FIPS 140-3 Hybrid

PQC and classical solution providing hybrid, FIPS-compliant connection

FIPS 140-3

FIPS 140-3 is a mandatory requirement for cryptographic modules used in US federal agencies. It includes provides a high level of security for online information, and is increasingly becoming adopted by the private sector and other organizations. With the advent of quantum computing, adopting a hybrid solution of PQC and classical cryptography could affect compliance, and yet might also be necessary to defend against the threat of harvest-now-decrypt-later.

PQCryptoLib – Hybrid TLS 1.3

As of September 2024, PQCryptoLib supports FIPS 140-3 (interim certification) under the NIST CMVP program. It includes support for hybrid key derivation, combining the output of a classical key exchange mechanism (such as ECDH) with the output from the NIST-approved key encapsulation standard, FIPS 203 ML-KEM. This approach can be useful for resisting harvest-now-decrypt-later attacks, while also observing compliance. An example application could be achieved in the TLS 1.3 key schedule.