Hybrid vs replacement PQC deployment
The decision axis
When integrating post-quantum cryptography into a protocol or system, there are two deployment paths:
| Path | Shape | Example |
|---|---|---|
| Hybrid | Layer PQ primitive on top of the established classical primitive. Both run; both must be broken to compromise the session. | SSH sntrup761x25519-sha512, TLS X25519MLKEM768, hybrid ML-DSA + Ed25519 cert chains. |
| Replacement | Swap classical for PQ directly. Only the PQ primitive runs. | PQ-only ML-KEM TLS, PQ-only ML-DSA certificates. |
Meta's 2026-04-16 migration-strategy post names this as an explicit design-time decision:
The deployment of PQC-based solutions generally follows one of two paths: replacement (swapping classical for PQC) or hybrid (combining both). (Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
The case for replacement
Replacement is attractive because it:
- Reduces bandwidth: only one primitive's key/ciphertext on the wire.
- Reduces complexity: no composite-algorithm negotiation, no two-halves-must-verify logic.
- Simplifies audit surface: one primitive to review, not a composition.
The argument for replacement is that "once PQ primitives are sufficiently mature AND FIPS-compliant versions are deployed, protocols will likely eventually deprecate the classical halves." On this view, hybrid is the transition-era posture and replacement is the end state.
The case for hybrid: SIKE is the lesson
Hybrid is safer during the transition window because PQ primitives are newer than the classical ones they replace, and cryptanalysis is ongoing. Meta's explicit argument:
While replacement reduces bandwidth and complexity, it relies entirely on newer PQC standards that are still maturing. The recent cryptanalysis (and invalidation) of algorithms like SIKE (final-round candidate running in the NIST PQC standardization process) underscores the importance of relying on thoroughly time-vetted, standardized algorithms during this period of transition to maintain robust security. (Source: sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson)
SIKE (Supersingular Isogeny Key Encapsulation) was a Round-4 NIST PQC candidate. In July 2022, Castryck and Decru published an attack that breaks SIKE in polynomial time on classical hardware, with no quantum computer needed. An entire class of isogeny-based schemes was eliminated overnight. Any SIKE-only deployment would have had its confidentiality destroyed at that moment; any hybrid (SIKE + ECDH) deployment would still have had the ECDH half protecting it against classical attackers.
The broader principle:
To mitigate this, we prioritize the hybrid approach by layering a PQC primitive on top of an established classical one, designed so that the combined system should remain at least as secure as the current standard. An adversary would need to break both layers to compromise the system, providing a critical safety net.
This is the canonical hybrid key encapsulation argument on the confidentiality axis and the parallel argument on the signature axis.
Trade-offs table
| Axis | Hybrid | Replacement |
|---|---|---|
| Wire size | Classical + PQ | PQ only |
| CPU cost per op | Classical + PQ | PQ only |
| Algorithm negotiation | Composite name | PQ name |
| Safety if PQ broken classically | Intact (classical half) | Compromised |
| Safety if classical broken by CRQC | Intact (PQ half) | Intact (PQ only) |
| Standards maturity required | PQ as new additive | PQ as sole reliance |
| FIPS constraint | Both halves must be FIPS-approved | Only PQ primitive FIPS-approved |
| Operational complexity | Higher (two algorithms) | Lower (one algorithm) |
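
The two safety rows of the table, applied to a negotiated key exchange, as an added example (not code from Meta, GitHub or any project cited here). The name-fragment patterns, the simplified first-match negotiation rule and the sample server and client lists are assumptions constructed for illustration.

```python
import re

# Name fragments for each half. Assumed patterns: they cover the names on this
# page plus common classical SSH/TLS key-exchange names, not a full registry.
PQ = re.compile(r"mlkem|sntrup", re.I)
CLASSICAL = re.compile(r"x25519|curve25519|ecdh|nistp|secp\d|diffie-hellman", re.I)
HALVES = {"hybrid": {"pq", "classical"}, "replacement": {"pq"},
          "classical": {"classical"}, "unknown": set()}

def posture(name):
    """Classify a key-exchange name by which primitives it runs."""
    pq, classical = bool(PQ.search(name)), bool(CLASSICAL.search(name))
    if pq and classical:
        return "hybrid"
    return "replacement" if pq else "classical" if classical else "unknown"

def survives(name, broken):
    """True if at least one half of `name` is outside `broken`.
    broken={'pq'}: PQ primitive falls to classical cryptanalysis (the SIKE case).
    broken={'classical'}: classical primitive falls to a CRQC."""
    return bool(HALVES[posture(name)] - set(broken))

def negotiate(client, server):
    """Simplified SSH rule: first name on the client's list the server also offers."""
    return next((n for n in client if n in server), None)

def audit(server, clients):
    """Per client profile: (negotiated name, posture, survives PQ break, survives CRQC)."""
    report = {}
    for label, offered in clients.items():
        chosen = negotiate(offered, server)
        report[label] = None if chosen is None else (
            chosen, posture(chosen),
            survives(chosen, {"pq"}), survives(chosen, {"classical"}))
    return report

# Constructed sample input: a server KexAlgorithms list and two client offers.
SERVER = "sntrup761x25519-sha512,curve25519-sha256,ecdh-sha2-nistp256".split(",")
CLIENTS = {
    "current": ["sntrup761x25519-sha512", "curve25519-sha256"],
    "legacy": ["curve25519-sha256", "ecdh-sha2-nistp256"],
}

if __name__ == "__main__":
    for label, row in audit(SERVER, CLIENTS).items():
        print(label, row)
```

The legacy row shows that adding a hybrid name to the server list does not by itself stop classical-only sessions; that takes removing the classical names from the list.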
When to choose replacement
Despite Meta's hybrid default, replacement is rational when:
- The PQ primitive has multiple years of deployed scrutiny and no cryptanalytic developments.
- Bandwidth is the binding constraint (embedded systems, IoT, narrow-band radio).
- The classical primitive is already broken or deprecated and keeping it creates more risk than it mitigates.
- FIPS policy mandates a single approved primitive.
Meta's own framing allows eventual replacement once "PQ primitives are sufficiently mature" — the hybrid posture is time-bounded.
When to choose hybrid
Hybrid is the safer default when:
- The PQ primitive is newly standardised (< 5 years post-standardisation).
- Cryptanalysis is ongoing — NIST's Round 4, for instance, was ongoing through SIKE's break.
- The deployment is long-lived — classical-break risk over deployment lifetime is non-trivial.
- Both halves are FIPS-approved — hybrid without FIPS for both halves is usually not acceptable in regulated contexts.
Meta's position: hybrid as the default until the PQ primitive is mature, FIPS-approved, and broadly deployed.
The orthogonal signature-side decision
The same hybrid-vs-replacement decision applies to PQ signatures:
- Hybrid signatures = ML-DSA + Ed25519 side by side, both must verify.
- Replacement = ML-DSA only.
Cloudflare's mid-2026 Cloudflare→origin ML-DSA deployment takes advantage of controlled endpoints on both sides to consider replacement (enable, then disable classical). Most public-facing deployments stay hybrid through at least 2028 per the 2029 full-PQ roadmap.
Seen in
- sources/2026-04-16-meta-post-quantum-cryptography-migration-at-meta-framework-lesson — canonical Meta statement naming the decision axis explicitly and choosing hybrid-by-default with SIKE's 2022 invalidation as the precedent.
- sources/2025-09-15-github-post-quantum-security-for-ssh-access-on-github — GitHub deploys sntrup761x25519-sha512 (hybrid), the canonical implementation of the hybrid posture on SSH.
Related
- concepts/hybrid-key-encapsulation — the KEM-side composition mechanism.
- concepts/post-quantum-cryptography — umbrella concept.
- concepts/post-quantum-authentication — the signature-side decision.
- patterns/disable-legacy-before-rotate — the three-step discipline that sits on top of hybrid rollout if eventual replacement is intended.
- systems/ml-kem — the PQ KEM being layered in hybrid.
- systems/ml-dsa-signature — the PQ signature being layered in hybrid.