You do not have to choose between classical and post-quantum cryptography. Hybrid encryption lets you use both simultaneously, protecting data against both classical and quantum attackers during the transition period.
Migrating from classical to post-quantum cryptography is not a switch you flip. It is a multi-year process involving protocol updates, library upgrades, certificate authority changes, and hardware security module replacements. During this transition, you need to maintain compatibility with systems that have not yet migrated while also protecting against future quantum attacks.
Hybrid encryption solves this by combining a classical key encapsulation mechanism (like X25519 or ECDH P-256) with a post-quantum KEM (like ML-KEM from NIST FIPS 203). The shared secret is derived from both — typically by concatenating the outputs and hashing them. An attacker needs to break both algorithms to decrypt the data.
Hybrid KEM construction
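```
# Both sides arrive at the same two secrets: the sender uses its ephemeral
# key and Encaps, the recipient uses its private keys and Decaps.
classical_secret = X25519(ephemeral_key, recipient_public_key)
pq_secret = ML-KEM-768.Decaps(ciphertext, recipient_pq_key)
shared_secret = HKDF(classical_secret || pq_secret)
```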
This construction is secure as long as either algorithm is secure. If ML-KEM turns out to have an undiscovered vulnerability, classical X25519 still protects you. If a quantum computer breaks X25519, ML-KEM still protects you. You get defense in depth.
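The derivation step of the construction above, written out as an added example (not MainState Labs' code or any library's API). The domain-separation label, the binding of the ephemeral public key and ML-KEM ciphertext into the HKDF `info`, and the random bytes standing in for real KEM outputs are assumptions of this sketch.

```python
import hashlib
import hmac
import os

SECRET_LEN = 32  # X25519 and ML-KEM both output 32-byte shared secrets
LABEL = b"example-hybrid-x25519-mlkem768-v1"  # hypothetical domain-separation label

def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def combine(classical_secret, pq_secret, ephemeral_public, pq_ciphertext):
    """Derive a 32-byte AES-256-GCM key from both KEM outputs."""
    # Fixed lengths keep classical_secret || pq_secret unambiguous.
    if len(classical_secret) != SECRET_LEN or len(pq_secret) != SECRET_LEN:
        raise ValueError("unexpected shared-secret length")
    # An all-zero X25519 output means a low-order public key was supplied.
    if classical_secret == bytes(SECRET_LEN):
        raise ValueError("all-zero X25519 secret")
    # Assumption: also bind the key to the values sent on the wire.
    transcript = hashlib.sha256(ephemeral_public + pq_ciphertext).digest()
    return hkdf_sha256(classical_secret + pq_secret, b"", LABEL + transcript, 32)

def demo():
    # Constructed stand-ins for real KEM outputs: random bytes, not real keys.
    ss_c, ss_pq = os.urandom(32), os.urandom(32)
    epk, ct = os.urandom(32), os.urandom(1088)  # 1,088 = ML-KEM-768 ciphertext size
    key = combine(ss_c, ss_pq, epk, ct)
    return {
        "same_inputs": key == combine(ss_c, ss_pq, epk, ct),
        "classical_changed": key != combine(os.urandom(32), ss_pq, epk, ct),
        "pq_changed": key != combine(ss_c, os.urandom(32), epk, ct),
        "ciphertext_changed": key != combine(ss_c, ss_pq, epk, os.urandom(1088)),
    }

if __name__ == "__main__":
    print(demo())
```

Because both secrets feed a single HKDF call, an attacker who recovers only one of them still faces 256 bits of unknown input keying material.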
NIST FIPS 203 standardizes ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), formerly known as CRYSTALS-Kyber. It comes in three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024, offering increasing security levels at the cost of larger key and ciphertext sizes.
| Parameter Set | Security Level | Public Key | Ciphertext |
|---|---|---|---|
| ML-KEM-512 | AES-128 equivalent | 800 bytes | 768 bytes |
| ML-KEM-768 | AES-192 equivalent | 1,184 bytes | 1,088 bytes |
| ML-KEM-1024 | AES-256 equivalent | 1,568 bytes | 1,568 bytes |
For most applications, ML-KEM-768 is the recommended choice — it provides AES-192 equivalent security with reasonable key and ciphertext sizes. ML-KEM-1024 is appropriate for applications that need to protect data for 30+ years or that face nation-state adversaries.
Implementing hybrid encryption correctly requires careful handling of key generation, encapsulation, shared secret derivation, and symmetric encryption. Getting any of these steps wrong can create subtle vulnerabilities that are difficult to detect.
The MainState Labs hybrid encryption endpoint handles the entire flow. You provide the recipient's public key bundle (X25519 + ML-KEM-768) and the plaintext. The API returns the ciphertext, the classical KEM output, and the PQ KEM ciphertext — everything the recipient needs to decrypt. The symmetric encryption uses AES-256-GCM with a randomly generated nonce.
This is the same construction that Signal, Apple, and Google are deploying in their messaging applications. The difference is that those implementations are baked into their specific protocols. The MainState Labs API makes the same construction available as a general-purpose endpoint for any application.