Did you know that, in the Furry Fandom, the most popular choice in species for one’s fursona is actually a hybrid?
Of course, we’re not talking about that kind of hybrid today. I just thought it was an amusing coincidence.
Nor are we talking about what comes to mind for engineers accustomed to classical cryptography when you say Hybrid.
(Such engineers typically envision some combination of asymmetric key encapsulation with symmetric encryption; because too many people encrypt with RSA directly and the sane approach is often described as a Hybrid Cryptosystem in the literature.)
Rather, Hybrid Cryptography in today’s context refers to:
Cryptography systems that use a post-quantum cryptography algorithm, combined with one of the algorithms deployed today that aren’t resistant to quantum computers.
Why Hybrid Cryptosystems?
At some point in the future (years or decades from now), humanity may build a practical quantum computer. This will be a complete disaster for all of the cryptography deployed on the Internet today.
In response to this distant existential threat, cryptographers have been hard at work designing and attacking algorithms that remain secure even when quantum computers arrive. These algorithms are classified as post-quantum cryptography (mostly to distinguish it from techniques that uses quantum computers to facilitate cryptography rather than attack it, which is “quantum cryptography” and not really worth our time talking about).
However, a lot of the post-quantum cryptography designs are relatively new or comparatively less studied than their classical (pre-quantum) counterparts. Several of the Round 1 candidates to NIST’s post quantum cryptography project were broken immediately (PDF). Exploit code referenced in PDF duplicated below.:
#!/usr/bin/env python3
import binascii, struct
def recover_bit(ct, bit):
assert bit < len(ct) // 4000
ts = [struct.unpack('BB', ct[i:i+2]) for i in range(4000*bit, 4000*(bit+1), 2)]
xs, ys = [a for a, b in ts if b == 1], [a for a, b in ts if b == 2]
return sum(xs) / len(xs) >= sum(ys) / len(ys)
def decrypt(ct):
res = sum(recover_bit(ct, b) << b for b in range(len(ct) // 4000))
return int.to_bytes(res, len(ct) // 4000 // 8, 'little')
kat = 0
for l in open('KAT_GuessAgain/GuessAgainEncryptKAT_2000.rsp'):
if l.startswith('msg = '):
# only used for verifying the recovered plaintext.
msg = binascii.unhexlify(l[len('msg = '):].strip())
elif l.startswith('c = '):
ct = binascii.unhexlify(l[len('c = '):].strip())
print('{}attacking known-answer test #{}'.format('n' * (kat > 0), kat))
print('correct plaintext: {}'.format(binascii.hexlify(msg).decode()))
plain = decrypt(ct)
print('recovered plaintext: {} ({})'.format(binascii.hexlify(plain).decode(), plain == msg))
kat += 1
More pertinent to our discussions: Rainbow, which was one of the Round 3 Finalists for post-quantum digital signature algorithms, was discovered in 2020 to be much easier to attack than previously thought. Specifically, for the third round parameters, the attack cost was reduced by a factor of
, 
That security reduction is just a tad bit more concerning than a Round 1 candidate being totally broken, since NIST had concluded by then that Rainbow was a good signature algorithm until that attack was discovered. Maybe there are similar attacks just waiting to be found?
Given that new cryptography is accompanied by less confidence than incumbent cryptography, hybrid designs are an excellent way to mitigate the risk of attack advancements in post-quantum cryptography:
If the security of your system requires breaki
