Supported Algorithms — Encryption, Key Exchange & Signatures
ANKASecure release: v2.0
last update: 2025-05-09
1 • Algorithms for Encryption and Key Exchange
Algorithm | Variant | Type | Security Level | Recommended Use-Cases | Standards |
---|---|---|---|---|---|
ML-KEM | ML-KEM-512 | Lattice-based (PQC) | Level 1 (medium) | General-purpose communications & IoT gateways. | NIST, BSI, ANSSI, ENISA |
ML-KEM | ML-KEM-768 | Lattice-based (PQC) | Level 3 (high) | Finance, healthcare records, confidential SaaS workloads. | NIST, BSI, ANSSI, ENISA |
ML-KEM | ML-KEM-1024 | Lattice-based (PQC) | Level 5 (very-high) | Government, defence, critical infrastructure, long-term archives. | NIST, NSA, BSI, ANSSI, ENISA |
HQC | HQC-128 | Code-based (PQC) | Level 1 (medium) | Quantum-resistant VPN tunnels, e-mail encryption. | ETSI |
HQC | HQC-192 | Code-based (PQC) | Level 3 (high) | Enterprise B2B links, PKI root key establishment. | ETSI |
HQC | HQC-256 | Code-based (PQC) | Level 5 (very-high) | National security, highly regulated sectors demanding maximal assurances. | ETSI |
FrodoKEM | Frodo | Lattice-based (PQC) | Level 5 (very-high) | Ultra-sensitive data centres, research archives exceeding 30-year lifetime. | BSI |
RSA | RSA-2048 | Traditional (non-PQC) | Medium | Short-term certificates, backward compatibility. | NIST, ISO, ETSI, BSI, ANSSI, ENISA |
RSA | RSA-3072 | Traditional (non-PQC) | Medium-high | Near-term confidentiality during PQC migration. | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
RSA | RSA-4096 | Traditional (non-PQC) | High | Medium-term signed documents (start PQC dual-certs). | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
RSA | RSA-6144 / 8192 | Traditional (non-PQC) | Very-high | Long-term archival integrity until PQC switch-over. | NIST, ISO, ETSI, BSI, ANSSI, ENISA |
Elliptic Curves (EC) | EC-256 / EC-384 / EC-521 | Traditional (non-PQC) | Medium-high | Mobile & web apps expecting refresh < 2 years; dual-stack with PQC advised. | EC-256 / 521: NIST, ISO, ETSI, BSI, ANSSI, ENISA • EC-384: + NSA |
AES (Symmetric) | AES-128 / AES-GCM-128 / AES-CCM-128 | Symmetric (part-quantum-safe) | Medium | High-throughput data pipelines, streaming media. | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
AES (Symmetric) | AES-192 / AES-GCM-192 / AES-CCM-192 | Symmetric (part-quantum-safe) | High | Balance between performance & longevity, enterprise DB encryption. | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
AES (Symmetric) | AES-256 / AES-GCM-256 / AES-CCM-256 | Symmetric (quantum-secure) | Very-high | Long-term storage, regulated archives, zero-trust file systems. | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
2 • Algorithms for Digital Signatures
Algorithm | Variant | Type | Security Level | Recommended Use-Cases | Standards |
---|---|---|---|---|---|
ML-DSA | ML-DSA-44 | Lattice-based (PQC) | Level 2 (medium-high) | General business documents, DevOps artefact signing. | NIST, BSI, ANSSI, ENISA |
ML-DSA | ML-DSA-65 | Lattice-based (PQC) | Level 3 (high) | High-value transactions, financial ledgers, CA leaf certs. | NIST, BSI, ANSSI, ENISA |
ML-DSA | ML-DSA-87 | Lattice-based (PQC) | Level 5 (very-high) | Government records, eID, regulation-bound digital archives. | NIST, NSA, BSI, ANSSI, ENISA |
FALCON | FALCON-512 | Lattice-based NTRU (PQC) | Level 1 (medium-high) | IoT firmware, blockchain smart-contracts, X.509 leaf certs. | ANSSI, ENISA |
FALCON | FALCON-1024 | Lattice-based NTRU (PQC) | Level 5 (very-high) | Low-bandwidth critical channels, inter-satellite links. | ANSSI, ENISA |
SLH-DSA | SHA2-128S/F & SHAKE-128S/F | Hash-based (PQC) | Level 1 (medium-high) | Long-term signatures where larger sizes are acceptable. | NIST, BSI, ANSSI, ENISA |
SLH-DSA | SHA2-192S/F & SHAKE-192S/F | Hash-based (PQC) | Level 3 (high) | Legal archives, power-grid firmware signing. | NIST, BSI, ANSSI, ENISA |
SLH-DSA | SHA2-256S/F & SHAKE-256S/F | Hash-based (PQC) | Level 5 (very-high) | Military classified data, e-voting audits. | NIST, BSI, ANSSI, ENISA |
XMSS | XMSS | Hash-based (PQC) | Level 3 (high) | Stateful hardware tokens, tamper-evident logs. | NIST, ISO, ETSI, NSA, BSI |
LMS | LMS | Hash-based (PQC) | Level 3 (high) | Smart-grid devices, secure boot chains for embedded systems. | NIST, ISO, ETSI, NSA, BSI |
RSA | RSA-2048 / 3072 / 4096 / 6144 / 8192 | Traditional (non-PQC) | Medium-high → very-high | Legacy PKI, dual-signature migration bundles (PQC + RSA). | see respective RSA row in §1 |
Elliptic Curves (EC) | EC-256 / EC-384 / EC-521 | Traditional (non-PQC) | Medium-high | JWT tokens, TLS 1.2/1.3 handshakes (deploy PQC hybrid suites ASAP). | see respective EC row in §1 |
Symmetric MACs | CMAC-AES-128/192/256 – HMAC-SHA2/3-256/384/512 – KMAC128/256 | Symmetric (MAC) | High → very-high | Authenticated logs, API request signing within a trusted domain. | NIST, ISO, ETSI, NSA, BSI, ANSSI, ENISA |
✍️ Implementation Guidance
Encryption & Key Exchange
- Prioritise PQC KEMs (ML‑KEM, HQC, FrodoKEM) for all new applications.
- Use classical RSA/ECC only for backward compatibility during a defined migration window (sunsets published Q4 2025).
- Symmetric ciphers AES‑256‑GCM or AES‑256‑CCM are mandatory where data must remain confidential beyond 2030.
Digital Signatures
- ML‑DSA provides the best size‑to‑security ratio for general‑purpose PQC signatures.
- FALCON‑512 is recommended where signature size is the primary constraint (e.g. blockchain blocks, embedded firmware).
- SLH‑DSA delivers hash‑based conservatism; choose the appropriate parameter set based on retention years.
- XMSS/LMS are stateful; deploy only when device storage permits reliable state management.
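What "reliable state management" means for XMSS/LMS in practice, as an added example that is not ANKASecure code: a one-time leaf index may be used only after a higher reservation mark is durably on disk, so a crash can skip indices but never reissue one. The class name, state-file format and `batch` parameter are hypothetical, and the signing call itself is out of scope.

```python
import json
import os
import tempfile


class IndexExhausted(Exception):
    """All one-time keys of this XMSS/LMS key pair have been used."""


class OtsIndexStore:
    """Durable counter for the next unused one-time-signature leaf index."""

    def __init__(self, path, capacity, batch=1):
        self.path = path          # hypothetical state file location
        self.capacity = capacity  # 2**h leaves for a tree of height h
        self.batch = batch        # indices reserved per durable write
        self._next = self._limit = self._load()

    def _load(self):
        # A missing file means a fresh key. The stored value is a reservation
        # high-water mark: indices below it are never handed out again.
        if not os.path.exists(self.path):
            return 0
        with open(self.path) as fh:
            return int(json.load(fh)["reserved_up_to"])

    def _persist(self, value):
        # Write temp file, fsync, atomic rename, fsync the directory.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w") as fh:
            json.dump({"reserved_up_to": value}, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

    def reserve(self):
        """Return a leaf index that is safe to sign with exactly once."""
        if self._next >= self.capacity:
            raise IndexExhausted(self.path)
        if self._next >= self._limit:
            self._limit = min(self._next + self.batch, self.capacity)
            self._persist(self._limit)  # durable before the index is used
        idx, self._next = self._next, self._next + 1
        return idx
```

A larger `batch` trades wasted indices after a crash for fewer synchronous writes; a device that cannot guarantee the fsync and rename semantics used here is the case the guidance above excludes.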
Symmetric Authentication
- Prefer HMAC‑SHA‑256 for high‑throughput API messages.
- KMAC256 is available for NIST SP‑800‑185 compliance.
- CMAC‑AES‑128 is legacy; plan upgrade to ≥ 192‑bit keys.
3 • Regulatory Standards at a Glance
Abbr. | Body / Region | Scope & Typical Applicability |
---|---|---|
NIST | U.S. National Institute of Standards and Technology (FIPS / SP-800 series) | Federal agencies, U.S. critical infrastructure, organisations seeking worldwide interoperability. |
ETSI | European Telecommunications Standards Institute (EN, TS) | EU-wide telecoms & IoT, compliance with RED / Cyber-Resilience Act. |
NSA CNSA 2.0 | U.S. National Security Agency – Commercial National Security Algorithm Suite 2.0 | U.S. national-security systems, defence contractors, export-controlled products. |
ISO / IEC | International Organization for Standardization & International Electrotechnical Commission | Global enterprises needing vendor-neutral, country-agnostic compliance. |
BSI | Bundesamt für Sicherheit in der Informationstechnik (Germany) – TR-02102 series | German federal authorities, KRITIS operators, EU GDPR data processors. |
ANSSI | Agence nationale de la sécurité des systèmes d’information (France) – RGS / PRIS | French governmental entities, OIV, defence-related industries. |
ENISA | European Union Agency for Cybersecurity – good-practice & candidate schemes | EU Member-State digital-service providers, cloud security certifications. |
© 2025 AnkaTech Co. All rights reserved.