Anka Secure API - Datasheet
1. AnkaTech Secure API
Provides cryptographic operations such as encryption, decryption, signing, signature verification, and re-encryption using classical algorithms (RSA, ECC, AES) and post-quantum algorithms (ML-KEM, ML-DSA, Falcon, SPHINCS+).
The AnkaSecure API is compatible with the post-quantum cryptographic algorithms approved by NIST, ensuring long-term security in a quantum computing environment.
NIST Standardized Algorithms and FIPS:
- FIPS 203: Kyber (ML-KEM) - Key Encapsulation
- FIPS 204: Dilithium (ML-DSA) - Digital Signatures
- FIPS 205: SPHINCS+ - Digital Signatures (Hash-based)
2. Key Features
Key Creation and Management
- Symmetric Keys: AES-256
- Asymmetric Keys:
  - Classical: RSA (1024, 2048, 4096), ECC (EC-256, EC-384, EC-521)
  - Post-Quantum:
    - Kyber: Kyber512, Kyber768, Kyber1024 (ML-KEM)
    - Dilithium: ML-DSA-44 (Dilithium2), ML-DSA-65 (Dilithium3), ML-DSA-87 (Dilithium5)
    - Falcon: Falcon-512, Falcon-1024
    - SPHINCS+: SHA2-128F, SHA2-128S, SHA2-192F, SHA2-192S, SHA2-256F, SHA2-256S, SHAKE-128F, SHAKE-128S, SHAKE-192F, SHAKE-192S, SHAKE-256F, SHAKE-256S
Encryption and Decryption Operations
- Symmetric Encryption: AES (block and streaming mode)
- Asymmetric Encryption:
  - RSA, ECC (ECIES)
  - Kyber (Kyber512, Kyber768, Kyber1024), also referred to as ML-KEM
- Decryption support for all algorithms above
Signing and Verification Operations
- Digital signing:
  - RSA, ECC (ECDSA)
  - Dilithium (ML-DSA-44, ML-DSA-65, ML-DSA-87)
  - Falcon (Falcon-512, Falcon-1024)
  - SPHINCS+ (all supported parameter sets)
- Signature verification with the corresponding public keys
- Re-signing (resign) for migrating signatures from RSA/ECC to post-quantum algorithms (Kyber, Dilithium, Falcon, SPHINCS+)
Re-Encryption
- Migrate encrypted data from an old key (RSA/ECC) to a new one (Kyber) without exposing plaintext
Re-Signing
- Similar to re-encryption, re-signing (resign) seamlessly migrates existing signatures from classical algorithms (e.g., RSA, ECC) to a chosen post-quantum algorithm (e.g., Dilithium, Falcon, SPHINCS+), ensuring forward security without re-uploading or re-verifying the original data.
Streaming and Multipart Support
- Large file encryption/signing without loading full data in memory
- Multipart/form-data support for binary data (file) and metadata (JSON)
Authentication and Security
- JWT-based authentication (Bearer Token)
- Separate roles for users and applications (clientId + clientSecret)
- All endpoints require a valid token
3. Post-Quantum Algorithm Selection
The AnkaSecure API is designed to be cryptoagile, allowing for the selection and integration of any of the four post-quantum algorithms that NIST has approved for standardization. This flexibility enables organizations to choose the most suitable cryptographic mechanism based on their performance, security, and key size requirements.
The following tables provide a comparison of all supported algorithms, which can be used as a reference when selecting the most appropriate one for a given use case.
Key Encapsulation Mechanisms (KEM)
Algorithm | Type | Performance | Security | Key Size |
---|---|---|---|---|
Kyber512 | Key Encapsulation (KEM) | Fast | 128-bit quantum security | Small |
Kyber768 | Key Encapsulation (KEM) | Medium | 192-bit quantum security | Moderate |
Kyber1024 | Key Encapsulation (KEM) | Slower | 256-bit quantum security | Large |
Digital Signature Algorithms
Algorithm | Type | Signature Speed | Verification Speed | Signature Size |
---|---|---|---|---|
Dilithium2 | Signature (ML-DSA) | Fast | Slow | Medium |
Dilithium3 | Signature (ML-DSA) | Moderate | Moderate | Medium-Large |
Dilithium5 | Signature (ML-DSA) | Slower | Slower | Large |
Falcon-512 | Signature (Lattice-based) | Very Fast | Fast | Small |
Falcon-1024 | Signature (Lattice-based) | Fast | Moderate | Medium |
SPHINCS+-SHA2-128F | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHA2-128S | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHA2-192F | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHA2-192S | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHA2-256F | Signature (Hash-based) | Very Slow | Slow | Very Large |
SPHINCS+-SHA2-256S | Signature (Hash-based) | Very Slow | Slow | Very Large |
SPHINCS+-SHAKE-128F | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHAKE-128S | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHAKE-192F | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHAKE-192S | Signature (Hash-based) | Very Slow | Slow | Large |
SPHINCS+-SHAKE-256F | Signature (Hash-based) | Very Slow | Slow | Very Large |
SPHINCS+-SHAKE-256S | Signature (Hash-based) | Very Slow | Slow | Very Large |
4. Cryptoagility
The AnkaSecure API follows a cryptoagile approach, allowing for seamless integration of new cryptographic algorithms as standards evolve.
- Support for both classical and post-quantum cryptography
- Easy algorithm migration without breaking existing workflows
5. Final Summary
AnkaTech Secure API provides a future-proof cryptographic solution by integrating post-quantum algorithms such as Kyber, Dilithium, Falcon, and SPHINCS+. The API is designed for high security, performance, and compatibility, allowing seamless migration from classical cryptographic systems.
6. API Endpoints (Excluding Authentication)
Below is a brief overview of the key endpoints supported by the Anka Secure API. Each endpoint handles a specific cryptographic operation (symmetric or asymmetric), leveraging both classical and post-quantum algorithms.
6.1 Key Management
- POST /api/key-management/symmetric – Generate a symmetric key
- POST /api/key-management/public-keys – Import a public key
- POST /api/key-management/private-keys – Import a private key (PKCS#12)
- POST /api/key-management/asymmetric – Generate an asymmetric key pair
- GET /api/key-management/public-keys/{alias} – Export a public key
- GET /api/key-management/keys – List keys
- DELETE /api/key-management/{alias} – Remove a key
6.2 Secure (Non-Streaming)
- POST /api/crypto/verify – Verify a digital signature
- POST /api/crypto/symmetric/encrypt – Encrypt data with a symmetric key
- POST /api/crypto/symmetric/decrypt – Decrypt data with a symmetric key
- POST /api/crypto/sign – Sign data
- POST /api/crypto/resign – Re-sign data using a new key
- POST /api/crypto/reencrypt – Re-encrypt data using a new key
- POST /api/crypto/asymmetric/encrypt – Encrypt data with an asymmetric key
- POST /api/crypto/asymmetric/decrypt – Decrypt data with an asymmetric key
6.3 Secure Streaming
- POST /api/crypto/stream/verify – Verify a signature (streaming)
- POST /api/crypto/stream/symmetric/encrypt – Encrypt data with a symmetric key (streaming)
- POST /api/crypto/stream/symmetric/decrypt – Decrypt data with a symmetric key (streaming)
- POST /api/crypto/stream/sign – Sign data (streaming)
- POST /api/crypto/stream/resign – Re-sign data (streaming)
- POST /api/crypto/stream/reencrypt – Re-encrypt data (streaming)
- POST /api/crypto/stream/asymmetric/publickey-verify – Verify signature with a provided public key (streaming)
- POST /api/crypto/stream/asymmetric/publickey-encrypt – Encrypt data with a provided public key (streaming)
- POST /api/crypto/stream/asymmetric/encrypt – Encrypt data with an asymmetric key (streaming)
- POST /api/crypto/stream/asymmetric/decrypt – Decrypt data with an asymmetric key (streaming)