KEM combiner
A KEM combiner is a construction that merges the shared secrets of two or more key encapsulation mechanisms into a single secret that stays secure as long as at least one input KEM is secure. Combiners are the mechanism behind hybrid cryptography, letting a classical KEM and a post-quantum KEM protect one session together.
How the secrets are combined
A safe combiner does not simply XOR the two secrets. It feeds both shared secrets, and usually the ciphertexts and public keys as well, into a key derivation function so the output binds to the full transcript. Giacon, Heuer, and Poettering analyzed which combiners preserve IND-CCA security in 2018 (KEM Combiners).
In deployed protocols
TLS hybrid key exchange concatenates a classical secret such as X25519 with an ML-KEM secret and hashes them through the handshake key schedule (draft-ietf-tls-hybrid-design). The same transcript-binding idea appears in HPKE (RFC 9180). The approach hedges against both a break of the new post-quantum scheme and a future quantum attack on the classical one.
Sources
- KEM Combiners (IACR ePrint Archive (PKC 2018), 2018)
- Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design) (IETF, 2023)
- RFC 9180: Hybrid Public Key Encryption (IETF, 2022)
Cite this entry
"KEM combiner." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/kem-combiner@misc{pqwiki-kem-combiner,
title = {KEM combiner},
howpublished = {\url{https://postquantum.wiki/kem-combiner}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}