Run classical and post-quantum cryptography simultaneously. Ed25519 + ML-DSA signatures. ECDH + ML-KEM key exchange. Full backward compatibility with every downstream system while adding quantum resistance from day one.
Hybrid post-quantum migration means running classical and post-quantum cryptographic algorithms simultaneously on the same operations. Every signature carries two (or more) independent cryptographic proofs. Every key exchange establishes shared secrets through two independent mechanisms. Every attestation is verifiable through both classical and post-quantum algorithms.
This is not a transitional hack. It is the migration strategy recommended by NIST, by the NSA (in its CNSA 2.0 guidance), and by the IETF (in its Internet-Drafts on hybrid key exchange for TLS). The logic is straightforward: classical algorithms are mature and well understood but will eventually be broken by quantum computers. Post-quantum algorithms are quantum-resistant but are newer and less battle-tested. Running both simultaneously protects you against both scenarios: a quantum attack on the classical layer, and classical cryptanalysis that may yet uncover weaknesses in a PQ algorithm.
In practical terms, when your application authenticates a user through H33 in hybrid mode, the authentication event carries an Ed25519 signature (classical, 64 bytes) and an ML-DSA-65 signature (post-quantum, approximately 2,420 bytes). Downstream systems that understand PQ validate both signatures and verify they cover the same payload. Systems that only understand classical cryptography validate the Ed25519 signature and ignore the PQ extension. No system breaks. Every system is protected to the maximum extent it can verify.
The most dangerous moment in any cryptographic migration is the transition itself. Cold cutover — turning off classical algorithms and turning on post-quantum ones at a specific moment — creates a single point of failure. If the new algorithms have an implementation bug, your authentication system is down. If a downstream partner hasn't updated their verification code, their integration breaks. If a regulatory auditor questions the maturity of PQ algorithms, you have no fallback.
Hybrid mode eliminates all three risks. The classical layer provides a fallback for every operation. If ML-DSA verification fails on a downstream system, Ed25519 verification succeeds and the operation completes. If a bug is discovered in a PQ implementation, you disable the PQ layer and continue operating on classical algorithms while the fix is deployed. If an auditor questions PQ maturity, you can demonstrate that classical protection is still in place.
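As an added illustration of the verification rule described above (not code from H33), here is a Go sketch of a hybrid envelope and the two downstream policies it supports: a classical-only verifier that ignores the PQ extension, and a PQ-aware verifier that requires both proofs over the same payload, with the PQ layer switched off only by an explicit operator decision. The envelope layout, the `requirePQ` switch and the keyed-hash stand-in for ML-DSA are assumptions; Go's standard library has no ML-DSA, so the post-quantum verifier is injected.

```go
package main

import ("crypto/ed25519"; "crypto/hmac"; "crypto/sha256"; "errors")

// Envelope is a constructed hybrid signature container (assumption, not H33's
// wire format). Both signatures are computed over the same Payload bytes,
// which is how a PQ-aware verifier knows the two proofs cover identical data.
type Envelope struct {
	Payload    []byte
	Ed25519Pub ed25519.PublicKey
	Ed25519Sig []byte // 64 bytes
	PQPub      []byte // nil when the signer attached no PQ extension
	PQSig      []byte
}

// PQVerify abstracts the post-quantum verifier (ML-DSA-65 in H33). Go's
// standard library ships no ML-DSA, so the caller supplies one.
type PQVerify func(pub, msg, sig []byte) bool

var ErrClassical = errors.New("ed25519 signature invalid")
var ErrPQMissing = errors.New("PQ layer required but no PQ signature present")
var ErrPQ = errors.New("post-quantum signature invalid")

// Verify applies the two downstream policies: a classical-only system checks
// Ed25519 and treats the PQ extension as opaque; a PQ-aware system
// (requirePQ=true) must see both layers succeed. Turning the PQ layer off is
// an explicit operator flip of requirePQ, never a silent fallback after a PQ
// failure; otherwise stripping the extension would downgrade the envelope.
func Verify(e Envelope, requirePQ bool, pq PQVerify) error {
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(e.Ed25519Pub) != ed25519.PublicKeySize || !ed25519.Verify(e.Ed25519Pub, e.Payload, e.Ed25519Sig) {
		return ErrClassical
	}
	if !requirePQ { return nil }
	if e.PQPub == nil || e.PQSig == nil { return ErrPQMissing }
	if !pq(e.PQPub, e.Payload, e.PQSig) { return ErrPQ }
	return nil
}

// StandInPQSign/Verify are a keyed-hash placeholder so the example runs
// offline; they are NOT a post-quantum signature. Use ML-DSA for real use.
func StandInPQSign(key, msg []byte) []byte { m := hmac.New(sha256.New, key); m.Write(msg); return m.Sum(nil) }
func StandInPQVerify(key, msg, sig []byte) bool { return hmac.Equal(StandInPQSign(key, msg), sig) }

// Sign builds the envelope: Ed25519 always, PQ layer only when pqKey is set.
func Sign(payload []byte, priv ed25519.PrivateKey, pqKey []byte) Envelope {
	e := Envelope{Payload: payload, Ed25519Pub: priv.Public().(ed25519.PublicKey), Ed25519Sig: ed25519.Sign(priv, payload)}
	if pqKey != nil {
		e.PQPub, e.PQSig = pqKey, StandInPQSign(pqKey, payload)
	}
	return e
}
```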
Hybrid mode also provides a validation window. Before you trust post-quantum algorithms with your production traffic exclusively, you can run them in parallel with known-good classical algorithms for months. Compare outputs. Monitor for anomalies. Build confidence. Only when hybrid operation has been stable for a sustained period — H33 recommends a minimum of 6 months — should you consider dropping the classical layer.
Four phases from classical-only to PQ-only, with hybrid as the stable operating state for 2-5 years.
Phase 01 (classical only). Your infrastructure runs exclusively on classical algorithms (Ed25519, ECDSA, ECDH, RSA). All downstream systems verify classical signatures. This is where most organizations are today. Vulnerable to harvest-now, decrypt-later attacks on data with long-term confidentiality requirements.
Phase 02 (hybrid). H33 API adds post-quantum signatures and key exchange alongside existing classical operations. Both layers are active on every operation. Downstream systems validate whichever layer they understand. HNDL threat is neutralized because PQ layer protects long-term data. This is the recommended operating state for 2-5 years.
Phase 03 (PQ primary). Post-quantum algorithms become the primary verification layer. Classical algorithms remain active as a fallback but are no longer the primary trust anchor. Downstream systems are validated for PQ support. Crypto agility monitoring confirms all endpoints are PQ-capable. Classical layer is preserved but deprioritized.
Phase 04 (PQ only). Classical algorithms are removed. All operations are exclusively post-quantum. This phase should only be reached when regulatory guidance supports PQ-only operation, all downstream systems are confirmed PQ-capable, and hybrid mode has been stable for at least 12 months. CNSA 2.0 targets 2035 for this state in federal systems.
There is no rush to reach Phase 04. Hybrid mode (Phase 02) provides full quantum protection while maintaining backward compatibility. Most organizations should plan to operate in hybrid mode for 2-5 years. The drop-classical decision is a policy decision, not a technical one.
Dropping the classical cryptographic layer is a significant decision that should be driven by confidence thresholds, not arbitrary timelines. H33 recommends evaluating five criteria before moving from hybrid to PQ-only operation.
| Dimension | Cold Cutover | Hybrid Migration (H33) |
|---|---|---|
| Downtime | Required (maintenance window) | Zero |
| Backward Compatibility | Breaks systems that don't understand PQ | Classical layer maintains all existing integrations |
| Rollback Path | Requires another cutover (more downtime, more risk) | Disable PQ layer; classical continues uninterrupted |
| Validation Period | None; PQ is trusted from the moment of cutover | Months of parallel operation before PQ becomes primary |
| Risk Profile | Single point of failure at cutover moment | Dual-layer protection throughout transition |
| Compliance During Transition | Gap between classical and PQ certification | Both classical and PQ compliance met simultaneously |
| Partner Impact | All partners must be PQ-ready at cutover date | Partners upgrade at their own pace |
| Quantum Protection Start | Only after cutover completes | From first hybrid API call |
Hybrid post-quantum migration runs classical and post-quantum cryptographic algorithms simultaneously on the same operations. For example, an authentication event carries both an Ed25519 signature (classical) and an ML-DSA signature (post-quantum). Systems that understand PQ verify both. Systems that don't can still verify the classical signature. This provides backward compatibility during the transition period.
Direct cutover creates risk in two directions. First, not all downstream systems may be ready to validate PQ signatures, so a cold cutover breaks integrations. Second, post-quantum algorithms are newer than classical ones. Hybrid mode means you are protected by both: if the classical algorithm is broken by a quantum computer, the PQ algorithm protects you; if a flaw is discovered in a PQ algorithm, the classical algorithm still provides security.
H33 supports Ed25519 + ML-DSA-65 for signatures, ECDH P-256 + ML-KEM-768 for key exchange, RSA-2048 + ML-DSA-65 for legacy environments, and Ed25519 + FALCON-512 for compact hybrid signatures. The three-key signer supports triple combinations across three independent hardness assumptions for maximum resilience.
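The ECDH P-256 + ML-KEM-768 exchange named above, as an added example that is not H33's code: both sides of the exchange using only Go's standard library (crypto/ecdh and crypto/mlkem, Go 1.24 or later). The two-message layout and the hash-based combiner are assumptions; the combiner feeds both shared secrets and the public transcript into one hash so the session key stays secret as long as either mechanism holds.

```go
package main

import ("crypto/ecdh"; "crypto/mlkem"; "crypto/rand"; "crypto/sha256")
// must keeps the example short: key generation and parsing errors abort here.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Message 1 (initiator -> responder) and message 2 (responder -> initiator).
type Hello struct{ ECDHPub, KEMPub []byte }
type Reply struct{ ECDHPub, KEMCiphertext []byte }

// Initiator keeps one ephemeral private key per mechanism.
type Initiator struct {
	ecdhPriv *ecdh.PrivateKey
	kemPriv  *mlkem.DecapsulationKey768
}

// NewInitiator generates both ephemeral keys and builds message 1.
func NewInitiator() (*Initiator, Hello) {
	ep, kp := must(ecdh.P256().GenerateKey(rand.Reader)), must(mlkem.GenerateKey768())
	return &Initiator{ep, kp}, Hello{ep.PublicKey().Bytes(), kp.EncapsulationKey().Bytes()}
}

// combine is a constructed combiner (not H33's): hashing both shared secrets
// with the public transcript keeps the session key secret while either
// ECDH P-256 or ML-KEM-768 remains unbroken.
func combine(ssECDH, ssKEM []byte, h Hello, r Reply) [32]byte {
	d := sha256.New()
	for _, b := range [][]byte{[]byte("example-hybrid-kex-v1"), ssECDH, ssKEM,
		h.ECDHPub, h.KEMPub, r.ECDHPub, r.KEMCiphertext} {
		d.Write(b)
	}
	return [32]byte(d.Sum(nil))
}

// Respond runs the responder: fresh ECDH key, encapsulate to the peer's
// ML-KEM key, derive the session key, and emit message 2.
func Respond(h Hello) (Reply, [32]byte) {
	rp := must(ecdh.P256().GenerateKey(rand.Reader))
	ssECDH := must(rp.ECDH(must(ecdh.P256().NewPublicKey(h.ECDHPub))))
	ssKEM, ct := must(mlkem.NewEncapsulationKey768(h.KEMPub)).Encapsulate()
	r := Reply{rp.PublicKey().Bytes(), ct}
	return r, combine(ssECDH, ssKEM, h, r)
}

// Finish completes the initiator side. A tampered KEM ciphertext does not
// error: ML-KEM implicit rejection yields a different key, so the sides disagree.
func (i *Initiator) Finish(h Hello, r Reply) [32]byte {
	ssECDH := must(i.ecdhPriv.ECDH(must(ecdh.P256().NewPublicKey(r.ECDHPub))))
	return combine(ssECDH, must(i.kemPriv.Decapsulate(r.KEMCiphertext)), h, r)
}
```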
Drop the classical layer when all downstream systems validate PQ signatures, hybrid mode has been stable for at least 6 months, and regulatory guidance supports PQ-only operation. CNSA 2.0 mandates full classical deprecation by 2035 for federal systems. Most enterprises should plan to run hybrid for 2-5 years. See the migration guide for the full framework.
Hybrid mode approximately doubles the cryptographic computation for signatures and adds 15-30% overhead for key exchange. On H33's production hardware, this still delivers over 1 million authentications per second in hybrid mode with per-authentication latency under 100 microseconds, well within enterprise SLA requirements. See benchmarks for detailed numbers.
Add post-quantum cryptography alongside your existing classical algorithms. Zero downtime. Full backward compatibility. Protected from day one.