Complete algorithm stacks for real-world use cases. Each stack shows which primitives work together, what they protect against, and when to choose alternatives.
Secure Messaging
End-to-end encrypted messaging with forward secrecy, post-quantum readiness, and per-message key isolation. Reference: Signal Protocol with PQXDH.
Primitives
X25519—Classical key agreement. Protects against: passive eavesdropping. Provides the ephemeral shared secrets for the DH ratchet.
ML-KEM-768—Post-quantum key encapsulation (hybrid). Protects against: harvest-now-decrypt-later attacks by future quantum computers.
XChaCha20-Poly1305—Message encryption (AEAD). Protects against: loss of confidentiality or integrity of message content. Its 192-bit nonce makes random per-message nonces safe even at high message volume.
HKDF—Key derivation and ratcheting. Protects against: key reuse and compromise propagation. Derives per-message keys from chain keys, which gives forward secrecy.
Password Storage
Memory-hard password hashing with tunable cost and key stretching for derived encryption keys. Designed to maximize attacker cost after database breach.
Primitives
Argon2id—Password hashing. Protects against: brute-force attacks after database compromise. Memory hardness defeats GPU and ASIC acceleration.
HKDF—Key stretching from password-derived material. Protects against: key reuse across contexts. Derives separate encryption and authentication keys from the Argon2id output.
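Both stacks above lean on HKDF for the same property: distinct info labels turn one secret into independent keys. The block below is an added example, not code from the original page or from Signal; it implements RFC 5869 HKDF over SHA-256 with the standard library, then uses it for an illustrative symmetric chain-key ratchet (the labels "chain-key" and "message-key" are assumptions, not Signal's exact constants) and for splitting a password-derived secret into separate encryption and authentication keys (the Argon2id output is a constructed placeholder).

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated and truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def ratchet_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step: derive the next chain key and a per-message key
    from the current chain key under distinct info labels (illustrative labels,
    not Signal's exact constants). Discarding the old chain key afterwards is what
    gives forward secrecy: nothing kept in memory can recompute earlier message keys."""
    next_chain_key = hkdf(chain_key, b"", b"chain-key", 32)
    message_key = hkdf(chain_key, b"", b"message-key", 32)
    return next_chain_key, message_key


def derive_password_keys(argon2id_output: bytes, salt: bytes) -> dict[str, bytes]:
    """Domain-separated keys from password-derived material. The caller passes the
    Argon2id output; in the test below it is a constructed placeholder, not a real hash."""
    prk = hkdf_extract(salt, argon2id_output)
    return {
        "enc": hkdf_expand(prk, b"file-encryption-key", 32),
        "mac": hkdf_expand(prk, b"authentication-key", 32),
    }
```

The HKDF functions can be checked against RFC 5869 test case 1; the ratchet is deterministic per step, so two parties holding the same chain key derive the same message key without ever transmitting it.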
File Encryption
Authenticated encryption at rest with per-file key derivation and optional manifest signing. Protects stored data against unauthorized access and silent tampering.
Primitives
AES-256-GCM—File content encryption (AEAD). Protects against: unauthorized read access and content tampering. Hardware-accelerated via AES-NI on most platforms.
XChaCha20-Poly1305—Alternative AEAD (when AES-NI is unavailable). Protects against: the same threats, with the same confidentiality and integrity guarantees. Its 192-bit nonce is safe to generate randomly per file.
Ed25519—Manifest signing. Protects against: tampering with file metadata, directory structure, or encrypted blob references.
Code Signing / Software Supply Chain
Signature-based integrity for software artifacts, build manifests, and CI/CD pipelines. Ensures authenticity and non-repudiation of released code.
Primitives
Ed25519—Artifact and manifest signing. Protects against: unauthorized code modification, supply chain injection, and build tampering.
SHA-256—Manifest hashing. Protects against: collision attacks on file digests. Ensures each artifact has a unique, verifiable fingerprint.
TLS / Web Transport
Modern transport security with forward secrecy, hybrid post-quantum key exchange, and authenticated encryption. The foundation of all web and API security.
Primitives
X25519—Classical ephemeral key agreement. Protects against: passive eavesdropping. Ephemeral keys provide forward secrecy: past sessions remain secure even if the server's long-term key is later compromised.
ML-KEM-768—Post-quantum key encapsulation (hybrid with X25519). Protects against: harvest-now-decrypt-later attacks. Already deployed in TLS 1.3 by Chrome 124+ and Firefox 132+.
AES-256-GCM—Record-layer encryption (AEAD). Protects against: loss of confidentiality or integrity of data in transit.
Post-Quantum Migration
Layered hybrid approach to the post-quantum transition. Combines classical algorithms with PQ algorithms so that security holds as long as either assumption survives. This is a migration strategy, not a wholesale replacement.
Primitives
ML-KEM-768—Post-quantum key encapsulation. Protects against: Shor's algorithm applied to classical Diffie-Hellman and RSA key exchange. Provides 192-bit PQ security.
X25519—Classical key agreement (hybrid partner). Acts as a safety net: if ML-KEM's lattice assumptions break, X25519 still provides 128-bit classical security.
ML-DSA-65—Post-quantum digital signatures. Protects against: quantum attacks on Ed25519/ECDSA signatures. Provides 192-bit PQ security for long-lived signing keys.