KEM combiner

A KEM combiner is a construction that merges the shared secrets of two or more key encapsulation mechanisms into a single secret that stays secure as long as at least one input KEM is secure. Combiners are the mechanism behind hybrid cryptography, letting a classical KEM and a post-quantum KEM protect one session together.

How the secrets are combined

A safe combiner does not simply XOR the two secrets. It feeds both shared secrets, and usually the ciphertexts and public keys as well, into a key derivation function so the output binds to the full transcript. Giacon, Heuer, and Poettering analyzed which combiners preserve IND-CCA security in 2018 (KEM Combiners).

In deployed protocols

TLS hybrid key exchange concatenates a classical secret such as X25519 with an ML-KEM secret and hashes them through the handshake key schedule (draft-ietf-tls-hybrid-design). The same transcript-binding idea appears in HPKE (RFC 9180). The approach hedges against both a break of the new post-quantum scheme and a future quantum attack on the classical one.

Sources

  1. KEM Combiners (IACR ePrint Archive (PKC 2018), 2018)
  2. Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design) (IETF, 2023)
  3. RFC 9180: Hybrid Public Key Encryption (IETF, 2022)
Cite this entry
"KEM combiner." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/kem-combiner@misc{pqwiki-kem-combiner, title = {KEM combiner}, howpublished = {\url{https://postquantum.wiki/kem-combiner}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }