Hybrid cryptography: running classical and post-quantum together during the transition
Hybrid schemes sign or encapsulate with both a classical and a post-quantum algorithm, so a record stays secure if either one is later broken.
Hybrid cryptography runs a classical and a post-quantum algorithm together, so a record survives if either one is broken, because two independent guarantees protect it.
The question matters in 2026 because the post-quantum standards are finalised and migration is underway, while attackers already harvest encrypted traffic now to decrypt it later once a quantum computer arrives. Regulators sharpen the pressure: DORA has been in force since January 2025, and NIS2 covers essential and important entities, so operators in regulated sectors must show a credible path off algorithms that a quantum machine would break. Hybrid gives that path without betting everything on cryptography that is only a few years old.
What does hybrid cryptography mean in practice?
In practice, hybrid means every signature or key exchange carries two outputs, one classical and one post-quantum, and a verifier accepts both before trusting anything.
A classical algorithm such as an elliptic-curve or RSA scheme has decades of scrutiny behind it. A post-quantum algorithm resists an attacker holding a large quantum computer. Hybrid does not choose between them. It combines both, so the signature or shared secret is only trusted when both components check out. An attacker must defeat the classical mathematics and the post-quantum mathematics in the same record, at the same time, to win.
Why do standards bodies recommend hybrid during the transition?
Guidance bodies recommend hybrid because post-quantum algorithms are young, so pairing each with a proven classical algorithm means one flaw does not collapse the scheme.
The post-quantum families are new to production, and history shows that young cryptography sometimes hides structural weaknesses that surface years after publication. Guidance from national security agencies and standards groups therefore treats the transition as a period of dual assurance rather than a clean switch. Keeping a proven classical algorithm in the loop means a discovered flaw in a post-quantum scheme is contained, while adding the post-quantum algorithm means the eventual arrival of a quantum computer does not undo the classical one. Neither single failure is catastrophic.
What breaks if we choose classical only or post-quantum only?
Classical only falls to a future quantum computer, post-quantum only falls if a young algorithm has a flaw, and hybrid survives unless both fail together.
The three approaches fail in different ways. The table below sets the outcomes side by side.
| Approach | If classical breaks | If the PQ algorithm has a flaw | Overhead |
|---|---|---|---|
| Classical only | Fully exposed | Unaffected | Lowest, one algorithm |
| Post-quantum only | Unaffected | Fully exposed | Low, one algorithm |
| Hybrid | Still protected | Still protected | Higher, two algorithms |
“During the migration, the safe assumption is that any single algorithm might fail, so we sign and encapsulate with two and require both to hold.”
How does hybrid apply to signing versus key exchange?
Signing and key exchange differ: FIPS 204 and FIPS 205 sign records, while FIPS 203 encapsulates keys and never signs, so hybrid pairs each primitive.
Signatures prove that a record is authentic and unaltered. Key encapsulation establishes a shared secret so two parties can encrypt a channel. These are different primitives with different standards. FIPS 204, the ML-DSA scheme, and FIPS 205, the SLH-DSA scheme, produce signatures. FIPS 203, the ML-KEM scheme, performs key encapsulation and never signs anything. A hybrid design pairs a classical signature with a post-quantum signature for authenticity, and a classical key exchange with a post-quantum encapsulation for confidentiality. Mixing the roles up is a common and costly mistake.
What is the overhead of running two algorithms?
Running two algorithms adds larger keys, bigger signatures and a little more compute, but the overhead scales predictably and buys resilience against two failure modes.
Post-quantum keys and signatures are larger than their classical counterparts, so hybrid records carry more bytes and verification touches two algorithms instead of one. In most systems the extra overhead is modest and scales linearly with the number of signatures and handshakes, not exponentially. The ratio that matters is resilience per byte: a small, predictable increase in storage and compute in exchange for surviving two separate classes of failure. For records that must stay confidential for a decade or more, that trade is straightforward.
How does a sovereign system put hybrid into practice?
A sovereign system signs its audit ledger with post-quantum algorithms, binds identity to hardware, and keeps records verifiable offline, so hybrid strengthens a sealed chain.
Mickai is a Sovereign Intelligence Operating System, a SIOS, built and live, running offline on operator-owned hardware with every action cryptographically sealed. Its audit ledger is signed with post-quantum algorithms, so the record of what the system did stays verifiable even against a future quantum adversary. Identity is hardware-attested and bound to that audit chain, a zero-egress perimeter keeps sensitive data inside the boundary, and offline verifiability means a record can be checked without any external service. Cross-model consensus adds a further check on decisions. Hybrid signing slots naturally into this design, because the ledger already treats cryptographic assurance as something to be layered, not assumed. The estate behind the substrate runs to 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD, Companies House 17166618, filed and patent pending.
Frequently asked questions
Is hybrid cryptography just a temporary measure?
Hybrid is designed for the transition period, when post-quantum algorithms are still maturing and classical ones still hold. Over time, as confidence in the post-quantum schemes grows, some systems may move to post-quantum only. During the migration, though, running both is the conservative choice, and many regulated operators will keep hybrid in place for years.
Will hybrid double my key sizes and slow everything down?
It adds overhead, but not a doubling of the total work. Keys and signatures grow and verification does a little more, yet the increase is predictable and scales with traffic rather than exploding. For most workloads the resilience gained against two failure modes outweighs the extra bytes and cycles.
Which FIPS standard signs and which one exchanges keys?
FIPS 204, ML-DSA, and FIPS 205, SLH-DSA, produce digital signatures. FIPS 203, ML-KEM, performs key encapsulation and never signs. A correct hybrid design uses the signing standards for authenticity and the encapsulation standard for confidentiality, and never confuses the two roles.
Can I use a public cloud AI service for our most sensitive data?
Services such as ChatGPT, Copilot and Gemini are strong for many tasks, and for general work they are often the right pick. For the most sensitive data, though, regulated buyers face a hard limit: the US CLOUD Act can compel a US-based provider to hand over data regardless of where its servers sit. A sovereign system that runs offline on your own hardware avoids that exposure entirely.
Does hybrid protect against harvest-now-decrypt-later attacks?
Yes. Harvest-now-decrypt-later means an attacker stores encrypted traffic today to break it once a quantum computer exists. Hybrid key encapsulation places a post-quantum algorithm alongside the classical one, so captured traffic stays protected after a quantum machine arrives, provided the post-quantum component holds. That is the main reason to migrate confidential, long-lived data first.




