pseudohadamard, a day ago:
It's actually extremely trivial in the most common usage of hybrids so far, TLS: You concatenate the output from the PQC (ML-KEM) and non-PQC (ECDH, 25519) and run it through the TLS PRF. It's one line of additional code (a memcpy() to get the extra data across) compared to taking just the output of one of the two and running it through the PRF. For signatures, you do the same thing, have the PQC sig next to the non-PQC one.

Unfortunately cryptographers want to apply every possible bell, gong, and whistle to things, which creates the mess we're in with hybrids. With (say) ECDSA you hash with SHA-256 and sign with P256, and you're done. With the PQC stuff they've used different hash functions (no problems with the old ones but they're so five minutes ago so we need to use all new ones that do the same thing but aren't compatible), non-hashed sigs (because djb doesn't like them and everyone else cargo-culted that even though it turns what should have been a standard signing operation into a giant headache), and a massive amount of other unnecessary complexity.

So it's not so much that hybrids are a pain, it's that cryptographers have gone out of their way to make hybrids a pain. They could be completely straightforward if they just applied them the same way as standard algorithms have been applied for decades.
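The "concatenate and feed it to the PRF" step the comment describes, written out as an added example (not code from the commenter or any TLS stack): the TLS 1.3 key schedule from RFC 8446 built on HMAC-SHA-256, with the hybrid shared secret formed as ML-KEM secret || X25519 secret (the order the IETF X25519MLKEM768 draft uses). The two 32-byte secrets are constructed stand-ins, not real KEM or ECDH output; `hybrid_shared_secret` and `demo` are names chosen here.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for the SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, ctx: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1)."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(ctx)]) + ctx)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """TLS 1.3 Derive-Secret: context is the transcript hash."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secret(shared_secret: bytes, psk: bytes = b"") -> bytes:
    """Early Secret -> 'derived' -> Handshake Secret, exactly as in RFC 8446.
    The (possibly concatenated) shared secret is the IKM of the second Extract."""
    early = hkdf_extract(bytes(HASH_LEN), psk or bytes(HASH_LEN))
    derived = derive_secret(early, "derived", b"")
    return hkdf_extract(derived, shared_secret)


def hybrid_shared_secret(ss_mlkem: bytes, ss_x25519: bytes) -> bytes:
    """The 'one memcpy': ML-KEM secret first, then the X25519 secret."""
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:
        raise ValueError("expected two 32-byte shared secrets")
    return ss_mlkem + ss_x25519


# Constructed stand-ins for the KEM and ECDH outputs (not real key material).
SS_MLKEM = bytes.fromhex("11" * 32)
SS_X25519 = bytes.fromhex("22" * 32)


def demo() -> bytes:
    """Handshake Secret for the hybrid; every byte of both inputs feeds HMAC."""
    return handshake_secret(hybrid_shared_secret(SS_MLKEM, SS_X25519))
```

Because HKDF-Extract runs HMAC over the whole 64-byte concatenation, the result changes if either component changes, which is the property a defender wants from a hybrid: an attacker must break both ML-KEM and X25519 to recover the handshake secret.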