Go check out the master branch of wolfSSH. Two new hybrid KEX methods have been added. Both are defined in draft-ietf-sshm-mlkem-hybrid-kex:
- mlkem768x25519-sha256 — ML-KEM-768 paired with X25519
- mlkem1024nistp384-sha384 — ML-KEM-1024 paired with NIST P-384
These join mlkem768nistp256-sha256, which has been there for a long time.
Why hybrid
The “harvest now, decrypt later” threat model means ciphertext captured today will be decrypted whenever a cryptographically relevant quantum computer arrives. Hybrid KEX defends against that without betting the farm on a young algorithm: each side runs a classical ECDH (X25519 or P-384) and ML-KEM, then concatenates the two shared secrets into one. Break one, the other still holds.
What’s on the wire
Per the draft, the client sends C_INIT = C_PK2 || C_PK1 — its ML-KEM public key followed by its ECDH public key. The server replies with S_REPLY = S_CT2 || S_PK1 — the ML-KEM ciphertext followed by its ECDH public key. Both sides derive K_CL from ECDH and K_PQ from ML-KEM decapsulation, then combine them into the SSH shared secret K.
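The layout above as a strict receiver-side check, written as an added example (it is not wolfSSH code): it splits C_INIT and S_REPLY for the three methods named in this post, rejects any blob of the wrong length, and combines the two secrets. Assumptions: ML-KEM sizes come from FIPS 203, the NIST-curve keys are uncompressed SEC1 points, the combiner is K = HASH(K_PQ || K_CL) as read from the draft, and all function names are hypothetical.

```python
import hashlib

# Field sizes in bytes. pk2/ct2: ML-KEM public key and ciphertext (FIPS 203).
# pk1: X25519 key (32) or uncompressed SEC1 point 0x04 || X || Y (assumed).
METHODS = {
    "mlkem768x25519-sha256":    {"pk2": 1184, "ct2": 1088, "pk1": 32, "hash": "sha256"},
    "mlkem768nistp256-sha256":  {"pk2": 1184, "ct2": 1088, "pk1": 65, "hash": "sha256"},
    "mlkem1024nistp384-sha384": {"pk2": 1568, "ct2": 1568, "pk1": 97, "hash": "sha384"},
}

def _split(method, blob, pq_field):
    m = METHODS[method]
    pq_len, ec_len = m[pq_field], m["pk1"]
    # Exact length match: a short or padded blob is rejected before any crypto runs.
    if len(blob) != pq_len + ec_len:
        raise ValueError(f"{method}: expected {pq_len + ec_len} bytes, got {len(blob)}")
    ec = blob[pq_len:]
    if ec_len != 32 and ec[0] != 0x04:
        raise ValueError(f"{method}: ECDH key is not an uncompressed point")
    return blob[:pq_len], ec

def split_c_init(method, c_init):
    """C_INIT = C_PK2 || C_PK1 -> (ML-KEM public key, ECDH public key)."""
    return _split(method, c_init, "pk2")

def split_s_reply(method, s_reply):
    """S_REPLY = S_CT2 || S_PK1 -> (ML-KEM ciphertext, ECDH public key)."""
    return _split(method, s_reply, "ct2")

def combine(method, k_pq, k_cl):
    """K = HASH(K_PQ || K_CL): post-quantum secret first, then classical."""
    if len(k_pq) != 32:
        raise ValueError("ML-KEM shared secret must be 32 bytes")
    return hashlib.new(METHODS[method]["hash"], k_pq + k_cl).digest()

if __name__ == "__main__":
    # Constructed placeholder bytes, not real key material.
    c_init = bytes(1184) + bytes([1]) * 32
    pk2, pk1 = split_c_init("mlkem768x25519-sha256", c_init)
    print(len(pk2), len(pk1))
    print(combine("mlkem768x25519-sha256", bytes(32), bytes(32)).hex())
```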
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

