Table of Contents
Introduction
Quantum computers threaten to upend the cryptographic foundations of our digital world. While post-quantum algorithms promise long-term protection, they are new and still being vetted. How can organizations protect data today against a future quantum adversary, without betting everything on unproven crypto?
Hybrid cryptography offers a potential answer. By combining classical and post-quantum cryptographic primitives in tandem, hybrid schemes provide defense-in-depth during this transition period. In practice, a hybrid approach might mean performing both a traditional elliptic-curve key exchange and a post-quantum key exchange inside the same protocol, or signing a document with both an ECDSA signature and a Dilithium (post-quantum) signature. The result is that an attacker would need to break all the algorithms in the combination – both classical and post-quantum – to compromise the system. This approach hedges our bets: even if one component (say RSA or a new PQC scheme) is eventually broken, the other still stands in the adversary’s way.
For security leaders and engineers, hybrid cryptography has quickly moved from academic discussion to real-world deployment.
Why Hybrid Cryptography? Ensuring Security Through Transition
The need for hybrid cryptography arises from a paradox: we have to deploy quantum-resistant crypto now, before large quantum computers arrive, but we don’t yet fully trust the new algorithms (and neither do all our devices and protocols). Jumping straight to entirely post-quantum algorithms is risky – what if a new lattice-based scheme gets broken next year, or what if older devices can’t support the larger keys? On the other hand, standing still with only RSA or ECC is increasingly dangerous due to the “harvest now, decrypt later” threat. Nation-state attackers could be recording encrypted traffic today, anticipating that in a few years quantum computer might decrypt it. This has raised urgency for forward secrecy against quantum attacks, especially for sensitive data – we need to protect confidentiality now against a future quantum breach.
Hybrid encryption and signatures resolve this dilemma by providing an overlap of safety nets: even if one algorithm fails, the other continues to secure the data. For example, a TLS 1.3 handshake can mix an elliptic-curve Diffie-Hellman (ECDH) exchange with a post-quantum KEM like Kyber; the shared secret is derived from both, so an eavesdropper needs to break both ECDH and Kyber to recover the key. If a quantum computer someday defeats ECDH, the connection stays safe thanks to Kyber, and conversely if Kyber turns out weaker than believed, the classical ECDH (which quantum attackers can’t break yet) still protects in the interim. Likewise, a software update could be signed with a classic ECDSA signature and a post-quantum signature; an attacker would have to forge both to fake the update.
This “belt-and-suspenders” strategy is recommended by many experts as the prudent path forward. The U.S. NSA, for instance, advocates hybrid use during the transition to its new quantum-safe Suite (CNSA 2.0), treating it as a short-term tool for compatibility and risk mitigation. The NSA’s guidance is telling: they prefer single, quantum-safe algorithms for National Security Systems when possible, but allow hybrids in cases where using only a PQC algorithm isn’t yet practical (for example, certain VPN scenarios with strict packet size limits). In other words, use a hybrid only as long as needed – eventually the goal is to trust one robust post-quantum method – but in the interim, hybrids offer an insurance policy. Leading standards bodies echo this. The European ENISA has emphasized the importance of hybrid implementations as a strategy to integrate PQC into existing frameworks without disruption. And the U.S. NIST, in its draft Special Publication 800-227 on KEM use, is developing recommendations for how to securely implement new key exchange mechanisms – which will naturally include options for combining algorithms to address both classical and quantum threats.
In summary, hybrid cryptography buys us time and assurance. It lets organizations begin deploying quantum-resistant crypto today, gaining experience and protection against future threats, while retaining the proven security of classical algorithms as a safety net. Given the stakes – nation-state adversaries, the prospect of cryptanalytic breakthroughs – this layered approach is simply prudent risk management. Now, let’s look at what’s under the hood: the post-quantum primitives that have emerged from the NIST competition, and how they pair with classical counterparts in practice.
The Post-Quantum Toolbox: NIST’s New Algorithms (and How They Pair Up)
After a multi-year global competition, NIST has settled on a core suite of post-quantum algorithms to form the next generation of cryptographic standards. These algorithms span both key encapsulation mechanisms (KEMs) for encryption/key exchange and digital signatures, and they’re the building blocks of most hybrid schemes. It’s worth understanding them – both on their own and in the context of hybrid use. Here’s a quick tour of the main players, but for a more comprehensive analysis see Post-Quantum Cryptography (PQC) Standardization – 2025 Update.
Module-Lattice KEM (ML-KEM) – CRYSTALS-Kyber
A lattice-based KEM for key exchange, selected as NIST’s primary encryption algorithm (now standardized as FIPS 203). Kyber (ML-KEM) offers strong security with relatively small keys and ciphertexts (≈1.5 KB), and efficient operation even on modest hardware.
It forms the post-quantum half of many hybrid TLS and VPN key exchanges today. For example, Kyber’s 768-bit security variant has been combined with classical X25519 in experimental TLS handshakes.
Tech companies like Cloudflare and AWS have implemented hybrid key agreements using Kyber plus ECDH to secure TLS connections.
Module-Lattice DSA (ML-DSA) – CRYSTALS-Dilithium
A lattice-based digital signature (now FIPS 204) and NIST’s primary post-quantum signature scheme. Dilithium produces signatures on the order of 2-3 KB and public keys ~1-1.5 KB – larger than ECDSA, but still quite practical. It’s designed for general use, from TLS certificates to code signing. Many expect Dilithium to be the workhorse PQC signature due to its balanced speed and security.
In hybrid contexts, one might see certificates that are double-signed by both Dilithium and a classical algorithm (e.g. RSA or ECDSA), to maintain compatibility.
Stateless Hash-based DSA (SLH-DSA) – SPHINCS+
A hash-based signature scheme standardized as FIPS 205. SPHINCS+ is valued for its security rooted only in hash functions (no reliance on new math assumptions). It has very large signatures (often 5-17 KB) and slower signing, so NIST views it as a backup in case lattices falter. In practice, SPHINCS+ might be used in specialized cases needing extra trust in maturity (it’s built on decades-old hash fundamentals). Some organizations, for example, consider it for high-assurance certificate authorities or for software signing where signature size is less critical.
However, its performance profile means it’s less common in hybrids except as an extreme hedge. Notably, using a SPHINCS+ certificate in TLS can slow handshakes (one test found ~30% slowdown for SSH handshakes) due to its 17KB signatures causing extra round trips – a trade-off that might be acceptable only for limited scenarios.
FFT-Friendly Lattice DSA (FN-DSA) – FALCON
An upcoming lattice-based signature (anticipated FIPS 206) based on NTRU lattices and using Fast Fourier Transform techniques. FALCON provides smaller signatures (~~666 bytes) and public keys (~~1 KB) than Dilithium, at the cost of a more complex implementation (it’s mathematically intricate and tricky to implement). NIST is standardizing it as FN-DSA (for “FFT over NTRU-Lattice DSA”) as an alternative signature for cases where smaller sizes matter.
In hybrid deployments, FALCON could pair with classical signatures to produce much more compact dual-signature certificates than Dilithium would – helpful for bandwidth-constrained systems. That said, FALCON’s complexity has made some implementers cautious, so its adoption might initially lag Dilithium’s. It’s essentially a safety net if Dilithium (ML-DSA) ever had issues, offering a different lattice construction.
HQC (Hamming Quasi-Cyclic) – Code-Based KEM
In 2025 NIST announced HQC as an additional post-quantum encryption/KEM algorithm to be standardized, making it a backup alongside Kyber. HQC is based on error-correcting code problems (a very different math foundation from lattices). Its keys and ciphertexts are a few kilobytes – larger than Kyber’s, but far smaller than the decades-old McEliece scheme – and it withstood intensive cryptanalysis in NIST’s “Round 4” evaluation. NIST selected HQC to diversify the encryption toolbox in case a breakthrough ever undermines lattices.
In practice, HQC could be deployed in a hybrid mode alongside Kyber: for instance, a critical link could encrypt data with both a lattice KEM and the code-based HQC, ensuring that breaking one or the other isn’t enough. Although HQC is not yet as widely implemented (it’s newer, with a final standard expected by 2027), its inclusion signals that multi-algorithm hybrid encryption (lattice + code-based) will be a strategy for high-assurance environments. We may soon see VPN protocols or storage encryption using parallel HQC and Kyber key exchanges for an extra layer of safety.
Classic McEliece (code-based KEM)
While not part of NIST’s main standardized set, Classic McEliece deserves mention. It’s a code-based encryption scheme, extremely secure in theory (withstand decades of cryptanalysis), but infamous for huge public keys (hundreds of kilobytes). NIST kept McEliece as an “alternate” candidate – effectively a plan C – but has signaled it’s unlikely to be standardized unless a compelling niche for its ultra-large-key approach appears.
Because of its impractical key size, McEliece isn’t being widely deployed in hybrids (imagine trying to fit a 1MB certificate in a TLS handshake!). However, some organizations or protocols could still use it out-of-band for specialized cases (e.g., as a stored offline key to encrypt ultra-sensitive data). Generally, when people speak of hybrid schemes today, Kyber (ML-KEM) is the PQC side for key exchange, and Dilithium (or sometimes FALCON/SPHINCS+) is the PQC side for signatures – with HQC now emerging as another encryption option. McEliece remains more of a theoretical insurance policy, highlighted by experts mainly to note that diversity exists if we truly need it.
Each of these algorithms brings unique strengths and trade-offs. Lattice schemes like Kyber and Dilithium are fast and fairly compact but rest on newer math assumptions; hash-based SPHINCS+ relies on old, trusted hash functions but at a cost in size and speed; code-based HQC offers diversity but with larger payloads. A hybrid strategy can mix these characteristics to balance security against both classical and quantum threats. For example, one might use an ECC (Elliptic Curve) key exchange for speed and small size, and a lattice KEM for quantum safety. Or use a stateful hash signature (LMS/XMSS) for firmware updates today (they’re already standardized and quantum-safe), but plan to transition to Dilithium signatures in a few years when toolchains support it broadly.
It’s an exciting (and challenging) time for crypto architects: we’ve never had to juggle such a menagerie of algorithms. Next, let’s see how these building blocks are being put into practice in real systems – from web browsers to VPNs – and what lessons early adopters have learned about performance and integration along the way.
Hybrid Cryptography in Practice: From TLS and HTTPS to SSH, VPNs, and Beyond
The theory of hybrid cryptography becomes concrete as we implement it in the protocols and systems we use every day. Over the past few years, many major security protocols have gained (or are gaining) hybrid post-quantum modes. Let’s tour the major areas:
1. Web Security – TLS 1.3 (and QUIC)
TLS, the protocol securing HTTPS, is on the frontlines of the PQC transition. A typical TLS 1.3 handshake uses an ephemeral Diffie-Hellman (ECDH) exchange (often X25519 or P-256) to establish a session key. To make this quantum-safe, browsers and servers have been experimenting with adding a second key exchange using a post-quantum KEM.
Google & Cloudflare’s Experiments
All the way back in 2016, Google conducted the first public test (CECPQ1) by adding a lattice-based KEM (New Hope) alongside X25519 in Chrome. This went largely unnoticed by users, which was a good sign.
In 2018, a larger experiment called CECPQ2 by Google and Cloudflare tried two hybrid pairs: X25519+NTRU-HRSS (a lattice KEM), and X25519+SIKE (an isogeny-based KEM). Performance was encouraging – the hybrid handshakes were almost as quick as ordinary ones – but an interesting issue cropped up: the larger PQ key shares caused some network middleboxes to choke. Specifically, the client’s “Hello” message got bigger than one packet, which some old routers/firewalls didn’t expect, leading them to drop or mis-handle the connections.
This kind of protocol ossification (network gear assuming TLS messages will be a certain size) slowed down early adoption. In fact, Chrome kept its post-quantum trial running at a low volume for years, methodically identifying and working around these compatibility issues.
Today’s Deployment
As of 2023-2024, we’re seeing real progress. Google’s Chrome has enabled a hybrid X25519+Kyber exchange for a subset of users, and Cloudflare reported that by early 2024 about 1.8% of all TLS 1.3 connections to its servers were being secured with post-quantum cryptography (mostly thanks to Chrome’s experiment at 10% rollout). Cloudflare expects this to jump to double-digit percentages by end of 2024 as Chrome, Firefox, and others broaden support.
Mozilla has code in Nightly builds of Firefox for hybrid key agreement (likely also X25519+Kyber). In short, the post-quantum hybrid TLS is moving from experiment to mainstream.
Apple even announced in Feb 2024 that it will secure iMessage with post-quantum cryptography within the year, and the Signal protocol (used in Signal Messenger and WhatsApp) has already integrated PQC (Signal added X25519+Kyber for its key exchanges). These real-world moves underscore that hybrid key exchanges are no longer theoretical – they’re becoming the new baseline for Internet security.
Standards and Performance
The IETF is actively standardizing how to do hybrid key exchange in TLS. Drafts like IETF TLS Hybrid Design (and the older RFC 8773 for using external pre-shared keys in TLS) provide a roadmap for implementers. Notably, an IETF draft exists to formally define a hybrid ECDH+Kyber mechanism for TLS 1.3.
Performance-wise, multiple studies have found that using a fast lattice KEM (Kyber or NTRU) alongside ECDH adds only a millisecond or two to the TLS handshake latency in most cases. The overhead primarily comes from transmitting the additional PQC public key and ciphertext (roughly an extra 1-2 KB for Kyber). Modern networks handle that just fine, though some tuning (like increasing initial congestion windows in TCP) can further smooth out the impact.
The bottom line: hybrid TLS can be deployed with minimal performance penalty, and field trials by Cloudflare, Google, and others have shown it’s feasible at scale. The key is careful engineering to avoid corner-case incompatibilities and ensure fallback to classical TLS for any clients that don’t yet support the new algorithms (clients will simply ignore the PQC part if they don’t understand it, and the connection continues with classical crypto).
QUIC and others
QUIC, the UDP-based transport protocol used in HTTP/3, uses a TLS 1.3 handshake under the hood – so it inherits the same hybrid capabilities. Google has indeed been testing hybrid key agreements in QUIC as well, with similar success. We’re also seeing interest in post-quantum for other secure transport layers – for example, the SSH replacement within HTTP/3 (MASQUE) and even things like secure WebSockets could all leverage the same library support developed for TLS.
2. SSH (Secure Shell) – Case Study: OpenSSH’s Hybrid by Default
Secure Shell (SSH) is ubiquitous for remote login and secure Git access. In 2022, it took a major leap into the post-quantum world. OpenSSH 9.0, released April 2022, made a hybrid post-quantum key exchange the default method for all SSH connections. Specifically, OpenSSH combined its long-time default ECDH (Curve25519) with a lattice-based scheme called Streamlined NTRU Prime (sntrup761), forming a hybrid KEX dubbed “[email protected]”. This means that whenever both client and server support it (which, by now, all up-to-date OpenSSH installations do), the SSH session keys are derived from both X25519 and NTRU Prime. The developers made this proactive change “ahead of cryptographically-relevant quantum computers” to preempt the record-now/decrypt-later threat for SSH sessions. With so much sensitive admin traffic and code transfers happening via SSH, this was a big win for quantum safety.
How did it go? The transition was smooth. OpenSSH’s approach smartly ensured backwards compatibility: if the remote side didn’t understand the hybrid KEX, SSH would negotiate a fallback like pure X25519. But since the OpenSSH team shipped the support widely, most servers and clients quickly ended up speaking the hybrid by default.
Users generally didn’t notice any difference – which is what you want. Performance-wise, sntrup761 is fast and its added data (a 1KB public key) is negligible for an SSH session. A study by Cisco found that a hybrid SSH handshake with NTRU and ECDH was only ~1ms slower than a normal one. Even adding a post-quantum signature (SPHINCS+ in their test) was workable, though SPHINCS’s huge signature did slow SSH handshakes by ~30% (due to its 17KB size causing extra network round trips).
OpenSSH didn’t go as far as changing signatures – they only addressed key exchange for now. Host and user authentication in SSH can use RSA or Ed25519 as before (the identity keys), which is fine since forging those isn’t a record-now/decrypt-later issue – but expect that in coming years we’ll see options for PQC-based host keys too.
3. VPN and IPsec – Post-Quantum IKEv2
Many enterprises and government agencies rely on IPsec VPNs (which use the IKEv2 protocol for key management) to protect site-to-site and remote access communications. IKEv2, like TLS, traditionally uses Diffie-Hellman (often elliptic-curve) to derive shared secrets. To incorporate PQC, the IETF has developed standards to allow multiple key exchanges in IKEv2 (which is a form of hybrid). In fact, RFC 9370 (published in 2023) updates IKEv2 to permit doing up to seven additional key exchanges during the handshake, beyond the initial one. This extension was motivated precisely by the need to bolt on a quantum-safe KEM without removing the existing one.
Concretely, there’s an Internet-Draft (by Kampanakis et al.) on using ML-KEM (Kyber) in IKEv2 alongside the classical DH. The draft outlines two approaches: either fit the PQC key exchange into the main IKE_SA_INIT message (if small enough), or use the new IKE_INTERMEDIATE messages (from RFC 9242) to carry large post-quantum key shares without IP fragmentation. Because some PQC keys won’t fit in a single UDP packet, these extensions were crucial – they allow IKEv2 to fragment and handle bigger messages at the protocol level.
The NSA in its CNSA 2.0 guidance explicitly calls out an example: in certain constrained systems, you might combine a 256-bit ECDH with a Kyber-1024 (ML-KEM) in IKEv2 to meet size limits and still be quantum-safe. This hybrid is allowed for National Security Systems with NSA approval, but the preference is clearly to move to pure ML-KEM when possible. In any case, the tooling is falling into place – vendors like Cisco, Palo Alto Networks, and others have been prototyping PQC in IPsec. For instance, Cisco reported preliminary results showing that a hybrid IKEv2 using NTRU-HRSS for key exchange plus classical DH performed well, with only minimal latency added (comparable to the TLS results).
On the standards front, aside from RFC 9370, there’s also RFC 8784 which defines a different “hybrid” approach: using pre-shared keys (PSK) as a quantum-resistant addition. That was more of a stopgap (mixing in a long random pre-shared secret to foil quantum attacks), but now with real PQC KEMs available, the focus is on true algorithmic hybrids. I anticipate that in the next couple of years, IPsec products will roll out official support for hybrid key exchanges – likely X25519+Kyber or P-256+Kyber as default options for “Quantum Resistant VPN”. Some vendors have already advertised compliance with draft standards or offered experimental modes.
The challenge, as always, will be interoperability – both sides of a VPN need to agree on algorithms. Thankfully, IKEv2 was designed with flexibility in algorithm negotiation. Enterprises planning a VPN refresh might soon start seeing “CNSA 2.0 compliant” or “PQC-ready” labels, which imply these hybrid capabilities. Given that government users (who often drive VPN requirements) are under directives to start migrating (the U.S. government aims to have its systems quantum-safe by 2035, with incremental deadlines before then), IPsec and TLS will likely lead the way in broad adoption of hybrid cryptography.
4. Encrypted Data & Other Protocols – HPKE and more
While TLS, SSH, and IPsec cover the main transport security, hybrid cryptography is also finding its way into other layers:
HPKE (Hybrid Public Key Encryption)
Interestingly, Hybrid PKE here refers to combining asymmetric and symmetric techniques (not PQC per se). However, the RFC 9180 HPKE scheme, which is used in scenarios like secure messaging and the coming TLS Encrypted Client Hello, is KEM-agnostic. It can plug in different KEM algorithms. Efforts are underway to define HPKE modes with post-quantum KEMs. For example, MLS (the Messaging Layer Security protocol) could use HPKE with X25519 and Kyber to encrypt messages to groups in a quantum-safe way. Because HPKE already supports multiple KEMs, doing a hybrid in HPKE might simply mean performing two HPKE encapsulations – one with a classical KEM, one with a PQ KEM – and combining the results.
There isn’t a finalized standard for “hybrid HPKE” yet, but conceptually it’s straightforward, and developers can already experiment using libraries like Open Quantum Safe (libOQS) which provide PQC primitives to integrate. Expect to see hybrid approaches in secure email (S/MIME or PGP could adopt a similar dual-encryption strategy) and in confidential data storage (e.g., encrypting a file’s key under both RSA and a PQC KEM).
Cryptographic Agility Protocols
Some new frameworks are emerging to manage multiple algorithms. For example, the concept of a composite key or composite signature (being standardized in the IETF PQUIP working group) allows bundling two public keys (one classical, one PQC) into one identity, and similarly two signatures into one construct. This is particularly relevant for PKI, which we discuss next.
In summary, nearly any protocol that establishes keys or uses digital signatures is getting a PQC infusion. The strategy is remarkably consistent: don’t rip out the old – just add the new and use both. This crypto co-existence will be the norm for the next decade. Now, one of the thorniest areas remains: public key infrastructure (PKI) and the world of certificates, signatures, and identities. How do we handle those in a hybrid world?
Evolving PKI and Signatures: Certificates, Identities, and Code Signing in a Hybrid World
Upgrading our encryption protocols is one thing; upgrading PKI (Public Key Infrastructure) is another beast entirely. Certificates and digital signatures are embedded everywhere – in browsers, applications, documents, firmware. I wrote more about digital signatures specifically here The Future of Digital Signatures in a Post-Quantum World. Here’s how hybrid crypto is being applied to identity and authenticity:
Hybrid Certificates and Dual Signatures
A major concern is how to transition certificate chains (like those used in TLS/SSL, code signing, etc.) to quantum-safe algorithms without breaking compatibility. One elegant approach is the hybrid certificate (also called composite or alternate certificates). In essence, a hybrid X.509 certificate includes two public keys and two signatures: one of each from a classical scheme and one from a PQC scheme. For example, a web server’s cert might have an RSA public key with an RSA signature from the CA, and a Dilithium public key with a Dilithium signature from the CA – all referring to the same subject. A browser that understands PQC can validate the PQC signature and be happy, while an older browser that only knows RSA will ignore the PQ parts and just validate the RSA signature. This technique ensures there’s no “flag day” where you must choose one or the other. Both old and new clients can interoperate with the same cert.
The IETF and industry groups have been working on standards for these hybrid certificates. Typically, the PQC public key and signature are placed in extensions of the X.509 certificate that are marked non-critical, so legacy software can safely ignore them Already, some proof-of-concept implementations exist and certain government CAs are testing internally. We can expect in the next couple of years that public Certificate Authorities may start offering hybrid certs as an option – especially once browsers signal readiness. In fact, one of the earliest likely adopters are VPN and government authentication systems, where both sides (client and server) can be upgraded in sync. We might also see document signing standards (PDF, XML signatures) allow inclusion of multiple signature formats for the same document, again to ease migration.
An alternative to including two separate signatures is a composite signature, where mathematically the signature only verifies if both underlying signatures (classical and PQ) are valid. This produces a single blob that encodes both. It’s another form of hybrid, but with stricter semantics (if either part is tampered, the whole signature fails). Standards and libraries for composite signatures are in development. Regardless of format, the idea is that for a transition period, CAs and signing tools will issue signatures in both worlds. Yes, this increases sizes – a chain of hybrid certificates can be significantly larger (tens of KB), which might slightly slow handshakes or require tuning servers to handle larger certs. But this is seen as an acceptable price for continuity. Once the ecosystem fully trusts PQC, we can drop the classical part and trim the fat.
Software and Firmware Signing (LMS, XMSS, and PQ Signatures)
One area the NSA prioritized early for quantum-safe protection is software/firmware signing. Why? Because if quantum computers emerge, they could potentially be used to forge code signatures, enabling malware to impersonate legitimate software updates – a nightmare scenario. But unlike the “harvest now, decrypt later” threat, signature forging can’t reach backwards in time (you can’t fake a signature that was made in the past without breaking it at that time). Still, for long-lived software (think Windows updates, SCADA firmware, satellite control code), we do need to start signing with quantum-safe algorithms well before quantum machines arrive, to ensure those signatures remain trustworthy for decades.
The U.S. Department of Defense and NSA have already issued guidance to move to hash-based signatures (which are quantum-safe) for high-assurance code signing by 2025. Specifically, two stateful hash-based schemes, LMS and XMSS, are recommended (they’re standardized in NIST SP 800-208). These schemes have the drawback of a limited number of uses per key (and require careful state management so you never reuse a one-time signature key), but they are mature and believed secure. For example, LMS with a 20-bit height can sign about 1 million binaries, which is plenty for many devices. Companies are already incorporating these: for instance, Cisco, VMware, and others have tested LMS for firmware signing. The NSA’s CNSA 2.0 explicitly lists LMS/XMSS as the approved methods for software & firmware integrity going forward.
How does this relate to hybrids? In practice, many organizations might use a hybrid signing approach in the near term: sign software with both a classical signature (like RSA or ECDSA, for compatibility with existing validators) and a hash-based or Dilithium signature for quantum safety. The signatures could be distributed as separate signature files, or potentially one could use a composite certificate as discussed. Microsoft, for example, could sign a Windows update with an ECDSA signature and an LMS signature; old Windows versions would check the ECDSA, while new versions (post-patch) could prefer the LMS. This pattern can apply to package managers, firmware update systems, container signing (e.g., Docker images), you name it.
One interesting twist is the role of timestamping and cryptographic archiving. As noted by security architects, if you have data signed today by a classical algorithm, you can mitigate future quantum risk by timestamping that signature with a trusted timestamp authority (TSA). The timestamp – which can itself be later re-timestamped – provides evidence the signature was valid at a time when the algorithm was secure. This, combined with archive schemes like ETSI’s PAdES for PDFs, can extend trust in old signatures even if the algorithms become obsolete. Of course, this is complex and not a real-time protection, so it’s more of a backup plan for things like legal documents, logs, etc. The better solution is to move to PQC signatures well before 2030 for anything that needs long-term validity.
Key Management Considerations
Migrating to hybrid and PQC introduces new headaches in key management. Keys and certs are bigger; HSMs (Hardware Security Modules) need firmware updates to handle new algorithms; and some PQC keys have different lifecycle aspects (e.g., stateful hash keys require careful use). Some considerations and strategies:
Crypto-Agility and Inventory
A top recommendation is to start with a cryptographic inventory – identify where all your keys and certs are, what algorithms they use, and where you’ll need to swap in PQC or hybrids. Many organizations are doing this now under mandates like U.S. Executive Order 14028. Once you know what you have, you can prioritize: maybe your VPN and public website get hybrid TLS first (high exposure), whereas an internal app’s PKI can wait a bit but you’ll pilot it.
Parallel PKI Infrastructures
We might see a period where companies run parallel CA hierarchies – one classical, one PQC – or a unified hierarchy that issues hybrid certs. Root CAs themselves may go hybrid: e.g., a root certificate could be cross-signed by an existing RSA root and a new Dilithium root, or the root key could be a composite of RSA+Dilithium such that verifying the root requires both signatures.
Designing such a system requires care to avoid confusion, but it can be done. Tools like crypto-agility frameworks and libraries (Google’s Tink, AWS’s AWS-LC, OpenSSL 3.0’s provider mechanism, etc.) are critical so that applications can handle new key types without massive rewrites.
Hardware and Performance
PQC operations, particularly signatures, can be CPU-intensive and memory-hungry (though many are comparable to RSA in speed). If you’re using smart cards, TPMs, or IoT microcontrollers, check if the PQ algorithm can run acceptably on them.
For now, many constrained devices might rely on hybrid approaches where the heavy lifting is done by a server. For example, a sensor might not be able to do Dilithium itself, but perhaps it can retain an ECDSA key and perform a handshake where the server’s side is PQC and the device’s side is classical (not perfectly quantum-safe, but mitigates the main risk channel).
Over time, we expect optimized hardware support – even CPU instructions – to accelerate lattice math. Already, researchers are looking at FPGA and ASIC implementations of Kyber, Dilithium, etc., and early results show they can be quite efficient with the right optimizations.
Certificate Size Management
Larger certs may mean tweaking protocol settings. TLS, for instance, might need enabling TLS 1.3’s “post-handshake certificate” options or compression (there’s an extension for compressing certificates in flight) to reduce overhead.
Also, fragmentation in low-level protocols (like the IP fragmentation issue for IKEv2 we discussed) needs careful handling.
These are largely implementation details, but an operational team should be aware that turning on PQC might require updating some buffer sizes, timeouts, or extension settings in various servers, load balancers, and clients.
Cloudflare’s experience was instructive: simply adding a few kilobytes to the ClientHello in TLS exposed brittle assumptions in network infrastructure.
Thus, one best practice is to test your systems with simulated large certificates or handshakes now, to catch any such issues early.
In short, upgrading PKI is probably the most complex part of the quantum transition, but hybrid solutions provide a bridge. Expect a period where, say, your browser has a trust store with some classical roots and some PQC roots, and many certificates carry dual signatures. This will gradually tilt toward all-PQC as old algorithms are phased out – likely by the mid 2030s per government timelines.
Now, with an understanding of how hybrid cryptography is implemented and managed, let’s consider the bigger picture: official guidance and strategies for moving from this hybrid interim state to a fully quantum-safe ecosystem.
Guidance and Strategy: From Hybrid Today to PQC-Only Tomorrow
Both industry and government bodies have been actively issuing guidance to ensure a smooth (and timely) transition to post-quantum cryptography. Here we compile key recommendations and insights that help illuminate how long we’ll rely on hybrids and how to eventually phase out the classical components.
NSA’s CNSA 2.0 Timeline
The U.S. National Security Agency’s Commercial National Security Algorithm Suite 2.0 lays out a road map for U.S. National Security Systems to adopt quantum-resistant crypto. They’re targeting completion by 2035, with intermediate goals such as quantum-safe software signing by 2025 and key establishment (TLS/IPsec) by 2033.
Notably, NSA emphasizes hybrids are a temporary measure – a means to an end. Their recommendation is to transition to single-algorithm (quantum-safe only) implementations as soon as practical, and require explicit approval for using hybrids in the interim. Essentially, if a system can use a stand-alone PQC algorithm reliably, NSA prefers that for its simplicity and avoidance of potential new interop issues.
Hybrids are allowed mainly where needed for compatibility (e.g., if a device can’t handle a full-size PQ key, or two systems have a mismatch and need a common ground). The NSA expects that by 2035, hybrids will be phased out entirely – meaning we should design systems now with crypto-agility so that the classical parts can be cleanly removed or disabled when the time comes. This is a clear message to vendors: don’t bake in permanent dual-crypto if you don’t need to.
NIST SP 800-227 and NIST Guidance
NIST’s draft SP 800-227 “Recommendations for KEMs” is more general, but it underscores the importance of proper implementation and understanding of KEM properties. While not a policy document, we can infer that NIST will provide best practices for using hybrids securely (for instance, how to derive a single key from two KEM outputs without introducing weaknesses).
NIST has also set up a Migration to PQC project at NCCoE (National Cybersecurity Center of Excellence) that is producing example implementations and playbooks for organizations. Their guidance so far echoes the advice to inventory crypto systems, test PQC in labs, and ensure vendor solutions support hybrid modes.
One specific angle NIST has highlighted is crypto agility: organizations should invest in architectures that allow swapping cryptography more easily (like abstraction layers, centralized crypto services, etc.), to facilitate not just this PQC upgrade but any future ones.
International and Regulatory Moves
Outside the U.S., countries are also gearing up. The German BSI and French ANSSI, for example, have been evaluating NIST’s algorithms and in some cases recommending their own combinations or calling for additional analysis (initially France was more cautious about Kyber).
The consensus in Europe, per ENISA’s report, is to start integrating PQC via hybrids now, especially in critical infrastructure, to learn and prepare.
We see regulatory hints: for instance, the U.S. SEC in 2023 asked large financial institutions how they’re addressing quantum risks, and in sectors like healthcare and energy, standards bodies are drafting quantum-readiness guidelines. While not law yet, it’s plausible that within a few years, compliance regimes (like PCI-DSS for payment, or HIPAA for health data) could require “quantum-safe encryption for sensitive data” – which practically will mean using hybrid solutions during the transition, since outright replacing RSA might not be feasible immediately. Organizations should watch for these developments to avoid scrambling later.
Transition Strategy – A Phased Approach
Experts often describe the transition in waves:
- Experimentation/Preparation (Now – 2025): Pilot hybrids in non-production or limited environments. For example, enable optional PQC ciphersuites on an internal TLS endpoint and measure performance, or test a hybrid VPN between two offices. Simultaneously, upgrade libraries (OpenSSL, BoringSSL, AWS-LC, etc. all have PQC support in progress) and ensure hardware support (plan for new HSM firmware, etc.).
- Initial Deployment (2025 – 2030): Start using hybrids in production for high-value or long-lived data first. This might include enabling hybrid TLS on public-facing services once browsers support it (which looks to be 2024-2025 timeframe), requiring vendors to use PQC in new VPN products, issuing some employee or device certificates as hybrids, and so on. At this stage, the classical algorithms are still there alongside, ensuring nothing breaks. Monitor for any interop issues or performance concerns; share lessons in industry groups.
- Broad Rollout & Tuning (2030 – 2035): As confidence in PQC grows (say, by 2030 we’ve had years of cryptanalysis on Dilithium/Kyber with no cracks, and optimized implementations abound), organizations can shift stance. New systems might run PQC-only by default, with the ability to fall back to classical only if needed. For example, an updated browser in 2030 might try a pure Kyber handshake, but if it detects the server can’t, it may fall back to X25519+Kyber hybrid, or worst-case classical. Essentially, we flip the preference order. Also, more legacy systems will have aged out by then.
- PQC-Only World (post-2035): The aim is that well before 2039 (when some predict a CRQC might exist), all sensitive systems use exclusively quantum-resistant crypto. Hybrids will be retired – likely via deprecating the classical algorithms in standards. We might see an event like “TLS 1.4” that doesn’t even include classical cipher suites, or an SSH v2.1 that is PQC-only. At that point, maintaining the dual tracks is unnecessary and we simplify. All users, devices, and software still stuck on RSA/ECC would find themselves unable to communicate securely – similar to how today anything below TLS 1.2 is essentially forbidden for security.
Testing and Education
A soft aspect of strategy: training your teams. Administrators, developers, and security architects need to get familiar with these new algorithms – how key sizes and performance differ, how to properly validate a Dilithium signature, etc.
Many early adopters (AWS, Cloudflare) have noted that contributing to standards and open libraries was invaluable. There are workshops and interoperability tests happening (for example, the IETF has had PQC hackathons). Engaging in those now will prevent unpleasant surprises later.
Also, ensure that your incident response considers quantum threats – e.g., if someone is exfiltrating encrypted traffic from your network, that’s a bigger deal in the quantum context, so maybe you start encrypting even internal links with hybrids if they carry long-term secrets.
To boil it down, the way forward is: start using hybrid crypto in earnest, but design everything for eventual removal of the old algorithms. Crypto-agility isn’t just a buzzword here; it’s a necessity. The next 5-10 years will involve running two worlds in parallel, but if we manage it right, by the time the quantum world truly dawns, we can drop the training wheels of RSA/ECC and ride securely on post-quantum crypto alone.
Conclusion
The advent of quantum computing is often compared to a looming storm on the horizon – we’re not exactly sure when it will make landfall, but we can see it coming. Hybrid cryptography is our shelter during this stormy transition. It lets us reinforce the cryptographic walls of our infrastructure now, rather than waiting until the downpour is upon us. By deploying combinations of classical and post-quantum algorithms, organizations gain immediate protection against future threats (no more sleeping uneasily about harvested data being decrypted in a few years) while retaining trust in battle-tested protocols. Just as importantly, hybrids enable a graceful upgrade path – one that doesn’t break the internet or our devices, but rather evolves them gradually.
We’ve seen that this evolution is already underway in TLS connections securing the web, in the OpenSSH sessions used by administrators worldwide, and in the VPN tunnels guarding corporate networks. The technology works – real-world trials show the performance is acceptable and the integration challenges, while non-trivial, are surmountable. Early adopters have blazed the trail, uncovering the gotchas (like packet size quirks and CPU spikes) so that standards and implementations can address them. Now, with NIST’s standards in hand and government mandates gathering, the path is clear for the broader community to follow.
Hybrid cryptography is not a permanent state; it’s a means to an end. It buys us confidence and continuity. As the implementations mature and the post-quantum algorithms prove themselves (or if any don’t, we have alternatives thanks to our hybrid hedges), we will gradually turn off the old schemes. The ultimate destination is a simpler one where only PQC remains – leaner and elegant. But to get there without compromising security in the interim, hybrid is the name of the game.
