How They Work (Hybrid Certificates)

- One certificate which includes additional fields (extensions) containing the PQC signature and keys. - Legacy systems ignore the additional PQC fields; modern systems use both.

Benefits (Hybrid Certificates)

- Backward compatibility: legacy systems continue to function without modification. - Incremental PQC adoption: PQC‑aware systems can begin validating PQC signatures immediately. - Simplified testing: rollback is trivial because the classical signature remains valid. - Single certificate footprint: no need to manage parallel inventories.

Drawbacks (Hybrid Certificates)

- Lack of standardisation: hybrid certificates are no longer being advanced as a formal IETF standard. - Increased certificate size: PQC signatures and metadata significantly inflate certificate size. - Operational complexity: PKI teams must manage two validation paths and two algorithm lifecycles. - Migration complacency: organisations may delay full PQC adoption because “everything still works”.

How They Work (Composite Certificates)

- The public key, algorithm ID and signature fields are altered, allowing multiple versions to be included (e.g., RSA + ML-DSA). - This is an ASN.1 change from the X.509 standard.

Benefits (Composite Certificates)

- Standards‑driven: composite certificates are being actively developed in IETF drafts - Flexible trust models: They allow for validation policies: AND (all signatures must validate), OR (any of the signatures must validate) or Threshold policies (E.g. 2 of 3) allowing fine‑grained security controls. - Cryptographic agility: supports more than two algorithms (if needed) and changes to algorithms. - Cleaner design: avoids ad‑hoc embedding of PQC data into classical structures.

Drawbacks (Composite Certificates)

- Not supported by Legacy Systems: Unlike hybrid certificates, these utilise new formats which will not be understood by legacy systems. - Not widely implemented: vendor and platform support is still emerging. - Larger and more complex: composite structures can be significantly larger than hybrids. - Validation overhead: multi‑signature verification increases computational cost.

How They Work (Related Certificates)

- Two certificates are produced - a classical certificate and a PQC certificate. - Each certificate contains a new extension (RelatedCertificate) which contains a hash of the opposing certificate, creating the association. - Systems choose which certificate to use based on their capabilities.

Benefits (Related Certificates)

- Standards‑based: RFC 9763 provides a formal, stable specification. - Clean separation: classical and PQC certificates remain independent. - No size explosion: each certificate contains only one signature. - Clear migration path: PQC‑only systems can eventually drop the classical certificate entirely.

Drawbacks (Related Certificates)

- Two certificates to manage: inventory, issuance, and lifecycle complexity increases. - Endpoint logic required: systems must choose which certificate to use (and understand the new extension). - Chain management complexity: two chains, two trust paths, two revocation states.

PQC Transition Mechanisms

support43101
Apr 10
3 min read

Updated: 1 hour ago

The transition to post‑quantum cryptography (PQC) presents a fundamental challenge: organisations must adopt PQC algorithms while maintaining the operation of a vast ecosystem of systems, devices, and protocols that may only understand classical cryptography.

Although, no single certificate format solves this problem universally. Three main certificate‑based approaches have emerged, each offering different trade‑offs between backward compatibility, security, and long‑term architectural cleanliness:

Hybrid Certificates - classical + PQC signatures in a single certificate.
Composite Certificates - structured multi‑algorithm certificates.
Related Certificates - separate classical and PQC certificates linked together.

Together, these mechanisms form a spectrum of migration strategies. Hybrid and related certificates enable PQC adoption without breaking existing systems, while composite certificates offer a forward‑looking architecture for environments ready to embrace multi‑algorithm cryptography.

This paper provides an overview of each approach, evaluates their benefits and drawbacks, and offers guidance on when each is most appropriate.

Hybrid Certificates

Hybrid certificates embed both a classical and a PQC signature within a single certificate.

The classical signature ensures backward compatibility, while PQC‑aware systems can validate the PQC signature.

How They Work

One certificate which includes additional fields (extensions) containing the PQC signature and keys.
Legacy systems ignore the additional PQC fields; modern systems use both.

Benefits

Backward compatibility: legacy systems continue to function without modification.
Incremental PQC adoption: PQC‑aware systems can begin validating PQC signatures immediately.
Simplified testing: rollback is trivial because the classical signature remains valid.
Single certificate footprint: no need to manage parallel inventories.

Drawbacks

Lack of standardisation: hybrid certificates are no longer being advanced as a formal IETF standard. An IETF draft was produced:

https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/

This has now expired.

Increased certificate size: PQC signatures and metadata significantly inflate certificate size.
Operational complexity: PKI teams must manage two validation paths and two algorithm lifecycles.
Migration complacency: organisations may delay full PQC adoption because “everything still works”.

Status

Hybrid certificates were initially popular but are now considered a transitional idea with limited long‑term standardisation prospects.

Composite Certificates

Composite certificates combine multiple public keys and signatures into a single structured object.

Unlike hybrids, composites are designed as a formal, standardisable multi‑algorithm framework.

How They Work

The public key, algorithm ID and signature fields are altered, allowing multiple versions to be included (e.g., RSA + ML-DSA).
This is an ASN.1 change from the X.509 standard.

Benefits

Standards‑driven: composite certificates are being actively developed in IETF drafts: https://www.ietf.org/archive/id/draft-ounsworth-pq-composite-sigs-13.html
Flexible trust models: They allow for validation policies: AND (all signatures must validate), OR (any of the signatures must validate) or Threshold policies (E.g. 2 of 3) allowing fine‑grained security controls.
Cryptographic agility: supports more than two algorithms (if needed) and changes to algorithms.
Cleaner design: avoids ad‑hoc embedding of PQC data into classical structures.

Drawbacks

Not supported by Legacy Systems: Unlike hybrid certificates, these utilise new formats which will not be understood by legacy systems.
Not widely implemented: vendor and platform support is still emerging.
Larger and more complex: composite structures can be significantly larger than hybrids.
Validation overhead: multi‑signature verification increases computational cost.

Status

Composite certificates are the most promising long‑term multi‑algorithm solution, but adoption is still early.

Related Certificates

Related certificates take a different approach: instead of combining algorithms into one certificate, they issue two separate certificates - one classical and one PQC. These certificates are then cryptographically linked.

How They Work

Two certificates are produced - a classical certificate and a PQC certificate.
Each certificate contains a new extension (RelatedCertificate) which contains a hash of the opposing certificate, creating the association.
Systems choose which certificate to use based on their capabilities.

Benefits

Standards‑based: RFC 9763 (https://datatracker.ietf.org/doc/rfc9763/) provides a formal, stable specification.
Clean separation: classical and PQC certificates remain independent.
No size explosion: each certificate contains only one signature.
Clear migration path: PQC‑only systems can eventually drop the classical certificate entirely.

Drawbacks

Two certificates to manage: inventory, issuance, and lifecycle complexity increases.
Endpoint logic required: systems must choose which certificate to use (and understand the new extension).
Chain management complexity: two chains, two trust paths, two revocation states.

Status

Related certificates are currently the most standardised and most future‑proof approach.

Conclusions: Choosing the Right Approach

No single approach is universally superior. The right choice depends on organisational constraints, ecosystem maturity, migration timelines and the long-term cryptographic strategy.

When Hybrid Certificates Are Best

Required to begin supporting PQC certificates but need immediate backward compatibility with minimal endpoint changes.
You want a simple, single-certificate footprint.
You are in the early stages of PQC experimentation.
You accept that hybrids are a temporary bridge, not a final state.

When Composite Certificates Are Best

You want a structured, standards‑aligned multi‑algorithm solution.
You can tolerate larger certificates and higher validation cost.
You are building systems that will remain in service for decades.
Crypto agility is critical.

When Related Certificates Are Best

You want a fully standardised, long‑term approach.
You prefer clean separation between classical and PQC certificates.
You can manage two certificates per identity.
Your endpoints can choose between certificates based on capability.

PQC Transition Mechanisms

Hybrid Certificates

Composite Certificates

Related Certificates

Conclusions: Choosing the Right Approach

Recent Posts

Comments