Hybrid Classical/PQC System Threat Model
Version: 1.0
Last Updated: 2025-01-02
Security Classification: PUBLIC
Author: MetaMUI Security Team
Executive Summary
This document analyzes threats specific to hybrid cryptographic systems that combine classical and post-quantum algorithms. As organizations transition to quantum-resistant cryptography, hybrid systems introduce unique vulnerabilities that must be carefully managed.
Hybrid Architecture Overview
Common Hybrid Configurations
class HybridConfigurations:
"""Common hybrid crypto deployments"""
parallel_mode = {
'description': 'Both algorithms run independently',
'example': 'ECDH + ML-KEM for key exchange',
'security': 'min(classical_security, pqc_security)'
}
concatenated_mode = {
'description': 'Combine outputs of both algorithms',
'example': 'KDF(ECDH_secret || ML-KEM_secret)',
'security': 'max(classical_security, pqc_security)'
}
nested_mode = {
'description': 'One algorithm encrypts the other',
'example': 'PQC_encrypt(classical_signature)',
'security': 'depends_on_construction'
}
Unique Hybrid System Threats
Algorithm Confusion Attacks
class AlgorithmConfusion:
"""Attacks exploiting algorithm selection ambiguity"""
def negotiation_attack(self, protocol: dict) -> dict:
"""Algorithm negotiation manipulation"""
vulnerabilities = []
if not protocol.get('authenticated_negotiation'):
vulnerabilities.append('unauthenticated_algorithm_selection')
if protocol.get('fallback_allowed'):
vulnerabilities.append('forced_downgrade_possible')
if not protocol.get('algorithm_binding'):
vulnerabilities.append('algorithm_substitution')
return {
'vulnerabilities': vulnerabilities,
'risk_level': self.calculate_risk(vulnerabilities),
'mitigation': 'authenticated_cipher_suites'
}
def version_rollback(self, implementation: dict) -> str:
"""Assess version rollback vulnerability"""
if not implementation.get('version_binding'):
return 'critical'
if implementation.get('legacy_compatibility'):
return 'high'
return 'low'
Downgrade Attacks
class DowngradeAttacks:
"""Force use of weaker algorithms"""
attack_vectors = {
'strip_pqc': {
'description': 'Remove PQC from hybrid handshake',
'impact': 'Loss of quantum resistance',
'detection': 'Monitor for missing PQC components'
},
'force_weak_classical': {
'description': 'Downgrade to vulnerable classical algorithm',
'impact': 'Enable quantum attack',
'detection': 'Verify minimum security levels'
},
'exploit_fallback': {
'description': 'Trigger fallback to non-hybrid mode',
'impact': 'Complete security bypass',
'detection': 'Alert on fallback activation'
}
}
def assess_downgrade_resistance(self, protocol: dict) -> dict:
"""Evaluate protocol's downgrade resistance"""
score = 100
issues = []
if protocol.get('allows_non_hybrid'):
score -= 30
issues.append('non_hybrid_mode_allowed')
if not protocol.get('minimum_security_enforced'):
score -= 25
issues.append('no_minimum_security')
if protocol.get('automatic_fallback'):
score -= 20
issues.append('automatic_fallback_enabled')
if not protocol.get('transcript_hash_includes_algorithms'):
score -= 25
issues.append('algorithms_not_in_transcript')
return {
'resistance_score': score,
'vulnerabilities': issues,
'risk_level': 'high' if score < 50 else 'medium' if score < 75 else 'low'
}
Cross-Algorithm Attacks
class CrossAlgorithmAttacks:
"""Attacks leveraging interaction between algorithms"""
def key_reuse_vulnerability(self, system: dict) -> dict:
"""Assess risks of key reuse across algorithms"""
risks = []
if system.get('shared_randomness'):
risks.append({
'type': 'correlated_keys',
'description': 'Same randomness for both algorithms',
'impact': 'Potential key correlation attacks'
})
if system.get('derived_keys'):
risks.append({
'type': 'related_key_attacks',
'description': 'Keys derived from same master',
'impact': 'Break one, potentially break both'
})
return {
'risk_count': len(risks),
'specific_risks': risks,
'recommendation': 'independent_key_generation'
}
def timing_correlation(self, implementation: dict) -> dict:
"""Identify timing correlation vulnerabilities"""
return {
'parallel_execution': {
'risk': 'Combined timing reveals more info',
'mitigation': 'Independent constant-time implementations'
},
'sequential_execution': {
'risk': 'Order-dependent timing leaks',
'mitigation': 'Randomized execution order'
},
'error_handling': {
'risk': 'Different error paths reveal algorithm',
'mitigation': 'Unified error handling'
}
}
Implementation Complexity Threats
Increased Attack Surface
class AttackSurfaceAnalysis:
"""Analyze expanded attack surface in hybrid systems"""
def calculate_attack_surface(self, components: dict) -> dict:
"""Calculate relative attack surface increase"""
base_surface = 1.0
# Each additional algorithm increases surface
algorithm_count = components.get('algorithm_count', 2)
surface_multiplier = 1 + (algorithm_count - 1) * 0.7
# Integration complexity adds risk
if components.get('complex_integration'):
surface_multiplier *= 1.3
# Shared components reduce surface slightly
if components.get('shared_primitives'):
surface_multiplier *= 0.9
return {
'relative_surface': surface_multiplier,
'risk_increase': f"{(surface_multiplier - 1) * 100:.0f}%",
'primary_factors': self.identify_factors(components)
}
def identify_factors(self, components: dict) -> list:
"""Identify primary attack surface factors"""
factors = []
if components.get('multiple_implementations'):
factors.append('implementation_diversity')
if components.get('complex_key_management'):
factors.append('key_management_complexity')
if components.get('algorithm_agility'):
factors.append('negotiation_complexity')
return factors
Performance-Based Attacks
class PerformanceAttacks:
"""Attacks exploiting performance differences"""
def resource_exhaustion(self, hybrid_config: dict) -> dict:
"""Assess resource exhaustion vulnerabilities"""
vulnerabilities = []
# PQC algorithms often have larger resource requirements
if hybrid_config.get('pqc_algorithm') in ['Classic-McEliece', 'Rainbow']:
vulnerabilities.append({
'type': 'memory_exhaustion',
'description': 'Large key/ciphertext sizes',
'impact': 'DoS through memory consumption'
})
# Some PQC operations are computationally intensive
if hybrid_config.get('pqc_algorithm') in ['Falcon', 'NTRU']:
vulnerabilities.append({
'type': 'cpu_exhaustion',
'description': 'Complex mathematical operations',
'impact': 'DoS through CPU consumption'
})
return {
'vulnerabilities': vulnerabilities,
'mitigation': 'rate_limiting_and_resource_quotas'
}
def selective_algorithm_dos(self) -> dict:
"""Target specific algorithm in hybrid system"""
return {
'attack_strategy': 'Force expensive algorithm path',
'example': 'Trigger PQC verification repeatedly',
'impact': 'Asymmetric resource consumption',
'mitigation': 'Balanced rate limiting for all paths'
}
Migration Period Threats
Transition Vulnerabilities
class TransitionPeriodThreats:
"""Threats during classical to PQC migration"""
def backward_compatibility_risks(self, config: dict) -> dict:
"""Assess risks from maintaining compatibility"""
risks = {
'legacy_support': {
'threat': 'Forced use of vulnerable algorithms',
'likelihood': 'high' if config.get('must_support_legacy') else 'low',
'impact': 'Complete quantum vulnerability'
},
'mixed_infrastructure': {
'threat': 'Inconsistent security levels',
'likelihood': 'high',
'impact': 'Weakest link vulnerability'
},
'configuration_complexity': {
'threat': 'Misconfiguration enabling attacks',
'likelihood': 'medium',
'impact': 'Various, potentially critical'
}
}
return risks
def key_management_complexity(self) -> dict:
"""Analyze key management during transition"""
return {
'dual_certificates': {
'challenge': 'Managing both classical and PQC certs',
'risk': 'Certificate confusion attacks',
'mitigation': 'Clear labeling and validation'
},
'key_rotation': {
'challenge': 'Coordinating rotation across algorithms',
'risk': 'Temporary security gaps',
'mitigation': 'Atomic rotation procedures'
},
'trust_chains': {
'challenge': 'Mixed classical/PQC trust chains',
'risk': 'Weak link in chain',
'mitigation': 'Parallel trust chains'
}
}
Protocol-Level Hybrid Threats
TLS Hybrid Mode Threats
class TLSHybridThreats:
"""TLS-specific hybrid mode threats"""
def analyze_tls_hybrid(self, tls_config: dict) -> dict:
"""Analyze TLS hybrid configuration threats"""
threats = []
# Check for proper binding
if not tls_config.get('includes_both_in_transcript'):
threats.append({
'threat': 'transcript_manipulation',
'description': 'Algorithms not bound to handshake',
'severity': 'high'
})
# Check for proper key combination
if tls_config.get('key_combination') == 'concatenation':
threats.append({
'threat': 'weak_key_combination',
'description': 'Simple concatenation may be vulnerable',
'severity': 'medium'
})
# Check for algorithm negotiation
if not tls_config.get('authenticated_negotiation'):
threats.append({
'threat': 'algorithm_stripping',
'description': 'Attacker can remove algorithms',
'severity': 'critical'
})
return {
'threat_count': len(threats),
'threats': threats,
'overall_risk': self.calculate_overall_risk(threats)
}
IPSec Hybrid Threats
class IPSecHybridThreats:
"""IPSec-specific hybrid threats"""
def analyze_ipsec_hybrid(self, ipsec_config: dict) -> dict:
"""Analyze IPSec hybrid configuration"""
vulnerabilities = {
'ike_negotiation': {
'threat': 'IKE protocol downgrade',
'impact': 'Force non-hybrid mode',
'mitigation': 'Strict policy enforcement'
},
'sa_establishment': {
'threat': 'Selective SA manipulation',
'impact': 'Weak security associations',
'mitigation': 'Validate all SA parameters'
},
'rekey_coordination': {
'threat': 'Rekey timing attacks',
'impact': 'Temporary vulnerability windows',
'mitigation': 'Synchronized rekey procedures'
}
}
return vulnerabilities
Side-Channel Considerations
Combined Side-Channel Analysis
class HybridSideChannels:
"""Side-channel attacks on hybrid systems"""
def combined_leakage(self, measurements: dict) -> dict:
"""Analyze combined information leakage"""
# Information from classical algorithm
classical_leakage = measurements.get('classical_side_channel', 0)
# Information from PQC algorithm
pqc_leakage = measurements.get('pqc_side_channel', 0)
# Combined leakage can be more than sum
correlation_factor = measurements.get('correlation', 0.1)
combined_leakage = classical_leakage + pqc_leakage + \
(classical_leakage * pqc_leakage * correlation_factor)
return {
'classical_bits': classical_leakage,
'pqc_bits': pqc_leakage,
'combined_bits': combined_leakage,
'amplification': combined_leakage > (classical_leakage + pqc_leakage)
}
def differential_analysis(self) -> dict:
"""Differential side-channel analysis"""
return {
'timing_differential': {
'description': 'Compare timing between algorithms',
'information': 'Reveals algorithm-specific operations',
'mitigation': 'Equalize execution times'
},
'power_differential': {
'description': 'Compare power consumption',
'information': 'Identifies active algorithm',
'mitigation': 'Power balancing techniques'
},
'error_differential': {
'description': 'Compare error handling',
'information': 'Reveals internal states',
'mitigation': 'Unified error handling'
}
}
Security Degradation Scenarios
Worst-Case Scenarios
class DegradationScenarios:
"""Security degradation in hybrid systems"""
scenarios = {
'classical_break': {
'description': 'Classical algorithm compromised',
'impact_on_parallel': 'Hybrid security reduced to PQC only',
'impact_on_concatenated': 'Minimal if PQC remains secure',
'timeline': 'Possible with quantum computers'
},
'pqc_break': {
'description': 'PQC algorithm compromised',
'impact_on_parallel': 'Hybrid security reduced to classical only',
'impact_on_concatenated': 'Minimal if classical remains secure',
'timeline': 'Unlikely but possible with cryptanalysis'
},
'implementation_break': {
'description': 'Implementation vulnerability',
'impact': 'Could compromise entire hybrid system',
'timeline': 'Possible at any time'
},
'protocol_break': {
'description': 'Protocol-level vulnerability',
'impact': 'Complete bypass of cryptographic protection',
'timeline': 'Possible during design/implementation'
}
}
Mitigation Strategies
Secure Hybrid Design
class HybridMitigations:
"""Mitigation strategies for hybrid systems"""
def design_principles(self) -> list:
"""Core design principles for secure hybrid systems"""
return [
{
'principle': 'Independent Security',
'description': 'Each algorithm provides independent security',
'implementation': 'Avoid shared keys or randomness'
},
{
'principle': 'Authenticated Negotiation',
'description': 'Cryptographically bind algorithm selection',
'implementation': 'Include in handshake transcript'
},
{
'principle': 'No Downgrades',
'description': 'Never allow fallback to weaker modes',
'implementation': 'Strict minimum security policy'
},
{
'principle': 'Consistent Security',
'description': 'All paths provide equivalent security',
'implementation': 'Balance classical and PQC strengths'
},
{
'principle': 'Simple Integration',
'description': 'Minimize complexity in combination',
'implementation': 'Use proven combiners like KDF'
}
]
def implementation_guidelines(self) -> dict:
"""Guidelines for implementing hybrid systems"""
return {
'key_generation': 'Use independent randomness sources',
'key_combination': 'Use KDF for secure combination',
'protocol_design': 'Include both algorithms in transcript',
'error_handling': 'Unified error responses',
'performance': 'Balance resource usage',
'monitoring': 'Track both algorithm metrics'
}
Testing and Validation
class HybridTesting:
"""Testing strategies for hybrid systems"""
def test_categories(self) -> dict:
"""Categories of tests for hybrid systems"""
return {
'interoperability': {
'description': 'Test all algorithm combinations',
'focus': 'Correct operation in all modes'
},
'downgrade_resistance': {
'description': 'Attempt to force weaker algorithms',
'focus': 'Verify policy enforcement'
},
'performance_balance': {
'description': 'Measure resource usage',
'focus': 'Identify DoS vulnerabilities'
},
'side_channel': {
'description': 'Combined leakage analysis',
'focus': 'Information leakage assessment'
},
'fault_injection': {
'description': 'Target hybrid logic',
'focus': 'Robustness of combination'
}
}
Compliance and Standards
Hybrid Standards Status
| Standard | Organization | Status | Timeline |
|---|---|---|---|
| TLS 1.3 Hybrid | IETF | Draft | 2024-2025 |
| IPSec Hybrid | IETF | Development | 2024-2026 |
| X.509 Hybrid | IETF/ITU | Planning | 2025-2027 |
| NIST Guidance | NIST | Published | Current |
Monitoring and Detection
class HybridMonitoring:
"""Monitor hybrid system security"""
def detection_rules(self) -> list:
"""Rules for detecting hybrid-specific attacks"""
return [
{
'rule': 'Algorithm Mismatch Detection',
'trigger': 'Classical without PQC or vice versa',
'action': 'Alert and potentially block'
},
{
'rule': 'Downgrade Attempt Detection',
'trigger': 'Request for non-hybrid mode',
'action': 'Log and review policy'
},
{
'rule': 'Performance Anomaly Detection',
'trigger': 'Unusual algorithm selection pattern',
'action': 'Investigate potential DoS'
},
{
'rule': 'Configuration Change Detection',
'trigger': 'Hybrid settings modified',
'action': 'Require approval and audit'
}
]
Future Considerations
Evolving Threat Landscape
- New cryptanalytic techniques affecting hybrid combinations
- Quantum algorithm improvements
- Implementation vulnerability discoveries
- Protocol standardization changes
Technology Evolution
- Next-generation hybrid protocols
- Automated algorithm selection
- Crypto-agile frameworks
- Hardware acceleration for hybrid modes
References
- NIST PQC Hybrid Modes
- IETF Hybrid TLS Draft
- BSI Hybrid Recommendations
- ETSI Quantum Safe Hybrid
- ENISA Migration Guidelines