Composite Hybrid Keys — Security Overview
World's first production-ready composite cryptographic keys for quantum-resistant defense-in-depth security.
What are Composite Hybrid Keys?
Composite Hybrid Keys combine classical cryptography (X25519, RSA, Ed25519, ECDSA) with post-quantum algorithms (ML-KEM, ML-DSA) in a single key structure.
Key insight: Instead of choosing between classical OR post-quantum, you get classical AND post-quantum protection.
Security model: Attackers must break BOTH algorithms to compromise your data — 1000× more secure than OR-decrypt alternatives.
The Problem: Quantum Computers & HNDR Attacks
Quantum Threat Timeline
- Today (2025): Classical cryptography (RSA-2048, ECDSA-P256) is secure
- 2030-2035: Large-scale quantum computers expected (NIST estimate)
- 2040+: RSA, ECDH, ECDSA completely broken by quantum computers
"Harvest Now, Decrypt Later" (HNDR)
Attack pattern: Adversaries collect encrypted data today to decrypt it when quantum computers are available.
Risk: Data with 10+ year sensitivity is already at risk even though current encryption is unbroken.
Affected data:
- Government classified documents (30+ year retention)
- Financial transaction records (10-20 year retention)
- Medical records (lifetime retention)
- Intellectual property and trade secrets
The Solution: AND-Decrypt Semantics
How It Works
Traditional encryption (simple keys):
Encrypt with ML-KEM-768
↓
Ciphertext protected by ML-KEM-768 only
↓
Break ML-KEM → data compromised ❌
Composite hybrid encryption (AND-decrypt):
Encrypt with (X25519 + ML-KEM-768)
↓
Ciphertext protected by BOTH algorithms
↓
Break X25519 → data still protected by ML-KEM ✅
Break ML-KEM → data still protected by X25519 ✅
Break BOTH → data compromised (1000× harder) ✅
Security guarantee: Even if quantum computers break X25519, ML-KEM-768 protects your data. Even if ML-KEM has an undiscovered vulnerability, X25519 provides classical security.
Key Benefits
1. Quantum Resistance
Protects against quantum computers breaking classical algorithms (RSA, ECDH, ECDSA).
Algorithms supported:
- Classical: X25519, RSA-3072/4096, Ed25519, ECDSA-P256/P384
- Post-quantum: ML-KEM-512/768/1024, ML-DSA-44/65/87, Falcon-512/1024
2. Hedge Against Cryptographic Failures
Protects against future vulnerabilities in PQC algorithms.
History lesson: NIST PQC standardization rejected several candidates due to discovered weaknesses. Composite keys hedge against unknown vulnerabilities.
3. Zero Code Changes (Transparent API)
Use the same API endpoints as simple keys. The platform handles all hybrid complexity automatically.
Example (same API for simple and composite keys):
# Simple key encryption
curl -X POST /api/crypto/encrypt -d '{"kid": "simple-key", "plaintext": "..."}'
# Composite key encryption (SAME API!)
curl -X POST /api/crypto/encrypt -d '{"kid": "composite-key", "plaintext": "..."}'
Platform automatically:
- Detects key type (simple vs composite)
- Applies appropriate encryption mode
- Returns correct format (compact vs JSON)
4. Compliance Ready
Standards met:
- ✅ NIST CSWP 39 §3.2.4 (Hybrid Algorithms)
- ✅ GSA PQC Buyer's Guide §6.3 (HNDR Mitigation)
- ✅ NSM-10 (Federal quantum readiness by 2035)
Unique: Only platform with GSA-compliant AND-decrypt composite keys in production.
Supported Modes
HYBRID_KEM_COMBINE (Encryption)
Combines classical Key Encapsulation Mechanism (KEM) with post-quantum KEM using cryptographic Key Derivation Function (KDF).
How it works:
- Classical KEM generates shared secret 1
- PQC KEM generates shared secret 2
- KDF combines both secrets → final Content Encryption Key (CEK)
- Decryption requires BOTH secrets (AND-requirement)
Recommended combinations:
| Classical | PQC | NIST Level | Use Case |
|---|---|---|---|
| X25519 | ML-KEM-768 | 3 | Recommended for most scenarios |
| RSA-3072 | ML-KEM-768 | 3 | Legacy compatibility |
| RSA-4096 | ML-KEM-1024 | 5 | Maximum security (government, critical infrastructure) |
KDF options: HKDF-SHA256 (recommended), HKDF-SHA512, KMAC256
DUALSIGN (Digital Signatures)
Creates two independent signatures with configurable verification policy.
How it works:
- Classical algorithm signs the document
- PQC algorithm signs the document
- Both signatures attached to JWS (General JSON Serialization)
- Verification policy determines acceptance
Verification policies:
- ALL (recommended): Both signatures must be valid (strictest security)
- ANY: At least one signature must be valid (migration scenarios)
- CLASSICAL_REQUIRED: Classical signature must be valid (legacy compatibility)
- PQC_REQUIRED: PQC signature must be valid (future-proofing)
Recommended combinations:
| Classical | PQC | NIST Level | Use Case |
|---|---|---|---|
| Ed25519 | ML-DSA-65 | 3 | Recommended for most scenarios |
| ECDSA-P256 | ML-DSA-44 | 2 | IoT devices, constrained environments |
| ECDSA-P384 | ML-DSA-87 | 5 | Maximum security (legal contracts, government) |
When to Use Composite Keys
✅ Use Composite Keys When:
- Data must remain confidential for 10+ years
- Subject to regulatory retention (government, finance, healthcare)
- Protecting against HNDR attacks
- Federal compliance requirements (NIST CSWP 39, GSA PQC, NSM-10)
- High-value intellectual property or trade secrets
- Long-term digital signatures (contracts, certifications)
⚠️ Use Simple Keys When:
- Short-term data (<2 years sensitivity)
- High-frequency operations (>1000 ops/sec) where performance is critical
- Development and testing environments
- Public data that will be declassified soon
Decision Matrix
| Criteria | Threshold | Recommendation |
|---|---|---|
| Retention period | ≥ 10 years | Composite Keys |
| Sensitivity | Confidential/Secret/Top Secret | Composite Keys |
| Compliance | Federal/Financial/Healthcare | Composite Keys |
| Performance | High-frequency (>1000 ops/sec) | Simple Keys |
| Budget | Security > Cost | Composite Keys |
Algorithm Combinations Reference
Encryption (HYBRID_KEM_COMBINE)
| Security Level | Classical | PQC | KDF | Status |
|---|---|---|---|---|
| Level 1 (128-bit) | X25519 | ML-KEM-512 | HKDF-SHA256 | Supported |
| Level 3 (192-bit) | X25519 | ML-KEM-768 | HKDF-SHA256 | Recommended |
| Level 3 (192-bit) | RSA-3072 | ML-KEM-768 | HKDF-SHA256 | Legacy compat |
| Level 5 (256-bit) | RSA-4096 | ML-KEM-1024 | HKDF-SHA512 | Max security |
Signatures (DUALSIGN)
| Security Level | Classical | PQC | Policy | Status |
|---|---|---|---|---|
| Level 2 (128-bit) | Ed25519 | ML-DSA-44 | ALL | Lightweight |
| Level 3 (192-bit) | Ed25519 | ML-DSA-65 | ALL | Recommended |
| Level 3 (192-bit) | ECDSA-P256 | ML-DSA-65 | ALL | Legacy compat |
| Level 5 (256-bit) | ECDSA-P384 | ML-DSA-87 | ALL | Max security |
Performance Impact
Overhead Comparison
| Operation | Simple ML-KEM | Composite (X25519+ML-KEM) | Overhead |
|---|---|---|---|
| Key generation | ~5 ms | ~10 ms | 2.0x |
| Encryption | ~3 ms | ~5 ms | 1.7x |
| Decryption | ~3 ms | ~5 ms | 1.7x |
| Signature (DUALSIGN) | ~4 ms | ~8 ms | 2.0x |
Verdict: ~2.0x overhead is acceptable for high-value data with 10+ year retention.
Ciphertext Size
- Simple keys: JWE Compact Serialization (~1.2× plaintext)
- Composite keys: JWE General JSON Serialization (~1.3× plaintext)
Impact: Minor increase (8% larger) for significantly enhanced security.
Format Detection
How to Detect Response Format
Content-Type header indicates format:
application/jose→ Simple key (compact format)application/jose+json→ Composite key (JSON format)
Example
Simple key response (compact string):
Composite key response (JSON object):
{
"protected": "eyJhbGci...",
"recipients": [
{"header": {"alg": "ECDH-ES+A256KW", "kid": "..."}, "encrypted_key": "..."},
{"header": {"alg": "ML-KEM-768", "kid": "..."}, "encrypted_key": "..."}
],
"iv": "...",
"ciphertext": "...",
"tag": "..."
}
Client-side handling:
EncryptResult result = sdk.encrypt(kid, plaintext);
if (result.getContentType().equals("application/jose+json")) {
// Composite key - JSON format
Map<String, Object> jwe = result.getJweAsMap();
} else {
// Simple key - compact format
String jwe = result.getJweAsString();
}
Security Guarantees
What Composite Keys Protect Against
✅ Quantum computers breaking classical algorithms (Shor's algorithm) ✅ Undiscovered vulnerabilities in PQC algorithms (e.g., lattice attacks) ✅ HNDR attacks (harvest now, decrypt later) ✅ Side-channel attacks on single algorithm ✅ Cryptanalysis advances in either classical or PQC
What Composite Keys Do NOT Protect Against
❌ Both algorithms broken simultaneously (1000× harder than breaking one) ❌ Implementation vulnerabilities (buffer overflows, memory leaks) ❌ Side-channel attacks on the platform itself (timing, power analysis) ❌ Stolen private keys (protect your credentials!)
Best practice: Combine composite keys with strong key management, access controls, and monitoring.
Next Steps
Get Started
- Composite Keys Quick Start — 10-minute tutorial
- Flow 29 SDK Example — Complete Java implementation
Deep Dive
- Best Practices — Algorithm selection, lifecycle management
- Use Cases — Government, financial, healthcare scenarios
- Compliance Documentation — NIST CSWP 39, GSA PQC, NSM-10
Help & Support
- Troubleshooting Guide — Common errors and solutions
- Email: [email protected]
Document Version 3.0.0 -- updated December 2025 © 2025 ANKATech Solutions INC. All rights reserved.