Getting Ready For The Quantum Computing Era: Thoughts On Hybrid Cryptography

Using a classical cryptographic algorithm alongside its quantum safe equivalent.


Once quantum computers, more specifically Cryptographically Relevant Quantum Computers (CRQCs), have become powerful and reliable enough, they will enable adversaries to break the asymmetric cryptography in use today (RSA and elliptic-curve key exchange and signatures), placing important data and assets at risk. New digital signatures and key encapsulation mechanisms (KEMs) are needed, and while considerable progress has been made in recent years to develop new quantum-resistant algorithms, there are still ongoing discussions in the industry about the best way to deploy them in the various security protocols that the industry requires.

The concept of “hybrid cryptography” is to use two or more fundamentally different algorithms that offer similar cryptographic functionality. In the context of Quantum Safe Cryptography more specifically, it refers to using a combination of classical cryptographic algorithms, for example, X25519 elliptic curve key exchange or ECDSA, in combination with Quantum Safe equivalents such as ML-KEM / FIPS 203 and ML-DSA / FIPS 204.

Hybrid cryptography comes in two flavors, which are sometimes referred to as “AND hybrid” and “OR hybrid”. The latter, as the name suggests, means that both algorithms are supported and a protocol negotiates which of the two it will use for a given connection. This minimizes performance impact and is important to ensure mission continuity during the transition to Quantum Safe algorithms in heterogeneous systems where not all components can transition at the same time.

On the other hand, it also means that communications protected only by classical ECC / RSA cryptography remain vulnerable to CRQCs, and communications protected only by Quantum Safe algorithms rely on a much newer, less tested code base for these algorithms. On top of that, “OR hybrid” applications need to be designed specifically to prevent downgrade attacks: the algorithm negotiation itself must be authenticated, otherwise an attacker on the path can simply strip the Quantum Safe option from the offered list and force the classical algorithm. “OR hybrid” is more often simply subsumed within crypto agility discussions.

More often, when people talk about hybrid cryptography in the context of Quantum Safe algorithms, they refer to the “AND hybrid” model where both a classical and a Quantum Safe algorithm are combined to ensure security even if one of the algorithms or its implementation is broken. In the case of a key exchange, for example, this means that the session key is derived from both a classical shared secret, such as one produced by X25519, and a Quantum Safe shared secret, such as one produced by ML-KEM / FIPS 203, so that an attacker who recovers only one of the two learns nothing about the session key. One example of this can be found in the provision of NIST SP 800-56C Rev. 2 that allows a hybrid shared secret to be formed by concatenating the classical shared secret with an auxiliary shared secret (Z’ = Z || T) before it is fed to the key derivation function that produces the session key. Also, there are various IETF drafts, for example draft-tls-westerbaan-xyber768d00-0314, that are actively being worked on to support AND hybrid key exchanges in TLS by concatenating the X25519 and Kyber768 shared secrets in exactly this way. In terms of signatures, an AND hybrid scheme only returns valid if both the classical and the Quantum Safe signature verify successfully; a verifier that accepts the message when either one verifies has silently degraded to an “OR hybrid”.
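The combiner described above, as an added example that is not part of the original post or of any Rambus product: a real X25519 exchange (Go's standard crypto/ecdh) supplies the classical secret Z, while T is a constructed 32-byte value standing in for the shared secret both parties would obtain from ML-KEM encapsulation and decapsulation, since this example deliberately avoids any third-party post-quantum library. The two secrets are concatenated as Z’ = Z || T and run through the SP 800-56C Rev. 2 one-step KDF with SHA-256 as the auxiliary function (counter || Z’ || FixedInfo, hashed per block). The FixedInfo label and the function names are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// HybridSecret forms Z' = Z || T, the hybrid shared secret permitted by
// NIST SP 800-56C Rev. 2: Z is the classical (e.g. X25519) shared secret and
// T is the auxiliary shared secret from the post-quantum KEM (e.g. ML-KEM).
func HybridSecret(z, t []byte) []byte {
	out := make([]byte, 0, len(z)+len(t))
	out = append(out, z...)
	return append(out, t...)
}

// OneStepKDF is the SP 800-56C Rev. 2 one-step key derivation function with
// SHA-256 as the auxiliary function: the output is the concatenation of
// H(counter || secret || fixedInfo) for counter = 1, 2, ... (32-bit big-endian
// counter), truncated to keyLen bytes.
func OneStepKDF(secret, fixedInfo []byte, keyLen int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < keyLen; counter++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], counter)
		h := sha256.New()
		h.Write(c[:])
		h.Write(secret)
		h.Write(fixedInfo)
		out = h.Sum(out)
	}
	return out[:keyLen]
}

// DeriveHybridKey derives a 256-bit session key from both component secrets.
// Changing either z or t changes the output, which is the whole point of the
// AND hybrid: an attacker must recover both secrets to learn the key.
func DeriveHybridKey(z, t, fixedInfo []byte) []byte {
	return OneStepKDF(HybridSecret(z, t), fixedInfo, 32)
}

// fixedInfo is the context string bound into the KDF; the label is an
// assumption of this example, not taken from any standard or protocol.
var fixedInfo = []byte("example-hybrid-x25519-mlkem-v1")

// RunHybridExchange performs a real X25519 key agreement between two parties
// and combines it with a constructed stand-in for the ML-KEM shared secret.
// It returns the session key computed on each side so a caller can check
// that they agree.
func RunHybridExchange() (aliceKey, bobKey []byte, err error) {
	curve := ecdh.X25519()
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Classical component: each side computes Z from its own private key and
	// the peer's public key.
	zAlice, err := alicePriv.ECDH(bobPriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	zBob, err := bobPriv.ECDH(alicePriv.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	// Post-quantum component: constructed sample value standing in for the
	// 32-byte shared secret that ML-KEM encapsulation (Alice) and
	// decapsulation (Bob) would both produce. Not a real KEM.
	pqSharedSecret := bytes.Repeat([]byte{0x5a}, 32)

	aliceKey = DeriveHybridKey(zAlice, pqSharedSecret, fixedInfo)
	bobKey = DeriveHybridKey(zBob, pqSharedSecret, fixedInfo)
	return aliceKey, bobKey, nil
}

func main() {
	a, b, err := RunHybridExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("alice:", hex.EncodeToString(a))
	fmt.Println("bob:  ", hex.EncodeToString(b))
	fmt.Println("match:", bytes.Equal(a, b))
}
```

The combiner is only as good as the KDF that consumes Z’: it must be a proper one-way derivation over the entire concatenation (not, for example, an XOR of the two secrets, which lets an attacker who controls one component cancel the other), and the FixedInfo should bind the protocol context so the same secrets cannot be reused to derive keys for a different purpose.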

The Rambus Quantum Safe IP Portfolio allows for the implementation of hybrid cryptography. The Rambus QSE-IP-86 Quantum Safe Engine is a standalone cryptographic core that supports the NIST draft standards FIPS 203 ML-KEM and FIPS 204 ML-DSA and provides SHAKE-128 and SHAKE-256 acceleration. It can be combined with an accelerator for traditional asymmetric cryptography such as the Rambus PKE-IP-85 core that accelerates classic public key cryptography and a TRNG-IP-76 core that generates true random numbers. The Rambus RT-600 family of Root of Trust cores provides a robust integrated solution embedding engines and firmware that support both the full suite of CNSA 1.0 classic and CNSA 2.0 Quantum Safe algorithms (including NIST SP 800-208 XMSS/LMS hash-based verification) that can be used to implement AND hybrid solutions, offering system security management for use cases like secure boot, secure debug, secure firmware upgrade, lifecycle and SKU management, platform attestation and authentication.

Join me for my webinar “Protecting Devices and Data in the Quantum Era” on January 10, 2024 to learn about all the latest developments in Quantum Safe Cryptography and how you can protect your past, current, and future data in the quantum computing era.
