST /api/crypto/sign
{
  "kid": "<the-kid-you-generated>",  // System auto-detects algorithm
  "data": "<base64-data>"
}

System Behavior:

Reads key metadata from keystore
Detects key type (kty: "oct" = symmetric, "EC" = asymmetric, etc.)
Routes to appropriate service (SymmetricCryptoService or AsymmetricCryptoService)
Selects correct cryptographic primitive based on alg field
Performs operation
Returns result in standard format (JWE, JWS)

You can switch algorithms without changing client code - just change alg during key generation.

Automatic Security Features

✅ IV/Nonce Generation: Automatically generated per operation (no user management)
✅ Key Size Validation: System enforces correct key sizes per algorithm
✅ Operation Validation: key_ops enforced (can't encrypt with sign-only key)
✅ Algorithm Matching: Header alg must match key's actual algorithm
✅ FIPS Mode: Enable with -Dcrypto.random.fips-mode=true (NIST SP 800-90A DRBG)

Supported Modes

Mode	Format	Use Case	Supported Algorithms
Compact	JWE/JWS (single string)	Data ≤5 MB, in-memory	All algorithms
Streaming	Detached JWE/JWS (JSON + binary)	Large files, no buffering	All algorithms

Both modes use the same cryptographic algorithms - only packaging differs.

12 • Security Considerations

Quantum Resistance (Grover's Algorithm)

Symmetric algorithms are quantum-resistant but with reduced effective security:

Classical Security	Post-Quantum (Grover)	Recommendation
AES-128	~64-bit	⚠️ May not be sufficient post-quantum
AES-192	~96-bit	✅ Adequate for most uses
AES-256	~128-bit	✅ Maximum post-quantum security

CNSA 2.0 Guidance: Use ≥256-bit symmetric keys for post-2030 security.

Key Lifecycle

ANKASecure enforces key usage limits based on operation type:

Operation Type	Usage Limit	Operations/Day (1 year)	Cryptographic Maximum	Safety Margin
Encrypt/Verify	5,000,000	~13,698	268M (NIST SP 800-38D)	50x
Decrypt/Unwrap	50,000	~137	268M (NIST SP 800-38D)	5,000x
Sign	100,000	~274	Millions (algorithm dependent)	>10,000x

Key Features:

✅ Automatic expiration: Keys marked as EXPIRED when limit reached
✅ Soft limits: Warning at 80% of max usage (40K decrypt, 80K sign, 4M encrypt)
✅ Time-based expiration: Default 2 years, with 2-month grace period
✅ Thread-safe: Atomic counters for concurrent operations
✅ NIST compliant: All limits well below NIST SP 800-38D recommendations

Why different limits?:

Decrypt (most conservative): Higher exposure to chosen-ciphertext attacks
Sign (moderate): Balances security with CA and signing service needs
Encrypt/Verify (least restrictive): Minimal security risk, supports high-volume APIs

These limits provide strong security while supporting production workloads and are based on NIST SP 800-38D, SP 800-57, and BSI TR-02102-1 guidelines.

13 • Algorithm Availability Policy Templates

ANKASecure provides 20 pre-configured policy templates that control which algorithms tenants can use. Each template aligns with specific regulatory standards or use cases.

13.1 • Core Templates (Basic Filtering)

Template	Description	Configuration	Use Case
DEFAULT	All 81 algorithms allowed	No restrictions	Development, testing, maximum flexibility
CLASSICAL	Classical algorithms only	`categories: ["CLASSICAL"]`	Legacy systems, pre-PQC infrastructure
POST_QUANTUM	Post-quantum algorithms only	`categories: ["POST_QUANTUM"]`	PQC-only deployments, future-proof
HIGH_SECURITY	Level 3-5 algorithms only	`levels: [3, 5]`	Eliminate weak 128-bit classical

13.2 • Regional Compliance Templates

Template	Region/Standard	Algorithms Included	Mandatory Compliance	Unique Algorithms
NIST_APPROVED	🇺🇸 USA Federal	All FIPS + PQC finalists (15 families)	FIPS 140-3, FedRAMP	HQC, CMCE, BIKE, SABER, NTRU
US_NSA_CNSA	🇺🇸 Defense/IC	8 algorithms (Level 5 only)	NSS systems (Top Secret)	XMSS, LMS (firmware signing)
EU_COMPLIANT	🇪🇺 European Union	Level 3-5 with ENISA tags	GDPR, NIS2, eIDAS 2.0	Policy-based (no PQC mandate yet)
BSI_COMPLIANT	🇩🇪 Germany	All BSI TR-02102-1 approved	Federal contracts	FRODO (LWE-based KEM)
ANSSI_COMPLIANT	🇫🇷 France	Level 3-5 with ANSSI tags	Defense, OIV	FALCON (compact signatures)
ETSI_QSC	🇪🇺 Telecom	Quantum-safe for 5G/6G	Telecom operators	HQC (ML-KEM backup)
JAPAN_CRYPTREC	🇯🇵 Japan	e-Government Recommended List	Procurement, JCMVP	Camellia (national cipher)
CHINA_GMT_COMPLIANT	🇨🇳 China	SM2, SM3, SM4 only	Mandatory by law (2020)	SM2, SM4, HMAC-SM3
KOREA_KCMVP	🇰🇷 South Korea	SEED, ARIA, AES, RSA, EC (KISA/ISO)	KCMVP certification	SEED, ARIA (national ciphers)
GOST_COMPLIANT	🇷🇺 Russia	GOST algorithms	Mandatory by Federal Law 149-FZ	Streebog, GOST-EC
SAUDI_NCA_COMPLIANT	🇸🇦 Saudi Arabia	Classical only (RSA, EC, AES)	NCA-NCS-1:2020	No PQC (standard predates NIST)
MALAYSIA_MYSEAL	🇲🇾 Malaysia	23 MySEAL approved algorithms	CyberSecurity Malaysia	ChaCha20, SM2
GLOBAL_ISO_COMPLIANT	🌐 International	All ISO-certified algorithms	ISO 27001, global interop	Wide coverage (165+ countries)

13.3 • Sector-Specific Templates

Template	Sector	Configuration	Use Case
FINANCE_COMPLIANT	Banking, Fintech	Dual NIST+ISO, Levels 3-5	PCI-DSS 4.0, SOC2 Type II, ISO 27001
PQC_TRANSITION	Cross-sector	Hybrid classical+PQC, Levels 3-5	2024-2030 migration period
IETF_RFC	Internet	All IETF RFC algorithms	TLS 1.3, VPN, SSH, WireGuard

13.4 • Template Selection Guide

For USA Government: - Federal agencies → NIST_APPROVED - DoD/IC/NSS → US_NSA_CNSA

For European Market: - General EU → EU_COMPLIANT - Germany → BSI_COMPLIANT - France → ANSSI_COMPLIANT - Telecom → ETSI_QSC

For Asian Markets: - China → CHINA_GMT_COMPLIANT (mandatory by law) - Japan → JAPAN_CRYPTREC - South Korea → KOREA_KCMVP (SEED, ARIA national ciphers) - Malaysia → MALAYSIA_MYSEAL

For Russia/CIS: - All sectors → GOST_COMPLIANT (mandatory by law)

For Global Operations: - Multi-national → GLOBAL_ISO_COMPLIANT - Internet services → IETF_RFC - Financial services → FINANCE_COMPLIANT - PQC migration → PQC_TRANSITION

13.5 • How Templates Work

Templates filter algorithms using 6 criteria (evaluated in priority order):

explicitAlgorithms (override): If specified, ONLY these algorithms are allowed
allowedFamilies (filter): Algorithm family must match (e.g., "ML-KEM", "oct" for symmetric)
allowedCategories (filter): Must be POST_QUANTUM or CLASSICAL
allowedLevels (filter): Security level must match (1, 3, or 5)
mandatoryStandards (filter): Algorithm must have at least ONE matching standard tag
allowedOperations (filter): Operations must be subset of allowed

Example (JAPAN_CRYPTREC template):

{
  "allowedFamilies": ["ML-KEM", "ML-DSA", "RSA", "EC", "XMSS", "LMS", "oct"],
  "mandatoryStandards": ["CRYPTREC"]
}

This allows: - ✅ ML-KEM-512/768/1024 (have CRYPTREC tag, family matches) - ✅ AES-GCM-256 (has CRYPTREC tag, family "oct" matches) - ✅ Camellia-GCM-256 (has CRYPTREC tag, family "oct" matches) - ❌ HQC-128 (has ETSI tag, but NOT CRYPTREC tag)