The hybrid approach to post-quantum cryptography

By
Dominik König
June 16, 2025

The hybrid approach combines classical cryptographic schemes with post-quantum-secure algorithms and thereby enables a controlled and secure migration to post-quantum cryptography (PQC). This article explains why hybrid schemes are currently recommended, how hybrid PQC mechanisms work and what role they play in a future-proof migration strategy.

Migrating to post-quantum-safe schemes involves risks, as post-quantum cryptography (PQC) algorithms have only recently been standardized. The hybrid approach, i.e. the deliberate combination of a classical and a PQC scheme, provides at least the same level of security as the classical scheme alone, while also offering protection against quantum adversaries. It is the currently recommended way to migrate to post-quantum cryptography.

PQC migration strategy

With technological progress in the field of quantum computers, there is a growing threat that the public-key algorithms in use today could be broken in the future. With the standardization of post-quantum-safe algorithms, alternatives now exist that are designed to resist quantum computers as well. However, relying exclusively on these newly standardized algorithms during a migration introduces its own risks. For this reason, a hybrid approach is recommended when migrating to post-quantum cryptography. This article explains the advantages of this approach and outlines the mechanisms used in hybrid PQC schemes.

Why is the hybrid approach needed?

Today, we face a fundamental dilemma. On the one hand, classical cryptography, when implemented correctly, provides robust protection against classical adversary models. These algorithms are widely deployed and have been used in practice for decades. Due to their extensive use since the 1990s, classical cryptographic schemes have been thoroughly analysed both in practice and in academic research, significantly reducing the likelihood of successful attacks by classical adversaries. However, the public-key schemes among them (RSA, Diffie-Hellman and elliptic-curve cryptography) are not resistant to quantum attacks.

On the other hand, there are cryptographic schemes that are also believed to be secure against quantum attackers. Since 2016, the National Institute of Standards and Technology (NIST) has been running a selection process to identify suitable post-quantum cryptographic algorithms. As a result, the first PQC schemes have now been standardized: ML-KEM, ML-DSA and SLH-DSA in FIPS 203, 204 and 205 ([1], [2], [3]). Compared to classical algorithms, however, these new schemes have undergone less extensive analysis and do not yet have decades of proven security in real-world deployments.

For this reason, migrating exclusively to the new algorithms is itself a considerable risk. An even greater risk, however, is to rely solely on classical algorithms and thereby underestimate an attacker's capabilities. Modern threat models must take into account the potential emergence of quantum adversaries in the foreseeable future, including adversaries who record encrypted traffic today in order to decrypt it once a quantum computer is available.

To mitigate these risks, the hybrid approach is currently recommended. It combines classical cryptographic algorithms with post-quantum-secure methods. The key advantage of this approach is that it provides at least the same level of security against classical adversaries as classical cryptography alone, while also offering protection against quantum attacks in line with the current state of the art.

What is hybrid security in the context of PQC?

In cryptography, the term hybrid generally denotes the combination of two independent cryptographic schemes into one construction. The best-known example is hybrid encryption in classical cryptography, where an asymmetric scheme is used to transport or agree a symmetric key and the bulk data is then encrypted with a symmetric cipher, combining key management by public-key methods with the high throughput of symmetric encryption.

In the context of post-quantum cryptography, hybrid approaches combine classical cryptographic algorithms with post-quantum-secure methods in order to achieve robust protection against both classical and quantum adversaries.

The two schemes are combined in such a way that both would have to be broken independently in order to compromise the security of the communication. This approach is also being pursued by the IETF TLS working group: the document "Hybrid Key Exchange in TLS 1.3" [4] specifies how such combinations can be implemented within the TLS protocol.

Benefits of a hybrid design:

  • Post-quantum security: If the classical component is broken by a quantum computer, the PQC component still protects the data; conversely, if a weakness is found in the comparatively young PQC scheme, the classical component still protects against classical adversaries.
  • Modularity: Different cryptographic schemes can be combined flexibly, and a component can be replaced when a better-analysed scheme becomes available.
  • Fail-safe: An attacker must compromise both components to break the security of the system.

Hybrid PQC encryption

The hybrid encryption approach can be implemented schematically as follows:

1. Encryption: The data is first encrypted using a classical cryptographic algorithm. The resulting ciphertext is then encrypted again using a post-quantum cryptographic algorithm.

2. Decryption: The encrypted data is first decrypted using the post-quantum algorithm and subsequently decrypted using the classical algorithm. The plaintext is thus exposed only to an attacker who can break both layers.

In practice, public-key encryption of bulk data is done with a key-encapsulation mechanism (KEM) and a symmetric cipher, so the hybrid combination is normally made at the level of the key establishment (see the hybrid key exchange below); the nested layout above is the generic picture.

Hybrid PQC signature

The hybrid signature approach can be implemented schematically as follows:

1. Signature generation: The data is signed using both a classical signature algorithm and a post-quantum signature algorithm. The resulting hybrid signature is the tuple of the two signatures, transmitted in a fixed encoding (for example as a length-prefixed concatenation).

2. Verification: The signed data is verified using both the classical and the post-quantum verification algorithm. The signature is valid only if both checks succeed.

Important: If only one of the two verifications succeeds, or if the hybrid signature cannot be parsed into both components, the signature must be treated as invalid.
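
As an added example (not code from the original article), the following Python program composes two signature components exactly as described above: a fixed tuple encoding, strict parsing, and acceptance only when both components verify. To run offline with the standard library only, the classical component is a constructed HMAC-SHA256 stand-in (a MAC, not a public-key signature) and the post-quantum component is a Lamport one-time signature, which is genuinely hash-based but one-time. In a deployment these would be, for instance, ECDSA and ML-DSA; the sample message and all key material are constructed here.

```python
"""Hybrid signature: a classical component and a hash-based component,
serialised as one tuple and accepted only if BOTH verify."""
import hashlib
import hmac
import secrets
import struct

# --- Component 1: stand-in for the classical scheme (e.g. ECDSA) -----------------
# CONSTRUCTED STAND-IN: an HMAC-SHA256 tag under a shared key replaces the
# classical public-key signature so the example runs with the standard library
# only. It is a MAC, not a signature; it exists only to exercise the combiner.
def classical_sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def classical_verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(classical_sign(key, msg), sig)

# --- Component 2: Lamport one-time signature, stand-in for the PQC scheme --------
# Genuinely hash-based (the idea underlying hash-based signatures such as
# SLH-DSA), but ONE-TIME: a key pair must never sign two different messages.
def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> bytes:
    d = hashlib.sha256(msg).digest()
    return b"".join(sk[i][_bit(d, i)] for i in range(256))  # 256 * 32 = 8192 bytes

def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    d = hashlib.sha256(msg).digest()
    return all(
        hmac.compare_digest(hashlib.sha256(sig[32 * i:32 * i + 32]).digest(),
                            pk[i][_bit(d, i)])
        for i in range(256)
    )

# --- Hybrid combiner -------------------------------------------------------------
def encode_hybrid(sig_classical: bytes, sig_pq: bytes) -> bytes:
    """Tuple encoding: 4-byte big-endian length prefix before each component."""
    return (struct.pack(">I", len(sig_classical)) + sig_classical
            + struct.pack(">I", len(sig_pq)) + sig_pq)

def decode_hybrid(blob: bytes):
    """Strict inverse of encode_hybrid: exactly two parts, no trailing bytes.
    Returns None on anything malformed so the caller treats it as invalid."""
    parts, off = [], 0
    for _ in range(2):
        if len(blob) - off < 4:
            return None
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if len(blob) - off < n:
            return None
        parts.append(blob[off:off + n])
        off += n
    if off != len(blob):
        return None
    return parts[0], parts[1]

def hybrid_sign(classical_key: bytes, lamport_sk, msg: bytes) -> bytes:
    return encode_hybrid(classical_sign(classical_key, msg), lamport_sign(lamport_sk, msg))

def hybrid_verify(classical_key: bytes, lamport_pk, msg: bytes, blob: bytes) -> bool:
    parsed = decode_hybrid(blob)
    if parsed is None:
        return False
    sig_c, sig_pq = parsed
    # Both components must verify; one valid component alone is INVALID.
    return classical_verify(classical_key, msg, sig_c) and lamport_verify(lamport_pk, msg, sig_pq)

def demo() -> dict:
    """Constructed sample run: one valid signature and the cases a verifier must reject."""
    classical_key = secrets.token_bytes(32)
    lamport_sk, lamport_pk = lamport_keygen()
    msg = b"release-1.2.3.tar.gz"  # constructed sample message
    blob = hybrid_sign(classical_key, lamport_sk, msg)
    sig_c, sig_pq = decode_hybrid(blob)
    flipped_pq = bytes([sig_pq[0] ^ 0x01]) + sig_pq[1:]
    verify = lambda b, m=msg: hybrid_verify(classical_key, lamport_pk, m, b)
    return {
        "valid": verify(blob),
        "other_message": verify(blob, msg + b"x"),
        "classical_only": verify(encode_hybrid(sig_c, b"")),
        "pq_only": verify(encode_hybrid(b"", sig_pq)),
        "pq_corrupted": verify(encode_hybrid(sig_c, flipped_pq)),
        "trailing_bytes": verify(blob + b"\x00"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {'valid' if result else 'INVALID'}")
```

Only the `valid` case is accepted; a blob carrying one correct component and an empty or corrupted other component, or extra trailing bytes, is rejected by the same code path as a wrong message. The parser is deliberately strict so that no encoding ambiguity lets an attacker present a single-scheme signature as a hybrid one.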

Hybrid PQC key exchange

The hybrid key exchange approach typically consists of the following steps:

  1. Classical key exchange: Client and server perform a classical key exchange, e.g. ephemeral ECDH with X25519.
  2. PQC key exchange: Client and server perform a post-quantum-secure key exchange, e.g. using ML-KEM (the client sends an encapsulation key, the server returns a ciphertext, and both obtain the same shared secret).
  3. Deriving the key material: The classical shared secret and the PQC shared secret are concatenated in a fixed, agreed order and fed into a key derivation function (KDF) or the protocol's key schedule; in TLS 1.3 the concatenated secret takes the place of the (EC)DHE shared secret [4]. The derived keys remain secure as long as at least one of the two components is unbroken and can be used, for example, as symmetric keys for encrypting data.
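
As an added example, not the article's code, the following Python program implements step 3 above: it concatenates the two component secrets and runs them through HKDF (RFC 5869, implemented here from `hmac` and `hashlib`) to derive traffic keys bound to the handshake transcript. The X25519 and ML-KEM-768 exchanges of steps 1 and 2 are not performed; constructed 32-byte values stand in for their shared secrets, and the label strings and key layout are this example's own rather than those of TLS or any other protocol.

```python
"""Step 3 of the hybrid key exchange: combine two shared secrets and derive keys.

The component key exchanges (X25519 and ML-KEM-768) are assumed to have run
already; this file takes their outputs as inputs and implements the combiner.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size        # 32 bytes

# Shared-secret sizes of the assumed component schemes.
X25519_SS_LEN = 32                   # RFC 7748
MLKEM768_SS_LEN = 32                 # FIPS 203: the shared key K is always 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); empty salt -> zero block."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), i = 1, 2, ..."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(classical_ss: bytes, pqc_ss: bytes) -> bytes:
    """Concatenate classical || pqc in a fixed order agreed by both peers.

    Both secrets have fixed lengths, so plain concatenation is unambiguous.
    The length checks stop a missing or truncated component from silently
    degrading the exchange to a single scheme. The all-zero check is the
    X25519 contributory-behaviour check from RFC 7748: a low-order peer
    public key yields an all-zero shared secret and must be rejected.
    """
    if len(classical_ss) != X25519_SS_LEN or len(pqc_ss) != MLKEM768_SS_LEN:
        raise ValueError("component shared secret has unexpected length")
    if classical_ss == b"\x00" * X25519_SS_LEN:
        raise ValueError("all-zero X25519 shared secret: peer sent a low-order point")
    return classical_ss + pqc_ss


def derive_traffic_keys(classical_ss: bytes, pqc_ss: bytes, transcript: bytes,
                        key_len: int = 32) -> dict:
    """Feed the combined secret into HKDF and expand labelled traffic keys.

    The handshake transcript (both public keys, the KEM encapsulation key and
    ciphertext, nonces) is hashed into the info of every derived key so that
    a key is tied to exactly this exchange. The label prefix is this example's
    own; a real protocol uses its own key schedule (e.g. TLS 1.3's).
    """
    prk = hkdf_extract(b"", combine_shared_secrets(classical_ss, pqc_ss))
    transcript_hash = HASH(transcript).digest()
    return {
        label: hkdf_expand(prk, b"hybrid-pqc-example " + label.encode() + transcript_hash, key_len)
        for label in ("client_write_key", "server_write_key")
    }


def demo() -> dict:
    """Both peers hold the same two component secrets, so their keys match;
    changing a single byte of the PQC secret changes every derived key."""
    # CONSTRUCTED sample values standing in for real X25519 / ML-KEM-768 outputs.
    classical_ss = bytes(range(1, 33))                 # 32 bytes, not all-zero
    pqc_ss = bytes.fromhex("a1" * 32)
    transcript = b"ClientHello|ServerHello|key_share(X25519,ML-KEM-768)|ciphertext"
    client = derive_traffic_keys(classical_ss, pqc_ss, transcript)
    server = derive_traffic_keys(classical_ss, pqc_ss, transcript)
    other_pq = bytes([pqc_ss[0] ^ 0x01]) + pqc_ss[1:]
    mismatched = derive_traffic_keys(classical_ss, other_pq, transcript)
    return {
        "peers_agree": client == server,
        "pq_change_propagates": all(client[k] != mismatched[k] for k in client),
        "key_len": len(client["client_write_key"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The combiner is only as good as its checks: because a KDF happily accepts an empty or short input, the length checks are what stop an implementation bug or a downgraded peer from turning the hybrid into a single-scheme exchange without anyone noticing. Binding the transcript into the derivation is what ties the resulting keys to this particular pair of key shares.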

Recommendation for a PQC migration strategy

The hybrid approach is currently the recommended way to ensure a secure migration to post-quantum cryptography. It combines the proven strength of classical cryptographic algorithms with the quantum resistance of the newly standardized post-quantum schemes, so that a system stays secure as long as at least one of the two components holds, and thereby enables a controlled and resilient transition into the post-quantum era.

[1] NIST FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM). https://csrc.nist.gov/pubs/fips/203/final

[2] NIST FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA). https://csrc.nist.gov/pubs/fips/204/final

[3] NIST FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA). https://csrc.nist.gov/pubs/fips/205/final

[4] IETF TLS Working Group, Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design). https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/