### Background / Overview
As the world prepares for the upcoming quantum era, work is underway globally to prepare for its potential impact on cryptography. The advent of powerful quantum computers able to run known quantum algorithms will threaten the cryptography in use today.
This preparation work is underway among international, regional and national standards bodies, as well as the global information and communications technology (ICT) industry and community. For example, the Post-Quantum Cryptography Standardization project by the U.S. National Institute of Standards and Technology (NIST) will select and standardize post-quantum cryptography (PQC) algorithms. Not only is there a need to standardize and implement these PQC algorithms, but also to provide guidance for the transition from the current cryptographic paradigms for the current ICT protocols, tools, and processes, to a future PQC paradigm for ICT protocols, tools and processes.
Two topics related to the upcoming transition to a PQC future are cryptographic agility and hybrid cryptography. These topics are receiving attention from stakeholders including academia, standards bodies, the ICT supply chain providing cryptographic products, services, and solutions, and enterprises and governments.
While at a high level the term ‘hybrid cryptography’ is used globally, there is not yet a consensus on the best detailed approaches to hybrid cryptography.
Alternative terminology is sometimes used, such as dual signatures, composite cryptography and multiple encryption. The term hybrid cryptography might not be ideal, but so far there is not yet a consensus on a better alternative.
### What is Hybrid Cryptography?
Hybrid cryptography is defined as the usage of a post-quantum cryptographic system combined with another public-key cryptographic system (whether post-quantum or traditional) that contributes to the same cryptographic objective. The cryptographic objectives that rely upon public-key cryptography most commonly involve the use of digital signatures or key-establishment methods.
The goal of hybrid cryptography is for the cryptographic objective to achieve the security of the strongest of all cryptographic methods used in the combination. This goal may be achieved over time depending on how hybrid is employed. For example, a hybrid digital signature might enable backwards compatibility for verifiers that do not yet support PQC, but the ultimate goal will be that all verifiers will validate the stronger PQC signature at the end of the migration. Strictly speaking, during the migration, legacy verifiers may or may not support the hybrid cryptography produced by the signer, but the system as a whole does.
### Why is Hybrid Cryptography important to understand?
Some threat actors may already be storing encrypted information that they have intercepted and copied, with a view to decrypting it in the future using quantum computers. Any information that needs to be protected for a long time (e.g., corporate trade secrets, classified government documents, personal health information) may already be at risk if traditional cryptography, such as ECC and RSA, is used to safeguard that information today. Both ECC and RSA are known to be at risk from quantum computer attacks. Organizations should therefore transition to using post-quantum cryptography (PQC) to protect their information. However, the transition itself has its own costs and risks to consider.
### Relevant considerations
- **Migration:** A total transition to using PQC may take several years or even decades. Business requirements need to be maintained throughout the duration of this transitional state.
- **Resiliency:** Post-quantum cryptography systems are relatively new. PQC uses mature designs and has been intensively evaluated over the past five years, but it has still not been subjected to as many years of cryptanalysis as the current public-key cryptography (ECC and RSA). So, there remains a risk that a particular PQC system—or even cryptographic family of PQC systems—could be broken by some unforeseen cryptanalytic attack. However, the risk to systems that do not transition to PQC is generally considered to be greater.
### Advantages of hybrid cryptography
- Facilitating migration:
  - Testing post-quantum cryptography in real world settings before the quantum threat materializes, and before we rely entirely on post-quantum cryptography.
  - Continuing to comply with existing cryptography requirements or certifications, while also defending against quantum attacks.
  - Providing backwards compatibility with legacy applications, in the context of digital signature cryptography.
- Improving resiliency:
  - Reducing the cryptographic risk of an unknown classical or quantum attack on a single cryptographic system (or family of cryptographic systems).
  - Supporting defence-in-depth by providing redundant cryptographic systems.
- Compatibility:
  - Allowing parties with differing policies on required cryptography to comply with both policies by applying both required kinds of cryptography.
### Applicability of Hybrid Cryptography in cryptographic systems
The quantum threat to cryptographic systems predominantly targets public-key cryptography in its two most common use cases: digital signatures and key establishment. It is in these use cases that new post-quantum cryptography is being proposed and where system owners may wish to use hybrid cryptography.
Hybrid key establishment combines keys from two or more different key-establishment methods in such a way that a weakness in any individual method will not be sufficient to expose the resulting shared key. Typically, we would measure the security of the hybrid key establishment to be at least that of the strongest key-establishment method used in the combination. In particular, combining a traditional key-establishment method (e.g. Elliptic Curve Diffie Hellman (ECDH) or RSA key transport) with a post-quantum method would result in hybrid key establishment that maintains its security against the quantum threat only if the PQC method remains strong. Therefore, resiliency use cases may require hybrid to combine multiple PQC methods to ensure security against the quantum threat.
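The combiner below is an added illustration of the key-establishment point above; it is not code from the original document or from any standard. It assumes a concatenation-style design: every component shared secret is length-prefixed and fed into one HKDF-SHA256 extraction, and a transcript of the exchanged ciphertexts/public keys is bound in during expansion. The HKDF functions are implemented from RFC 5869 (with its test case 1 as a self-check); the salt label, the sample secrets and the transcript bytes are constructed values.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-Expand")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_self_check() -> bool:
    """Known-answer check: RFC 5869 test case 1 (SHA-256, L = 42)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


def combine_shared_secrets(secrets, transcript: bytes, key_len: int = 32) -> bytes:
    """Assumed concatenation combiner (not a standardized method).

    Each component secret is length-prefixed so that boundaries are
    unambiguous, then all of them form one IKM. Because HMAC is a PRF keyed on
    the whole IKM, an adversary missing any single component secret (for
    example the PQ one) cannot compute the PRK, which is the intent behind
    'the hybrid is as strong as its strongest component'."""
    secrets = list(secrets)
    if len(secrets) < 2:
        raise ValueError("a hybrid combiner needs at least two component secrets")
    for s in secrets:
        if not s or len(s) > 0xFFFF:
            raise ValueError("component secret must be non-empty and < 64 KiB")
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in secrets)
    prk = hkdf_extract(salt=b"hybrid-kem-combiner-v1", ikm=ikm)  # constructed label
    return hkdf_expand(prk, transcript, key_len)


# Constructed sample inputs standing in for real ECDH and PQ KEM outputs.
SAMPLE_SS_TRADITIONAL = bytes.fromhex("11" * 32)
SAMPLE_SS_PQ = bytes.fromhex("22" * 32)
SAMPLE_TRANSCRIPT = b"ecdh-ct||pq-ct"  # would be the real ciphertexts/public keys


def derive_sample_key() -> bytes:
    return combine_shared_secrets(
        [SAMPLE_SS_TRADITIONAL, SAMPLE_SS_PQ], SAMPLE_TRANSCRIPT
    )


if __name__ == "__main__":
    print("HKDF self-check:", hkdf_self_check())
    print("hybrid key:", derive_sample_key().hex())
```

Binding the transcript into the `info` input means that a tampered ciphertext on either side yields a different key rather than a silently shared weaker one; the length prefixes prevent two different secret pairs from concatenating to the same IKM.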
A hybrid digital signature combines two or more digital-signature methods in such a way that validation requires verification of some or all of the signatures, based on policy. If the verifier's policy requires all the included signatures to pass verification, the resulting security of the hybrid digital signature would be considered to be equal to the strongest signature. In the case where a policy requires only a subset to be verified, the policy could be specific to which signature(s) must be verified or only specify the size of the subset to be verified. The verifier’s policy might be configurable or imposed by the signer. Hybrid digital signatures that combine a traditional digital signature (e.g., Elliptic Curve DSA or RSA) and a PQC signature with a policy that one signature must be valid may allow for backwards compatibility to assist in system migrations. In such a use case, the policy must be configurable and should specify which signature must be valid in order to achieve the migration end-state where the post-quantum algorithms must be valid.
The security of hybrid digital signatures must be carefully assessed based upon the verifier policy and the strength of the underlying signatures. For example, if a policy allows any signature and does not specify which signatures must be valid, the security of that hybrid digital signature would be considered to be equal to the weakest of the signature methods; therefore, if a traditional digital signature is included, the hybrid cryptography would not be secure against the quantum threat under that policy. It is important for system administrators to understand the policy applied by the hybrid cryptography in use.
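The policy evaluator below is an added example, not code from the original document, that makes the two preceding paragraphs concrete: it verifies a hybrid signature under an "all", "any" or "named component required" policy, and then asks whether that same policy would still reject a quantum adversary who can forge every non-quantum-safe component. Component names, the "pq-sig" label and the verification outcomes are constructed sample values; whether a given algorithm is quantum-safe is supplied as input, not decided by the code.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ComponentResult:
    name: str           # constructed label, e.g. "ecdsa-p256" or "pq-sig"
    verified: bool      # outcome of this component's own signature check
    quantum_safe: bool  # input assumption about the component algorithm


@dataclass(frozen=True)
class HybridPolicy:
    """threshold: how many component signatures must verify;
    required: component names that must verify in addition (None = none)."""
    threshold: int
    required: Optional[Set[str]] = None


def verify_hybrid(results: Iterable[ComponentResult], policy: HybridPolicy) -> bool:
    """Apply the verifier policy to the per-component verification outcomes."""
    results = list(results)
    names = {r.name for r in results}
    if not 1 <= policy.threshold <= len(results):
        raise ValueError("threshold must lie between 1 and the component count")
    if policy.required and not policy.required <= names:
        raise ValueError("policy names a component that is not present")
    passed = {r.name for r in results if r.verified}
    if policy.required and not policy.required <= passed:
        return False
    return len(passed) >= policy.threshold


def quantum_safe_under_policy(results: Iterable[ComponentResult],
                              policy: HybridPolicy) -> bool:
    """Model a quantum adversary who forges every component that is not
    quantum-safe and nothing else; the hybrid is quantum-safe under this
    policy only if the policy rejects that adversary's forgery."""
    forgery = [ComponentResult(r.name, not r.quantum_safe, r.quantum_safe)
               for r in results]
    return not verify_hybrid(forgery, policy)


# Constructed scenarios: a traditional signature paired with a PQ signature.
SAMPLE_BOTH_VALID: List[ComponentResult] = [
    ComponentResult("ecdsa-p256", verified=True, quantum_safe=False),
    ComponentResult("pq-sig", verified=True, quantum_safe=True),
]
# A legacy verifier that cannot process the PQ component records it as failed.
SAMPLE_LEGACY: List[ComponentResult] = [
    ComponentResult("ecdsa-p256", verified=True, quantum_safe=False),
    ComponentResult("pq-sig", verified=False, quantum_safe=True),
]

POLICY_ALL = HybridPolicy(threshold=2)                        # every signature must pass
POLICY_ANY = HybridPolicy(threshold=1)                        # any one signature suffices
POLICY_PQ_REQUIRED = HybridPolicy(threshold=1, required={"pq-sig"})  # migration end-state


if __name__ == "__main__":
    for label, policy in [("all", POLICY_ALL), ("any", POLICY_ANY),
                          ("pq-required", POLICY_PQ_REQUIRED)]:
        print(f"{label:12} accepts={verify_hybrid(SAMPLE_BOTH_VALID, policy)} "
              f"quantum_safe={quantum_safe_under_policy(SAMPLE_BOTH_VALID, policy)}")
    print("legacy verifier under 'any':", verify_hybrid(SAMPLE_LEGACY, POLICY_ANY))
```

Running it shows the trade-off the text describes: "any" accepts the legacy verifier's result (backwards compatibility) but is not quantum-safe, "all" is quantum-safe but rejects the legacy verifier, and "pq-sig required" is the configurable end-state policy that stays quantum-safe while letting an additional traditional signature be carried.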
### Implementation
Hybrid is a very complex topic, from cryptanalysis and implementation perspectives. Thus, additional time and effort will be required during some phases, such as risk analysis, migration and testing, so this should be factored into the overall plans and strategy for quantum readiness.
General considerations:
- Avoid in-house development; strongly prefer a standardized method when that becomes available.
- Prefer a solution that allows for cryptographic agility. Cryptographic agility describes a system, architecture or state where cryptography is planned, built and operated to ensure that replacing an algorithm does not significantly change the functioning of the application, protocol or system. The goal is to minimize the impact of changing cryptographic functions in terms of cost, time, resources, and information security risk. Cryptographic agility can assist in the transition to using hybrid cryptography, or from hybrid cryptography if a different end state is desired.
If the motivation to use hybrid is to improve resiliency by reducing cryptographic risk, then one should choose the component methods in the hybrid solution to satisfy cryptographic diversity. **Cryptographic diversity** is the availability of cryptographic methods from different families which are unlikely to be vulnerable to the same cryptanalytic attack. Hybrid cryptography employing cryptographic diversity will mitigate a broader cryptographic risk. Cryptographic diversity can also be of benefit to cryptographic agility, allowing a vulnerable method to be replaced with a different cryptographic family in a timely manner. With a plan to standardize a PQC portfolio that has cryptographic diversity, NIST has made initial PQC algorithm selections and is expected to select an alternate PQC key establishment algorithm from Round 4 candidates of the PQC Standardization Process,^[https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4] as well as considering additional PQC digital signature candidates submitted under a separate call.^[https://csrc.nist.gov/News/2023/additional-pqc-digital-signature-candidates]
It is important to consider the availability of a proposed hybrid solution, whether and/or how a third-party vendor provides the solution, and whether the solution has intellectual property restrictions.
It is also important to assess the suitability of a hybrid solution for the desired use case. In a migration use case, the hybrid solution will combine a traditional method with a post-quantum method. In a resiliency use case, the hybrid solution should combine more than one post-quantum method. Parameters to consider include processing time, memory requirements, bandwidth requirements, certification (regulations, standards), backwards compatibility, forwards compatibility, upgrade complexity, configuration complexity, and management/operations. Specific protocols may require the use of hybrid cryptography, since PQC is often not a drop-in replacement for traditional cryptographic methods.