Composite Hybrid Keys – Quick Start

Get started with Composite Hybrid Keys in under 10 minutes and protect your data against quantum computer attacks.

What are Composite Hybrid Keys?

Composite Hybrid Keys combine classical cryptography (X25519, RSA, Ed25519) with post-quantum algorithms (ML-KEM, ML-DSA) to provide defense-in-depth security. They protect against:

Quantum computers breaking classical algorithms (RSA, ECDSA)
Undiscovered vulnerabilities in new PQC algorithms

Security guarantee: Attackers must break BOTH the classical algorithm AND the post-quantum algorithm to compromise your data. This "AND-decrypt" model provides 1000× better protection than OR-decrypt alternatives.

Zero code changes: Use the same API endpoints as simple keys. The platform handles all complexity transparently.

Prerequisites

Before you begin, ensure you have:

AnkaSecure SDK 3.0.0 or later (download)
API credentials (JWT token or API key)
Java 17+ for SDK examples
curl for REST API examples

Step 1: Generate a HYBRID_KEM_COMBINE Key

Hybrid Key Encapsulation Mechanism (HYBRID_KEM_COMBINE) combines classical and PQC encryption with AND-decrypt semantics.

Via REST API (curl)

curl -X POST https://api.ankatech.co/api/key-management/composite-keys \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "kid": "my-hybrid-encryption-key",
    "mode": "HYBRID_KEM_COMBINE",
    "components": [
      {
        "role": "classical",
        "algorithm": "X25519"
      },
      {
        "role": "pqc",
        "algorithm": "ML-KEM-768"
      }
    ],
    "kdf": "HKDF-SHA256"
  }'

Response:

{
  "kid": "my-hybrid-encryption-key",
  "mode": "HYBRID_KEM_COMBINE",
  "components": [
    {
      "role": "classical",
      "algorithm": "X25519",
      "publicKey": "MCowBQYDK2VuAyEA..."
    },
    {
      "role": "pqc",
      "algorithm": "ML-KEM-768",
      "publicKey": "MIIDMDAKBggr..."
    }
  ],
  "kdf": "HKDF-SHA256",
  "status": "active",
  "createdAt": "2025-12-28T10:30:00Z"
}

Via Java SDK

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.model.GenerateCompositeKeySpec;
import co.ankatech.ankasecure.sdk.model.ComponentSpec;

AnkaSecureSdk sdk = AnkaSecureSdk.builder()
    .baseUrl("https://api.ankatech.co")
    .bearerToken("YOUR_JWT_TOKEN")
    .build();

GenerateCompositeKeySpec spec = new GenerateCompositeKeySpec()
    .setKid("my-hybrid-encryption-key")
    .setMode(GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE)
    .addComponent(ComponentSpec.classical("X25519"))
    .addComponent(ComponentSpec.pqc("ML-KEM-768"))
    .setKdf("HKDF-SHA256");

ExportedKeySpec result = sdk.generateCompositeKey(spec);
System.out.println("✅ Composite key generated: " + result.getKid());

Step 2: Encrypt Data (Transparent API)

Key insight: Encrypting with composite keys uses the same API as simple keys. The platform automatically detects the key type and applies hybrid encryption.

Via REST API (curl)

curl -X POST https://api.ankatech.co/api/crypto/encrypt \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "kid": "my-hybrid-encryption-key",
    "plaintext": "Q29uZmlkZW50aWFsOiBRNCBFYXJuaW5ncyBSZXBvcnQ="
  }'

Response (notice Content-Type: application/jose+json for composite keys):

{
  "jwe": {
    "protected": "eyJhbGciOiJIWUJSSUQtS0VNLUNPTUJJTkUi...",
    "recipients": [
      {
        "header": {
          "alg": "ECDH-ES+A256KW",
          "kid": "my-hybrid-encryption-key#classical"
        },
        "encrypted_key": "Xh3kF8bL2vP9..."
      },
      {
        "header": {
          "alg": "ML-KEM-768",
          "kid": "my-hybrid-encryption-key#pqc"
        },
        "encrypted_key": "Y9mQ2nK3sT5..."
      }
    ],
    "iv": "dF3bK8pL2vM9...",
    "ciphertext": "Zx4jK9mP2qN...",
    "tag": "Wc5gH7nL3sF..."
  },
  "contentType": "application/jose+json"
}

Via Java SDK

EncryptResult result = sdk.encrypt("my-hybrid-encryption-key", plaintext);

// Composite keys return JSON object (not compact string)
Map<String, Object> jweJson = result.getJweAsMap();
System.out.println("✅ Data encrypted with hybrid key");
System.out.println("Format: " + result.getContentType()); // application/jose+json

Step 3: Decrypt Data (AND-Requirement Verified)

Decryption requires BOTH classical and PQC components. If either is compromised, decryption fails.

Via REST API (curl)

curl -X POST https://api.ankatech.co/api/crypto/decrypt-jwe \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/jose+json" \
  --data-binary @encrypted.json

Response:

{
  "plaintext": "Q29uZmlkZW50aWFsOiBRNCBFYXJuaW5ncyBSZXBvcnQ=",
  "kid": "my-hybrid-encryption-key",
  "mode": "HYBRID_KEM_COMBINE",
  "componentsUsed": ["X25519", "ML-KEM-768"],
  "andDecryptVerified": true
}

Notice: andDecryptVerified: true confirms both components were required.

Via Java SDK

DecryptResult decrypted = sdk.decryptJwe(jweJson);

System.out.println("✅ Data decrypted successfully");
System.out.println("Plaintext: " + new String(decrypted.getPlaintext()));
System.out.println("AND-decrypt verified: " + decrypted.isAndDecryptVerified());

Step 4: Generate a DUALSIGN Key

Dual signature mode creates two independent signatures for defense-in-depth.

Via REST API (curl)

curl -X POST https://api.ankatech.co/api/key-management/composite-keys \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "kid": "my-dual-signature-key",
    "mode": "DUALSIGN",
    "components": [
      {
        "role": "classical",
        "algorithm": "Ed25519"
      },
      {
        "role": "pqc",
        "algorithm": "ML-DSA-65"
      }
    ],
    "verificationPolicy": "ALL"
  }'

Response:

{
  "kid": "my-dual-signature-key",
  "mode": "DUALSIGN",
  "components": [
    {
      "role": "classical",
      "algorithm": "Ed25519",
      "publicKey": "MCowBQYDK2VwAyEA..."
    },
    {
      "role": "pqc",
      "algorithm": "ML-DSA-65",
      "publicKey": "MIIFMDAKBggr..."
    }
  ],
  "verificationPolicy": "ALL",
  "status": "active"
}

Step 5: Sign and Verify with Dual Signatures

Via REST API (curl) – Sign

curl -X POST https://api.ankatech.co/api/crypto/stream/sign \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "kid": "my-dual-signature-key",
    "payload": "Q29udHJhY3QgQWdyZWVtZW50IC0gdjMuMC4w"
  }'

Response (JWS with two signatures):

{
  "payload": "Q29udHJhY3QgQWdyZWVtZW50IC0gdjMuMC4w",
  "signatures": [
    {
      "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Im15LWR1YWwtc2lnbmF0dXJlLWtleSNjbGFzc2ljYWwifQ",
      "signature": "Xh3kF8bL2vP9..."
    },
    {
      "protected": "eyJhbGciOiJNTC1EU0EtNjUiLCJraWQiOiJteS1kdWFsLXNpZ25hdHVyZS1rZXkjcHFjIn0",
      "signature": "Y9mQ2nK3sT5..."
    }
  ]
}

Via REST API (curl) – Verify

curl -X POST https://api.ankatech.co/api/crypto/stream/verify \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @signed.json

Response:

{
  "valid": true,
  "verificationPolicy": "ALL",
  "signaturesVerified": 2,
  "algorithms": ["Ed25519", "ML-DSA-65"],
  "policyMet": true
}

Notice: With verificationPolicy: ALL, both signatures must be valid. Perfect for high-security scenarios.

Expected Output Summary

After completing these steps, you have:

✅ Generated a HYBRID_KEM_COMBINE key (X25519 + ML-KEM-768) ✅ Encrypted data with quantum-resistant hybrid encryption ✅ Decrypted data with AND-decrypt verification ✅ Generated a DUALSIGN key (Ed25519 + ML-DSA-65) ✅ Signed and verified with dual signatures (ALL policy)

Quantum Protection: Your data is now protected against both classical and quantum attacks.

Troubleshooting Common Issues

Issue: "Security level mismatch"

Cause: Classical and PQC components have different NIST security levels.

Solution: Match security levels:

Level 1: X25519 + ML-KEM-512
Level 3 (recommended): X25519 + ML-KEM-768, Ed25519 + ML-DSA-65
Level 5: RSA-4096 + ML-KEM-1024

Issue: "Verification policy not satisfied"

Cause: Not all required signatures are valid.

Solution: Check verification policy:

ALL: All signatures must be valid (strictest)
ANY: At least one signature must be valid (most lenient)
CLASSICAL_REQUIRED: Classical signature must be valid
PQC_REQUIRED: PQC signature must be valid

Issue: Response format confusion

Symptom: Expecting compact JWE string, receiving JSON object.

Solution: Composite keys use General JSON Serialization (RFC 7516 §7.2):

Simple keys: Compact format (eyJhbGciOi...)
Composite keys: JSON format ({"protected": "...", "recipients": [...]})

Detection: Check Content-Type header:

application/jose → Simple key (compact)
application/jose+json → Composite key (JSON)

Where Next?

Deep Dive

Flow 29 – Complete SDK Example – Full Java implementation with ~200 lines of runnable code
Composite Keys Overview – Security architecture and AND-decrypt model
Best Practices – Algorithm selection, lifecycle management, performance optimization

Use Cases

Quantum Protection Use Cases – Government, financial, healthcare, critical infrastructure scenarios
Compliance Documentation – NIST CSWP 39, GSA PQC, NSM-10 alignment

Help & Support

Troubleshooting Guide – Common errors and solutions
Email: [email protected]
API Reference: Key Management API

Congratulations! You've successfully implemented quantum-resistant composite hybrid cryptography in under 10 minutes. Your data is now protected against both classical and quantum computer attacks.