Hybrid post-quantum key exchange is becoming a practical topic, not just a conference slide. IETF work in 2026 includes hybrid ECDHE-MLKEM mechanisms for TLS 1.3 and hybrid ML-KEM key exchange for SSH. That is good news for operators who need a transition path that keeps classical assurance while adding post-quantum protection.
It is also easy to overread the news. A hybrid handshake is a component. It is not a complete migration plan.
What hybrid key exchange does well
Hybrid designs combine a traditional key exchange with a post-quantum mechanism such as ML-KEM. The aim is straightforward: the session should not depend on only one assumption during the transition. If one side of the hybrid is later weakened, the other can still contribute security.
For TLS and SSH, that gives infrastructure teams a way to test post-quantum key establishment without flipping a whole estate to a single new primitive overnight.
What it does not solve
- It does not inventory where TLS and SSH are actually used.
- It does not update old clients, embedded devices, proxies, or inspection points.
- It does not decide which systems need protection first.
- It does not address signatures, certificates, code signing, or secure boot.
- It does not prove that larger handshakes fit your latency, packet-size, and middlebox environment.
How to run a serious pilot
Start with a narrow service class: internal APIs, administrative SSH, or a test edge endpoint. Measure handshake size, CPU cost, failure rates, client compatibility, logs, and fallback behavior. The fallback point is important. If the platform silently drops back to classical-only behavior, the dashboard may look clean while the risk picture is not.
A strong pilot produces three artifacts: a compatibility matrix, a rollback rule, and a change record that explains which data or service risk the pilot is meant to reduce.
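One way to check the fallback point from handshake logs, as an added example that is not part of the original article: it builds the compatibility matrix per service and client, and flags clients that completed a hybrid handshake and later a classical-only one. The log line format, service names and client names are constructed for illustration; the hybrid names are the TLS named groups and SSH key exchange name from the IETF drafts.

```python
from collections import defaultdict

# Hybrid names from the IETF TLS (named groups) and SSH (kex) drafts.
HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024",
          "mlkem768x25519-sha256"}

# Constructed sample log lines; this format is an assumption, not a real product's.
SAMPLE = [
    "2026-03-02T10:00:01Z svc=admin-ssh client=bastion-1 kex=mlkem768x25519-sha256 result=ok",
    "2026-03-02T10:00:07Z svc=admin-ssh client=legacy-nms kex=curve25519-sha256 result=ok",
    "2026-03-02T10:01:12Z svc=edge-tls client=build-agent kex=X25519MLKEM768 result=ok",
    "2026-03-02T10:02:30Z svc=edge-tls client=build-agent kex=none result=handshake_failure",
    "2026-03-02T10:02:31Z svc=edge-tls client=build-agent kex=x25519 result=ok",
]

def parse(line):
    ts, *fields = line.split()
    return {"ts": ts, **dict(f.split("=", 1) for f in fields)}

def compatibility_matrix(lines):
    """Count hybrid, classical-only and failed handshakes per (service, client)."""
    matrix = defaultdict(lambda: {"hybrid": 0, "classical": 0, "failed": 0})
    for rec in map(parse, lines):
        if rec["result"] != "ok":
            outcome = "failed"
        else:
            outcome = "hybrid" if rec["kex"] in HYBRID else "classical"
        matrix[(rec["svc"], rec["client"])][outcome] += 1
    return dict(matrix)

def silent_fallbacks(lines):
    """Successful classical-only handshakes from clients already seen using hybrid."""
    seen_hybrid, flagged = set(), []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        key = (rec["svc"], rec["client"])
        if rec["result"] != "ok":
            continue
        if rec["kex"] in HYBRID:
            seen_hybrid.add(key)
        elif key in seen_hybrid:
            flagged.append((rec["ts"], *key, rec["kex"]))
    return flagged

if __name__ == "__main__":
    for row in silent_fallbacks(SAMPLE):
        print("fallback:", row)
```

A client that has only ever negotiated classical, such as legacy-nms in the sample, appears in the matrix but is not flagged as a fallback; it belongs on the compatibility list instead.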
The operational lesson
Hybrid ML-KEM can lower transition risk, but only when it sits inside a broader crypto-agility program. The team still needs policy, ownership, vendor commitments, monitoring, and a route for retiring weak algorithms later. Without that, hybrid becomes a feature flag with no finish line.
Further reading: IETF draft: hybrid ECDHE-MLKEM for TLS 1.3, IETF draft: hybrid ML-KEM key exchange for SSH, NIST SP 800-227 on KEMs.