Hybrid Confusion, Composite Promise: Reflections from the PKI Consortium’s 2025 PQC Conference

PQC

At the PKI Consortium’s 2025 PQC Conference in Kuala Lumpur, one topic dominated nearly every hallway conversation and audience question: hybrid cryptography. Everyone agrees that post-quantum migration must start now, but when it comes to how, the path forward looks different depending on where you sit. 

Some governments encourage hybrid approaches; others ban them outright. Some industries can test and migrate today, while others are blocked by tooling gaps, hardware dependencies, or conflicting rules. This confusion leads to hesitation at the very moment when momentum should be building. 

My colleague and Keyfactor CSO Chris Hickman shared his thoughts on how the conversations at the event shifted from theory to implementation. 

In this post, I’ll unpack my key takeaways from the event, including insights about hybrids vs. composites, why some organizations can act now while others can’t, and how crypto-agility is becoming the deciding factor in navigating this evolving landscape. 

A World Divided on Hybrid Cryptography

During my “ask me anything” presentation alongside my colleagues David Hook, Tony Chen, and Sven Rajala, almost half the audience questions focused on one issue: hybrid cryptography.  

Acting as a bridge, hybrids combine classical and post-quantum algorithms in certificates and handshakes to ease migration or calm worries about the security of the new algorithms. But today, that bridge varies by country: 

  • The U.S. National Security Agency (NSA) has publicly stated that it does not recommend hybrid encryption for national security systems, preferring “pure” post-quantum algorithms once they are ready. 
  • Germany’s BSI and other European regulators sit somewhere in between, allowing hybrid use in certain contexts while preparing to shift toward post-quantum-only solutions. 

For global industries like telecommunications, this patchwork poses a real problem. Some regional standards—such as those emerging from the EU’s ENISA guidance—lean hybrid, while others, including certain U.S. telecom and export-control frameworks, currently restrict dual-algorithm implementations. A single provider operating in multiple jurisdictions could, paradoxically, be required to deploy hybrid cryptography in one country and forbidden to use it in another. 

No one has a clear answer yet on how to reconcile those contradictions. For now, organizations are left navigating uncertainty while trying to keep long-term interoperability intact. 

Complexity Is the Cost of Flexibility

From an engineering standpoint, every new option introduces additional configuration and increased risk.

Tomas on stage at PQC conference

At Keyfactor, our products already support thousands of configuration permutations to meet diverse policy, platform, and regulatory requirements. Hybrid certificates, with their multiple algorithm combinations and cross-compatibility layers, multiply that complexity.

While Keyfactor supports hybrid PQC configurations, broader industry adoption remains uneven. Hybrid implementations for signatures and PKI are still being standardized, meaning full interoperability across vendors is limited today. 

That means even organizations eager to start their post-quantum migration find themselves hitting walls. As I told several customers after the conference: You can secure your backend systems with PQC today, but the rest of your stack may not yet be ready to join the journey. 

Pure PQC is the least complex option and currently the one most ready for use, with support in widely deployed tooling. So, if you need to move fast, or are unsure which path to take, look at pure PQC as the first option to investigate.

Now, let’s dive into yet another option: composite cryptography.

Hybrid vs. Composite: Untangling the Terminology

Even for practitioners, the terminology can be confusing: it is not fully defined and has changed over time. For example, hybrid, as noted in the table below, has also been known as Catalyst, more recently as Chimera, and also as X.509 Alternatives. 

Both hybrid, as it started out being referred to, and composite approaches use multiple algorithms—typically one classical and one post-quantum—but they differ in structure and compatibility. 

Here’s a simple way to think about it:

| Term | Definition | Compatibility | Status |
| --- | --- | --- | --- |
| Hybrid PKI | Combines classical + PQC algorithms but remains backward compatible with existing systems | Backward compatible | Widely discussed, limited implementations |
| Composite PKI | Combines classical + PQC algorithms into a single cryptographic object, without backward compatibility | Not backward compatible | Nearing standardization by IETF |

As my colleagues David Hook and Sven Rajala discussed in our Keymasters episode on composites, composites are effectively the next evolution of hybrid cryptography. They enable multiple keys—like a PQC key and an RSA or ECDSA key—to be represented together within one standard certificate and used jointly or individually, depending on policy. 

David put it best: composites began as an “and/or” model—either algorithm could sign or verify—but have matured into a “do both” standard now entering final review by the Internet Engineering Task Force (IETF).
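To make the difference between those two models concrete, here is an added example in Go; it is not code from the original post, from Keyfactor, or from the IETF drafts. It assumes RSA and ECDSA as the two components (the Go standard library has no ML-DSA, which is what a real composite pairs with a classical key) and a plain pair of byte strings in place of the draft's ASN.1 wrapping. `Verify` implements both the early "and/or" policy and the "do both" policy, so the effect of one component signature failing can be compared directly:

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Policy int

const (
	PolicyEither Policy = iota // early "and/or" model: one valid component suffices
	PolicyBoth                 // current "do both" model: every component must verify
)

// CompositeKey pairs two component private keys. Real composites pair a classical
// key with ML-DSA; this example assumes RSA and ECDSA as stand-in components.
type CompositeKey struct {
	First  *rsa.PrivateKey
	Second *ecdsa.PrivateKey
}

type CompositePublicKey struct {
	First  *rsa.PublicKey
	Second *ecdsa.PublicKey
}

// CompositeSignature is the pair of component signatures (no ASN.1 wrapping here).
type CompositeSignature struct {
	First  []byte
	Second []byte
}

func GenerateComposite() (*CompositeKey, error) {
	r, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	e, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CompositeKey{First: r, Second: e}, nil
}

func (k *CompositeKey) Public() *CompositePublicKey {
	return &CompositePublicKey{First: &k.First.PublicKey, Second: &k.Second.PublicKey}
}

// Sign produces one signature per component over the same message digest.
func (k *CompositeKey) Sign(msg []byte) (*CompositeSignature, error) {
	digest := sha256.Sum256(msg)
	s1, err := rsa.SignPKCS1v15(rand.Reader, k.First, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	s2, err := ecdsa.SignASN1(rand.Reader, k.Second, digest[:])
	if err != nil {
		return nil, err
	}
	return &CompositeSignature{First: s1, Second: s2}, nil
}

// Verify checks each component independently, then combines the results by policy.
func Verify(pub *CompositePublicKey, msg []byte, sig *CompositeSignature, p Policy) bool {
	digest := sha256.Sum256(msg)
	ok1 := rsa.VerifyPKCS1v15(pub.First, crypto.SHA256, digest[:], sig.First) == nil
	ok2 := ecdsa.VerifyASN1(pub.Second, digest[:], sig.Second)
	switch p {
	case PolicyEither:
		return ok1 || ok2
	case PolicyBoth:
		return ok1 && ok2
	}
	return false
}

// TamperSecond returns a copy of sig whose second component is corrupted, standing
// in for a component signature that can no longer be relied on.
func TamperSecond(sig *CompositeSignature) *CompositeSignature {
	bad := append([]byte(nil), sig.Second...)
	bad[len(bad)-1] ^= 0x01
	return &CompositeSignature{First: sig.First, Second: bad}
}

func main() {
	key, err := GenerateComposite()
	if err != nil {
		panic(err)
	}
	msg := []byte("to-be-signed certificate bytes (constructed sample)")
	sig, err := key.Sign(msg)
	if err != nil {
		panic(err)
	}
	bad := TamperSecond(sig)
	fmt.Println("either, one component bad:", Verify(key.Public(), msg, bad, PolicyEither))
	fmt.Println("both,   one component bad:", Verify(key.Public(), msg, bad, PolicyBoth))
}
```

Under `PolicyEither` the composite stays valid while one component is bad, so whoever can forge just one of the two algorithms needs nothing more; under `PolicyBoth` a forgery has to defeat both components, which is the property the "do both" model is meant to deliver.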

At Keyfactor, we have supported X.509 hybrid PKI for a year now, and we already have proofs of concept running on composite certificates with enterprise clients. The first Request for Comments (RFC), the official standardization document published by the IETF, is expected soon.

This marks a significant step toward establishing usable post-quantum PKI standards. 

Why Some Can Move Now and Others Can’t

For all the excitement, the hard truth is that implementation readiness still varies widely. 

  • Ready today: Organizations that use PKI, do not rely on formal certification, and use flexible cryptographic libraries (such as Bouncy Castle) can already begin testing PQC algorithms and even deploy hybrid TLS configurations in limited environments. 
  • Not ready yet: Those dependent on certified hardware security modules (HSMs), smartcards, or firmware-bound devices may need to wait. Certification backlogs—particularly under FIPS and Common Criteria—mean some post-quantum algorithms can’t yet be used in production systems that require certification. 

This divergence leads to what I call the “crypto-agility gap.” 

But the key message from the PQC Conference was clear: don’t wait for the market to be perfect. 

Start preparing your inventory, policies, and architecture now so when those certifications and libraries arrive, you’re ready to move. And don’t forget to test, test, test, and contribute your findings.

From Theory to Action: Practical Recommendations

Throughout the event, three recommendations consistently emerged for PQC readiness:

  1. Build a complete cryptographic inventory
    You can’t protect what you don’t know. Organizations need visibility into where and how cryptography is used: certificates, APIs, embedded systems, devices, and applications. Automated discovery and classification tools are crucial for mapping this landscape and identifying which assets are impacted by post-quantum migration.

  2. Prioritize by business impact and technical feasibility
    Not all systems are created equal. Identify which cryptographic components protect your most sensitive data or have the longest lifespan: think data exposure and IoT devices or industrial systems expected to remain in service for a decade or more. Those are prime candidates for early migration planning.

  3. Begin migration planning and testing now
    Even if hybrid or composite standards are still maturing, begin proof-of-concept work. Start small. Test algorithms in your development environment, validate interoperability, and document where integrations fail. The insights you gain will inform a smoother transition when production-ready solutions arrive. Where you rely on open-source components, this also gives you a chance to contribute your findings, fix bugs, and close gaps in the ecosystem. 
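The first two steps, inventory and prioritization by lifespan, can be exercised end to end on a certificate bundle. The following Go program is an added example, not code from the original post or from Keyfactor. It constructs a two-certificate PEM bundle (an RSA web certificate expiring in 2027 and an ECDSA device certificate valid until 2040), records each certificate's public-key algorithm and whether it is quantum-vulnerable, and ranks the entries with an assumed rule that puts vulnerable keys with the longest remaining service life first. The priority thresholds, the sample subjects and the fixed reference date are assumptions made for this example:

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

type Entry struct {
	Subject           string
	Algorithm         string
	QuantumVulnerable bool
	DaysRemaining     int
	Priority          int // 3 = migrate first, 0 = no PQC action needed
}

// SampleNow is the fixed reference date for the constructed sample bundle.
var SampleNow = time.Date(2025, 11, 1, 0, 0, 0, 0, time.UTC)

// quantumVulnerable lists the classical algorithms a quantum computer is expected to break.
var quantumVulnerable = map[x509.PublicKeyAlgorithm]bool{
	x509.RSA: true, x509.DSA: true, x509.ECDSA: true, x509.Ed25519: true,
}

// priority is this example's assumed rule: vulnerable keys with the longest
// remaining service life (think device certificates) are migrated first.
func priority(vulnerable bool, days int) int {
	switch {
	case !vulnerable:
		return 0
	case days >= 5*365:
		return 3
	case days >= 365:
		return 2
	}
	return 1
}

// Inventory classifies every CERTIFICATE block in a PEM bundle and returns the
// entries with the highest-priority migration candidates first.
func Inventory(bundle []byte, now time.Time) ([]Entry, error) {
	var entries []Entry
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("inventory: %w", err) // surface, never silently skip
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		vuln := quantumVulnerable[cert.PublicKeyAlgorithm]
		entries = append(entries, Entry{cert.Subject.CommonName, cert.PublicKeyAlgorithm.String(), vuln, days, priority(vuln, days)})
	}
	sort.SliceStable(entries, func(i, j int) bool { return entries[i].Priority > entries[j].Priority })
	return entries, nil
}

// must panics on error; acceptable here because the inputs are constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds one constructed self-signed certificate for the sample bundle.
func selfSigned(cn string, notAfter time.Time, key crypto.Signer) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    SampleNow.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed bundle: a short-lived RSA web certificate and an
// ECDSA device certificate expected to stay in service until 2040.
func SampleBundle() []byte {
	web := selfSigned("rsa-web-tls", time.Date(2027, 6, 1, 0, 0, 0, 0, time.UTC),
		must(rsa.GenerateKey(rand.Reader, 2048)))
	dev := selfSigned("ecdsa-iot-device", time.Date(2040, 11, 1, 0, 0, 0, 0, time.UTC),
		must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	return append(web, dev...)
}

func main() {
	for _, e := range must(Inventory(SampleBundle(), SampleNow)) {
		fmt.Printf("%+v\n", e)
	}
}
```

To run it against real data, pass the bytes of an exported bundle and `time.Now()` to `Inventory` in place of `SampleBundle()` and `SampleNow`. Anything the parser rejects comes back as an error rather than being dropped, so unusual entries surface for manual review, and the sorted result is a first draft of the migration order that step 3 then tests against.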

At the same time, recognize that the right approach varies by organization. Some can begin migrating now, others must wait—but all can prepare.  

The more you understand your current cryptographic posture, the more agile you’ll be when external dependencies catch up. 

Crypto-Agility: Bridging Today and Tomorrow

Speakers, stage, conference panel

The conversations in Kuala Lumpur underscored one truth: crypto-agility is no longer optional. 

It’s the foundation that lets you evolve with emerging standards, swap algorithms as guidance changes, and stay compliant amid regional contradictions. The only sustainable path forward is flexibility. 

As we’ve seen firsthand at Keyfactor, crypto-agility empowers organizations to: 

  • Rapidly update trust anchors, certificates, and policies as standards evolve 
  • Support pure, hybrid, and composite implementations as needed 
  • Maintain interoperability across diverse platforms and ecosystems 
  • Minimize disruption from future regulatory or technological shifts 

Those who invest in agility today will weather the turbulence of PQC migration far more smoothly than those who wait. 

Start Now, Even If the Finish Line Isn’t Visible

The PQC transition is a long-term program of continuous evolution. Starting now is the only way to shorten the learning curve and identify the obstacles that still remain.  

As we’ve seen in our own testing, the gaps you find today are often filled within months. Every iteration brings the industry closer to usable, interoperable post-quantum systems. 

Explore how Keyfactor’s flexible architecture enables crypto-agility from day one, helping enterprises stay ahead of quantum disruption.