Hybrid key exchange for TLS 1.3 is here to harden confidentiality against future quantum adversaries. Can organizations deploy TLS 1.3 hybrid KEM today without replacing their public CA certificates? The short answer is yes, and that layered approach is by design.
How TLS 1.3 hybrid KEM works
TLS 1.3 hybrid KEM focuses on the key agreement step. During the ClientHello/ServerHello, clients can offer and servers can select post-quantum or hybrid groups so that the shared secrets feeding the TLS 1.3 key schedule combine classical (EC)DHE with a PQC KEM. From EncryptedExtensions onward, the handshake is protected with keys derived from those secrets. Crucially, server authentication remains unchanged: the server presents an X.509 chain issued by a public CA and proves possession of the private key with a classical signature. The client validates the chain against its trust store and policies.
The result is quantum-robust forward secrecy for confidentiality, while identity verification follows today’s broadly supported path.
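To make the "combine (EC)DHE with a PQC KEM" step concrete, the following added example (written for this article, not code from the original post or from any TLS library) walks the two shared secrets through the TLS 1.3 key schedule of RFC 8446 using only the Python standard library. The ML-KEM and X25519 shared secrets are constructed sample bytes standing in for what a real client would obtain from decapsulation and from the X25519 exchange; the concatenation order (ML-KEM secret first) is the one draft-ietf-tls-ecdhe-mlkem specifies for X25519MLKEM768 and is an assumption to verify against the current draft. The final function models the HNDL scenario: an attacker who later breaks X25519 learns the classical component but still cannot reproduce the handshake traffic secrets without the KEM component.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: PRK = HMAC-Hash(salt, IKM); an empty salt is a string of HashLen zeros
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = first `length` bytes of T(1)|T(2)|...
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # RFC 8446 section 7.1 HkdfLabel: uint16 length, "tls13 " + label, context
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    # Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), HashLen)
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def hybrid_shared_secret(mlkem_ss: bytes, x25519_ss: bytes) -> bytes:
    # Hybrid combiner: plain concatenation of both secrets. The order mlkem_ss || x25519_ss
    # is assumed here to follow draft-ietf-tls-ecdhe-mlkem for X25519MLKEM768.
    return mlkem_ss + x25519_ss


def handshake_traffic_secrets(shared_secret: bytes, transcript: bytes) -> tuple[bytes, bytes]:
    # TLS 1.3 key schedule without a PSK (RFC 8446 section 7.1), up to the handshake traffic secrets
    early_secret = hkdf_extract(b"", bytes(HASH_LEN))          # PSK = 0^HashLen
    derived = derive_secret(early_secret, "derived", b"")
    handshake_secret = hkdf_extract(derived, shared_secret)   # the (EC)DHE/KEM input enters here
    c_hs = derive_secret(handshake_secret, "c hs traffic", transcript)
    s_hs = derive_secret(handshake_secret, "s hs traffic", transcript)
    return c_hs, s_hs


def hndl_scenario() -> dict:
    # Constructed sample values; a real client gets these from ML-KEM decapsulation and X25519.
    mlkem_ss = bytes([0x11]) * 32
    x25519_ss = bytes([0x22]) * 32
    transcript = b"ClientHello..ServerHello (constructed transcript bytes)"
    genuine = handshake_traffic_secrets(hybrid_shared_secret(mlkem_ss, x25519_ss), transcript)
    # A future quantum attacker recovers x25519_ss from recorded traffic but has no ML-KEM secret;
    # a zeroed guess stands in for "unknown" here.
    attacker_view = handshake_traffic_secrets(hybrid_shared_secret(bytes(32), x25519_ss), transcript)
    return {
        "client_hs_secret": genuine[0],
        "server_hs_secret": genuine[1],
        "attacker_recovers_keys": attacker_view == genuine,
    }


if __name__ == "__main__":
    result = hndl_scenario()
    print("client handshake traffic secret:", result["client_hs_secret"].hex())
    print("attacker with only the X25519 share recovers keys:", result["attacker_recovers_keys"])
```

The HKDF and HkdfLabel functions are complete RFC 5869 / RFC 8446 implementations, so the same code can be checked against the published HKDF test vectors; only the two input secrets are placeholders for the real KEM and ECDHE outputs.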
Why this makes sense now
The most immediate risk is “harvest now, decrypt later” (HNDL). If an attacker records your traffic today and only classical (EC)DHE is used, future quantum capabilities could expose past sessions. A hybrid KEM prevents that by making the key exchange resilient even against a future quantum attacker. By contrast, forging a server identity would require an active man-in-the-middle attacker with quantum capabilities at connection time, and closing that gap depends on browser-accepted PQC authentication. This is a different, important, but less time-critical migration problem that still depends on global standards and ecosystem updates.
What organizations can do today
You can deploy TLS 1.3 hybrid KEM to protect confidentiality against future decryption without changing your publicly trusted certificates. Keep authentication on classical X.509 until browsers and public CAs support PQC signature schemes and profiles. Use controlled pilots to verify client and server behaviour, track emerging standards and vendor enablement, and prepare PKI policies and roots for a future phase where PQC-based authentication becomes viable.
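For the pilot step above, a practitioner wants a repeatable check that a given endpoint (a) negotiates a hybrid group and (b) still authenticates with a classical signature over its existing public-CA chain. The following added example (not code from the original post) drives `openssl s_client` and parses the summary lines it prints; it assumes an OpenSSL build that knows the hybrid group names (3.5 or later) and that the output lines `Negotiated TLS1.3 group:`, `Peer signature type:` and `Protocol  :` are present and stable, which should be confirmed against your own build. The `probe()` function needs network access; `parse_s_client()` and `assess()` run on captured output, and the sample in `SAMPLE_OUTPUT` is constructed for illustration.

```python
import re
import subprocess

# Output lines of `openssl s_client` this check relies on (assumed format; verify on your build)
GROUP_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.M)
SIG_RE = re.compile(r"^Peer signature type:\s*(\S+)", re.M)
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)

# Hybrid group names as registered by OpenSSL 3.5 (assumed; extend if your vendor uses other names)
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Classical signature families a public-CA chain is expected to use today
CLASSICAL_SIG_TYPES = {"RSA-PSS", "RSA", "ECDSA", "Ed25519", "Ed448"}


def parse_s_client(output: str) -> dict:
    """Pull the negotiated group, peer signature type and protocol out of s_client output."""
    def first(rx):
        m = rx.search(output)
        return m.group(1) if m else None
    return {"group": first(GROUP_RE), "sig_type": first(SIG_RE), "protocol": first(PROTO_RE)}


def assess(info: dict) -> dict:
    """Decide whether the endpoint matches the 'hybrid KEM now, classical auth for now' posture."""
    hybrid_kex = info["group"] in HYBRID_GROUPS
    classical_auth = info["sig_type"] in CLASSICAL_SIG_TYPES
    tls13 = info["protocol"] == "TLSv1.3"
    return {
        "tls13": tls13,
        "hybrid_kex": hybrid_kex,
        "classical_auth": classical_auth,
        # HNDL is mitigated when the key exchange is hybrid on a TLS 1.3 connection
        "hndl_mitigated": tls13 and hybrid_kex,
        "group": info["group"],
        "sig_type": info["sig_type"],
    }


def probe(host: str, port: int = 443, group: str = "X25519MLKEM768", timeout: int = 15) -> dict:
    """Offer only `group` so the server must pick it or fail; then assess what was negotiated."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
           "-tls1_3", "-groups", group]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return assess(parse_s_client(proc.stdout.decode("utf-8", errors="replace")))


# Constructed sample of the relevant s_client lines, used for offline testing of the parser
SAMPLE_OUTPUT = """CONNECTED(00000003)
Peer signature type: RSA-PSS
Peer signing digest: SHA256
Negotiated TLS1.3 group: X25519MLKEM768
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""


if __name__ == "__main__":
    print(assess(parse_s_client(SAMPLE_OUTPUT)))
```

Run `probe("your.pilot.host")` against each pilot endpoint and record the result; a `hybrid_kex` of `False` with the hybrid group offered means the server (or a middlebox in front of it) does not support it yet, which is exactly the behaviour a controlled pilot is meant to surface before wider rollout.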
This is the approach Eraneos recommends for enterprises beginning their PQC migration journey in 2025 and 2026: deploy hybrid KEM mechanisms to strengthen confidentiality today while preparing authentication layers for future PQC standards.
Summary
You don’t have to wait for full PQC authentication to get meaningful risk reduction today. TLS 1.3 hybrid KEM already hardens confidentiality against “harvest now, decrypt later” (HNDL), while server identity continues to rely on widely supported classical signatures from public CAs. A man-in-the-middle attack with quantum capabilities only becomes a concern once such machines exist, and it can only be addressed once global standards and browser/CA policies enable PQC-resistant authentication.
In other words, confidentiality can be strengthened today even while authentication standards continue to evolve.
If you want a concise readiness check, what to enable now, which standards to monitor, and how to phase in PKI changes, let’s connect and map a path that fits your environment.
Further perspectives on PQC and quantum risk
Preparing for Q-Day requires more than technology upgrades. Organizations must address quantum risk across governance, cryptographic agility, migration planning, operational resilience, and post-quantum cryptography (PQC) adoption. The following perspectives explore key building blocks for a structured and scalable PQC transition:
- Preparing for Q-Day: a practical roadmap to quantum-resilient cryptography
- How PQC governance enables scalable migration
- From PoC to production: validating PQC migration readiness
- Crypto agility: turning the PQC transition from uncertainty to routine change
- Clustering, not chaos: turning post-quantum migration into repeatable playbooks