Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

What Is Hybrid Cryptography? | The Bridge to Post-Quantum Security

7 min. read
Table of contents

Hybrid cryptography combines two or more cryptographic algorithms—typically one classical and one post-quantum—to protect data using the strength of both. Each algorithm performs its own operation, and their outputs are mathematically merged to stay secure if one fails.

Using approved key-combiners or key-derivation functions, it bridges classical and post-quantum systems.

 

Why are organizations turning to hybrid cryptography?

Chart titled 'Why organizations are turning to hybrid cryptography' divided into four colored quadrants surrounding a central circular icon with an abstract network symbol. The top left orange box is labeled 'Redundancy & resilience' with the text 'Remains secure if one algorithm fails or is broken.' The top right blue box reads 'Migration readiness' with the text 'Enables a gradual shift toward post-quantum cryptography.' The bottom left light blue box is labeled 'Interoperability' with the text 'Bridges classical and post-quantum systems without disruption.' The bottom right teal box reads 'Protection from harvest now, decrypt later' with the text 'Keeps sensitive data secure against future quantum decryption.'

Organizations are turning to hybrid cryptography because it offers a practical bridge between today's classical systems and the post-quantum algorithms of the future. It's a transitional layer within quantum security.

More specifically:

Hybrid solutions make it possible to begin migration toward post-quantum cryptography (PQC) now, before it's fully standardized or deployed at scale. They allow encryption systems to evolve safely instead of waiting for a single, definitive cutover point.

Here's how it works.

Essentially, hybrid cryptography helps maintain security if one algorithm fails or is later broken.

So when a classical and post-quantum algorithm work together, each acts as a safeguard for the other. If the classical algorithm eventually becomes vulnerable to quantum attacks, the post-quantum algorithm continues to protect the data.

It also supports interoperability.

Many systems, devices, and protocols still depend on classical cryptography. Hybrid deployments let organizations upgrade gradually without breaking existing integrations or disrupting operations. And that makes them a practical choice for organizations and governments managing long, complex supply chains.

Finally, hybrid cryptography reduces exposure to the harvest-now, decrypt-later threat.

Horizontal process diagram titled 'Harvest now, decrypt later (HNDL)' showing five sequential steps connected by arrows. Step 1, in a blue square, reads 'Data exfiltration' with subtext 'Steals encrypted traffic or files.' Step 2, in a lighter blue square, reads 'Cold storage' with subtext 'Keeps ciphertext for years.' Step 3, in an orange square, reads 'Advances in quantum computing' with subtext 'Waits for quantum systems.' Step 4, in a white square with a blue lock icon, reads 'Decrypt later' with subtext 'Shor's breaks RSA/ECC.' Step 5, in a purple square, reads 'Use the plaintext' with subtext 'Read, sell, or forge identities.' Small text under several steps notes 'Years can pass' to indicate elapsed time between stages.

Attackers can already collect encrypted data today and wait until quantum computers are powerful enough to break it. With hybrid encryption, sensitive information remains secure even if decryption capabilities advance faster than expected.

In short:

Hybrid cryptography buys time. It keeps data protected, systems compatible, and transitions manageable while new post-quantum standards mature.

| Further reading:

 

How does hybrid cryptography actually work?

Hybrid cryptography works by combining two or more cryptographic algorithms into a single coordinated operation.

Each algorithm performs its own task—one classical, one post-quantum—and their outputs are merged to form a shared result. This allows systems to use the strengths of both without relying on either one completely.

Here's how it breaks down.

Hybrid key establishment uses classical and post-quantum key encapsulation mechanisms (KEMs) together.

Each KEM generates its own shared secret. The two secrets are then combined through an approved key-derivation function (KDF), creating one unified encryption key. This ensures that if one KEM is compromised, the other still protects the session.

Architecture diagram titled 'Example: Hybrid key establishment using classical and post-quantum KEMs' showing two horizontal layers labeled 'LEIA' and 'LUKE'. In the top layer, two labeled blocks—'KEM #1' and 'KEM #2'—each display paired elements marked 'secret s₁' and 'ciphertext c₁' in purple, and 'secret s₂' and 'ciphertext c₂' in green. Lines connect both ciphertexts to a gray box labeled 'KDF', which outputs a blue rectangle labeled 'Encryption key'. A small white box between the layers reads 'Send to Luke'. In the lower layer, two boxes labeled 'decrypt #1' and 'decrypt #2' each show recovered secrets 's₁' and 's₂' flowing into another 'KDF' box that produces a matching blue 'Encryption key'. At the bottom, a caption states: 'Two KEMs—one classical and one post-quantum—each generate shared secrets that are combined through a key-derivation function to form a single encryption key.'

Hybrid digital signatures take a similar approach.

A system can sign the same message with two algorithms—such as ECDSA and ML-DSA—and validate both signatures. In some cases, the signatures are stored separately. In others, they're merged into a single “composite” signature that behaves like one cryptographic object.

Hybrid protocols implement these techniques in real systems.

Examples include TLS, SSH, and MACsec, which can negotiate both algorithm types at the start of a secure connection. The protocol handles which combinations are used and how keys are exchanged.

Important: combining methods must follow approved key combiners or KDFs. That ensures the hybrid design remains mathematically sound and secure.

 

What kinds of hybrid cryptography exist?

Chart titled 'Types of hybrid cryptography' showing five categories connected under a central heading box labeled 'Hybrid cryptography' with text explaining that it 'combines multiple algorithms to maintain security and compatibility during the transition to post-quantum cryptography.' Each category is represented by an icon and short description. From left to right: a red hexagon labeled 'Post-quantum/traditional (PQ/T) hybrids' with text stating 'Combines one classical and one post-quantum algorithm. Most common model for gradual migration.' Next, a blue circle labeled 'Post-quantum/post-quantum (PQ/PQ) hybrids' reads 'Uses multiple post-quantum algorithms for redundancy. Adds resilience if one algorithm is later weakened.' A purple square labeled 'Composite hybrids' says 'Integrates algorithms into a single cryptographic object. Behaves as one scheme for simpler validation.' A teal circle labeled 'Non-composite hybrids' notes 'Keeps algorithms separate but merges results at the protocol layer. Common in hybrid TLS and SSH prototypes.' Finally, a yellow circle labeled 'PQC + QKD hybrids' includes text reading 'Combines post-quantum cryptography with quantum key distribution. Provides both computational and information-theoretic security.'

Hybrid cryptography takes several forms. Each is defined by how algorithms are combined and how their outputs are used together.

Recent standards define the main categories that have emerged as organizations transition from classical to post-quantum encryption.

Let's look at each type and how it works in practice.

Post-quantum/traditional (PQ/T) hybrids

A PQ/T hybrid combines one classical algorithm and one post-quantum algorithm in the same operation. Each performs its own key generation or signature process. Their results are then merged into a single shared secret or combined signature.

This is the most common model today because it maintains compatibility with legacy systems while adding quantum-resistant protection.

Note:
PQ/PQ hybrids are being studied as a fallback strategy for the long term. If one family of post-quantum algorithms—like lattice-based schemes—faces future cryptanalysis, pairing it with a different class, such as code- or hash-based cryptography, ensures diversity of security assumptions.

Post-quantum/post-quantum (PQ/PQ) hybrids

A PQ/PQ hybrid uses two or more post-quantum algorithms from different mathematical families.

The goal is redundancy. If one algorithm is later weakened, the other still provides protection.

This approach helps future-proof systems against unknown vulnerabilities in newly standardized post-quantum schemes.

Composite hybrids

A composite hybrid integrates multiple algorithms into one combined cryptographic object. Basically, the algorithms are bound together at the implementation level.

The resulting key, signature, or ciphertext behaves as if it were generated by a single algorithm, simplifying validation and integration.

Note:
Composite designs simplify key management but complicate certification and lifecycle maintenance. If one algorithm in a composite fails, replacing it may require re-validating the entire composite object. Which is an operational challenge for regulated environments.

Non-composite hybrids

Non-composite hybrids keep the algorithms separate but merge their results at the protocol layer.

For example, hybrid TLS or SSH sessions can negotiate both a classical and post-quantum key exchange, then combine the resulting secrets through a key-derivation function.

It's a modular approach that allows incremental deployment without changing underlying cryptographic libraries.

PQC + QKD hybrids

PQC + QKD hybrids represent the next frontier. They combine post-quantum cryptography (PQC) with quantum key distribution (QKD).

PQC protects data using computational hardness assumptions, while QKD provides information-theoretic security based on quantum physics. Used together, they offer layered defense for high-assurance environments.

Note:
Recent experiments such as Toshiba's FPGA-based “Muckle++” system show how QKD and post-quantum algorithms can run together on the same hardware, demonstrating a path toward integrated, end-to-end quantum-safe networks.

 

How secure are hybrid schemes in practice?

"The desired property of hybrid techniques is that derived keys remain secure if at least one of the component schemes is secure. Security properties can be complex, and for composite key establishment schemes they will need to be analyzed on a case-by-case basis with the requirements of the application in mind."
- NIST IR 8547, Transition to Post-Quantum Cryptography Standards

Hybrid cryptography is designed to maintain security even if one of its component algorithms is compromised.

A properly implemented hybrid cryptographic scheme remains secure as long as at least one algorithm continues to hold. That's the foundational principle—redundancy through independence.

Each algorithm, whether classical or post-quantum, performs its own operation.

Their outputs are then combined to form a single shared secret or digital signature. If one algorithm is later broken, the other continues to protect the data. In other words, hybrid design provides a safety margin during transition, without forcing an abrupt switch to post-quantum methods.

Security depends heavily on how those outputs are combined.

Only robust combiners—typically hash-based or key-derivation functions—can provide formal assurance. These mechanisms set strict rules for how keys are joined so that the result remains unpredictable even if one component fails. Without such safeguards, the hybrid's theoretical guarantees weaken.

However:

Adding algorithms increases complexity.

"Hybrid solutions add complexity to implementations and architectures, which can increase security risks and costs during the transition to PQC."
- NIST IR 8547, Transition to Post-Quantum Cryptography Standards

More moving parts mean more surface for implementation error. Early hybrid TLS and SSH prototypes showed that message sizes increased, negotiations slowed, and handshake logic introduced new downgrade-attack risks.

In short: hybrid cryptography improves resilience, but its real-world security depends as much on careful engineering and protocol design as on the mathematics behind it.

 

Where is hybrid cryptography already being deployed?

Diagram titled 'Hybrid cryptography in early deployment' showing three labeled sections arranged horizontally. On the left, a section titled 'Transport security' contains two stacked black and gray server icons labeled 'OpenSSL' and 'AWS' beside text reading 'Hybrid TLS 1.3 & SSH. OpenSSL and AWS s2n are running hybrid handshakes that combine X25519 and Kyber to validate post-quantum performance in real protocols.' In the center, a section titled 'Network infrastructure' displays a black network switch connected to two small devices labeled 'ML-DSA', 'ML-KEM', and 'QKD'. Beneath it, text reads 'Quantum-safe MACsec. The VMuckle framework integrates ML-KEM, ML-DSA, and QKD to deliver authenticated, quantum-safe Ethernet key exchange without changing existing IEEE standards.' On the right, a section titled 'Cloud & content delivery networks' shows a stylized graphic of cloud storage icons labeled 'KEMs' above text that reads 'Cloudflare, AWS, and NIST testbeds are piloting hybrid post-quantum KEMs to measure latency, packet size, and interoperability at scale.' A footer label below this section reads 'Cloud & CDN pilots.'

Hybrid cryptography is moving from research into early, real-world testing.

Most deployments today are experimental, but they already validate how hybrid algorithms interoperate and perform under production conditions.

Hybrid TLS 1.3 and SSH implementations

Early hybrid adoption has focused on transport security.

Projects like OpenSSL and AWS s2n have implemented hybrid versions of TLS 1.3 and SSH, pairing the classical elliptic-curve algorithm X25519 with the post-quantum scheme Kyber.

These pairings allow two endpoints to exchange both a classical and post-quantum key in the same handshake. And the results show that hybrid handshakes can run efficiently without major changes to existing protocol logic.

Quantum-safe MACsec

The VMuckle framework, developed by researchers at the Universidad Politécnica de Madrid and partners, extends hybrid cryptography to Ethernet.

It integrates ML-KEM, ML-DSA, and quantum key distribution (QKD) to create authenticated, quantum-safe key exchange for MACsec networks.

In testing, VMuckle provided long-term confidentiality and integrity without modifying the IEEE 802.1X or 802.1AE standards.

Cloud and CDN pilots

Cloud and content delivery providers are also experimenting with hybrid key exchange.

Cloudflare, AWS, and NIST testbeds have deployed hybrid post-quantum KEMs in select environments to assess latency, packet size, and reliability.

These trials demonstrate that hybrid configurations can protect traffic today while maintaining forward secrecy against future quantum attacks.

Note:
Most of these implementations remain pre-standard and are intended for evaluation. But they show that hybrid cryptography is practical, interoperable, and ready for phased adoption as NIST's post-quantum standards mature.

 

How does hybrid cryptography fit into the quantum-security roadmap?

Process diagram titled 'The quantum-security roadmap' showing a horizontal five-step sequence connected by dotted lines with diamond-shaped icons for each stage. Step 1, labeled 'Quantum readiness,' includes an icon of a checklist and text reading 'Inventory cryptographic systems and assess risk.' Step 2, labeled 'Crypto-agility,' has an icon of gears with text 'Build systems that can swap algorithms.' Step 3, labeled 'Hybrid cryptography,' features an icon of interlinked circuits and text 'Run classical and post-quantum algorithms in parallel.' Step 4, labeled 'Post-quantum cryptography (PQC),' shows a shield icon with text 'Migrate fully once standards mature.' Step 5, labeled 'Quantum key distribution (QKD),' contains a quantum-wave icon and text 'Add information-theoretic security through quantum physics.'

The path to quantum-safe security unfolds in stages.

It begins with quantum readiness—the process of identifying where classical cryptography is used and assessing what will need replacement. After that comes crypto-agility, which ensures systems can swap algorithms without major redesigns.

Hybrid cryptography sits at the midpoint of that journey.

As discussed, it allows classical and post-quantum algorithms to operate in parallel, maintaining protection during the transition. It's a temporary but expected step toward full post-quantum adoption by 2035.

Once post-quantum cryptography (PQC) is standardized and validated across major protocols, organizations can migrate entirely to PQC.

The final stage, quantum key distribution (QKD), extends security even further by introducing information-theoretic protection based on quantum physics.

Ultimately, hybrid cryptography bridges today's classical systems with the quantum-resistant future.

| Further reading:

 

What's next for hybrid cryptography?

"Hybrid cryptography combines multiple cryptographic primitives to allow security to be based on a wide range of hard problems, helping to mitigate against unknown possible attacks. … In the context of PQC migration, the use of hybrid schemes … is already advocated, as they can guarantee inter-operability during the transition phase."
- Lydia Garms et al., Experimental Integration of Quantum Key Distribution and Post-Quantum Cryptography in a Hybrid Quantum-Safe Cryptosystem

Hybrid cryptography is entering a period of standardization and early adoption.

NIST SP 800-227 and RFC 9794 are stabilizing the definitions and implementation rules that will guide how hybrids are built and validated. This marks the shift from research-driven prototypes to formal, production-ready standards.

Proof-of-concepts are also moving into operational pilots.

Major vendors and research networks are now testing hybrid deployments across TLS, SSH, and MACsec. These trials help refine interoperability and performance before large-scale rollout begins.

Long-term, hybrid cryptography will give way to fully post-quantum systems.

Once PQC algorithms are standardized and widely deployed, hybrids will no longer be needed. But their legacy will remain. Hybrid designs are teaching the industry how to modernize encryption safely by evolving rather than replacing trust models outright.

Get your quantum readiness assessment
The assessment includes:
  • Overview of your cryptographic landscape
  • Quantum-safe deployment recommendations
  • Guidance for securing legacy apps & infrastructure

Get my assessment

 

Hybrid cryptography FAQs

Hybrid post-quantum cryptography (PQC) combines classical and post-quantum algorithms in a single operation. Each algorithm generates its own key or signature. Their outputs are joined—typically through a key-derivation function—so that the system remains secure if at least one algorithm resists quantum or classical attacks.
Quantum cryptography secures communication using quantum-mechanical principles rather than mathematical assumptions. The most common form, quantum key distribution (QKD), transmits encryption keys through quantum states of light. Any eavesdropping disturbs these states, allowing detection of interception and ensuring information-theoretic security independent of computational power.
A hybrid encryption system might pair elliptic-curve Diffie-Hellman (X25519) with the post-quantum algorithm Kyber. Both produce shared secrets that are combined into one session key. This approach, used in hybrid TLS 1.3 experiments, maintains compatibility with existing systems while adding quantum-resistant protection.
Related content
YouTube playlist: A CISO's Guide to Quantum Security
Binge a 6-video series breaking down why quantum computing is closer than you think but not as difficult.
Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think?
Hear how to start your transition to quantum-resistant cryptography now.
TechDocs: Quantum Security Concepts
Get the facts on resisting the quantum computing threat straight from PANW’s solutions documentation.
Blog: Palo Alto Networks Announces New Quantum Security Innovations
Learn about the new crypto inventory tool, quantum-optimized firewalls and PAN-OS 12.1 enabled quantum readiness.

Get the latest news, invites to events, and threat alerts