Hybrid cryptography (PQ/T hybrid)

Hybrid cryptography, often written PQ/T hybrid (post-quantum/traditional), combines a classical algorithm and a post-quantum algorithm in a single operation so that the result remains secure as long as at least one component is unbroken. Hybrids hedge two risks at once: quantum computers breaking classical public-key cryptography, and undiscovered flaws in the much younger post-quantum schemes.

Rationale

The case for hybrids runs in both directions. Classical key agreement (elliptic curve Diffie-Hellman, RSA) falls to Shor's algorithm on a large quantum computer, and traffic captured today is already exposed through harvest now, decrypt later. But the post-quantum replacements have decades less cryptanalysis behind them, and the risk is not hypothetical: SIKE, an isogeny-based finalist in the NIST Post-Quantum Cryptography Standardization process, was broken in 2022 with a classical attack that recovered keys in hours on a laptop. A hybrid of X25519 and ML-KEM stays secure against a quantum adversary (via ML-KEM) and against a hypothetical lattice break (via X25519), because an attacker must defeat both.

KEM combiners

The standard construction combines two KEMs by running both and deriving the final key from both shared secrets. The simplest secure pattern concatenates the secrets, usually together with the ciphertexts or public keys, and feeds them through a key derivation function; TLS does exactly this inside its key schedule, as analyzed in draft-ietf-tls-hybrid-design. Getting the details right matters: a combiner should preserve IND-CCA security when either component is sound, which motivates binding the ciphertexts into the derivation. The IETF CFRG has a dedicated combiner draft, and X-Wing defines a concrete, formally analyzed hybrid of X25519 and ML-KEM-768 that exploits ML-KEM's internal structure to keep the combiner cheap. NIST's key derivation recommendation, SP 800-56C Rev. 2, already accommodates a hybrid shared secret, so hybrids can be used inside FIPS-validated deployments.

Hybrid signatures also exist, chiefly as composite certificates studied for PKI migration to post-quantum, but they have less momentum: signatures carry no harvest-time urgency, and running two signature schemes adds size and validation complexity for a smaller benefit.

Where hybrids ship today

Hybrids are the dominant deployment pattern for post-quantum cryptography as of early 2026:

Protocol Hybrid Status as of early 2026
TLS 1.3 ([[post-quantum-tls post-quantum TLS]]) X25519MLKEM768
SSH ([[post-quantum-ssh post-quantum SSH]]) mlkem768x25519, sntrup761x25519
Signal (Signal PQXDH) X25519 plus Kyber in PQXDH Deployed since September 2023
iMessage (Apple iMessage PQ3) ECDH plus Kyber in PQ3 Deployed since March 2024
IPsec/IKEv2 Multiple key exchanges per RFC 9370 Standardized, deployment varies

Standards positions

National authorities disagree on whether hybrids are a transition tool or an unnecessary complication. Germany's BSI recommends deploying ML-KEM in hybrid combinations with classical algorithms in its TR-02102-1 recommendations, and France's ANSSI has taken a similar position for the transition period. The United States is more permissive than prescriptive: NIST allows hybrid key establishment within its existing frameworks, while the NSA's CNSA 2.0 notably specifies pure post-quantum algorithms (ML-KEM-1024, ML-DSA-87) for national security systems and states that hybrid solutions are not required, citing the added complexity. In practice the Internet has voted with its deployments: virtually all shipped post-quantum key exchange is hybrid, and pure ML-KEM modes exist mainly for CNSA-aligned environments.

Costs and criticisms

A hybrid runs two algorithms, so handshakes carry both key shares (roughly 1.2 KB extra for ML-KEM-768 on top of 32 bytes for X25519) and both computations, though the classical component is the cheaper part. The deeper criticisms are engineering ones: combiners add protocol surface that can be misdesigned, negotiation grows more complex, and hybrids can entrench classical code paths that must eventually be removed anyway, a cryptographic agility cost paid later. Proponents answer that the insurance is worth it while post-quantum schemes accumulate cryptanalytic history, and that removal is a planned second step, not a flaw in the design.

Frequently asked questions

Does a hybrid double the security or just the cost?

Neither. The combined scheme is as strong as its strongest surviving component, at the cost of running both. It is insurance against one of the two families being broken.

Sources

  1. Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design) (IETF, 2025)
  2. Combiner function for hybrid key encapsulation mechanisms (draft-ounsworth-cfrg-kem-combiners) (IETF, 2024)
  3. X-Wing: The Hybrid KEM You've Been Looking For (IACR ePrint, 2024)
  4. An efficient key recovery attack on SIDH (IACR ePrint, 2022)
  5. Announcing the Commercial National Security Algorithm Suite 2.0 (NSA, 2022)
  6. BSI TR-02102-1, Cryptographic Mechanisms: Recommendations and Key Lengths (BSI (Germany), 2024)
  7. NIST SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes (NIST, 2020)
  8. RFC 9370, Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2) (IETF, 2023)
Cite this entry
"Hybrid cryptography (PQ/T hybrid)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/hybrid-cryptography@misc{pqwiki-hybrid-cryptography, title = {Hybrid cryptography (PQ/T hybrid)}, howpublished = {\url{https://postquantum.wiki/hybrid-cryptography}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }