Is hybrid encryption the answer to post-quantum security?
For some internal classified work, the NSA also pushes multiple layers of encryption. Their guidelines for using commercially available software in classified environments frequently encourage using multiple “layers” of independent packages.
How much security does hybrid encryption provide?
One of the biggest debates is how much security hybridization offers. Much depends on the details and the algorithm designers can take any number of approaches with different benefits. There are several models for hybridization and not all the details have been finalized.
Encrypting the data first with one algorithm and then with a second combines the strength of both, essentially putting a digital safe inside a digital safe. Any attacker would need to break both algorithms. However, the combinations don’t always deliver in the same way. For example, hash functions are designed to make it hard to identify collisions, that is two different inputs that produce the same output: (x_1 and x_2, such that h(x_1)=h(x_2)).
If the input of the first hash function is fed into a second different hash function (say g(h(x))), it may not get any harder to find a collision, at least if the weakness lies in the first function. If two inputs to the first hash function produce the same output, then that same output will be fed into the second hash function to generate a collision for the hybrid system: (g(h(x_1))= g(h(x_2)) if h(x_1)=h(x_2)).
Digital signatures are also combined differently than encryption. One of the simplest approaches is to just calculate multiple signatures independently from each other. They can be tested independently afterwards. Even this basic approach raises many practical questions. What if one private key is compromised? What if one algorithm needs to be updated? What if one signature passes but one fails?
Cryptography is a complex subject where many areas of knowledge are still shrouded in a deep cloud of mystery. Many algorithms rest upon assumptions that some mathematical chores are too onerous to accomplish but there are no rock-solid proofs that the work is impossible.
Many cryptographers who embrace hybrid approaches are hoping that the extra work more than pays off should a weakness appear. If it’s worth putting in the time to get one layer right, it’s often worth it to do it again. The high-performance applications can turn it off, but those that need it want extra assurance.
“We’re stuck with an argument from ignorance and an argument from knowledge,” explains Jon Callas, distinguished engineer at VATIK security. “It’s taken us decades just to get padding right. You can say RSA [cryptography] is broken, but we don’t know anything about the new algorithms.”
