Composite Hybrid Keys – Quick Start

Get started with Composite Hybrid Keys in under 10 minutes and protect your data against quantum computer attacks.

What are Composite Hybrid Keys?

Composite Hybrid Keys combine classical cryptography (X25519, RSA, Ed25519) with post-quantum algorithms (ML-KEM, ML-DSA) to provide defense-in-depth security. They protect against:

• Quantum computers breaking classical algorithms (RSA, ECDSA)
• Undiscovered vulnerabilities in new PQC algorithms

Security guarantee: Attackers must break BOTH the classical algorithm AND the post-quantum algorithm to compromise your data. This "AND-decrypt" model provides 1000× better protection than OR-decrypt alternatives.

Zero code changes: Use the same API endpoints as simple keys. The platform handles all complexity transparently.

Prerequisites

Before you begin, ensure you have:

• AnkaSecure SDK 3.0.0 or later (download)
• API credentials (JWT token or API key)
• Java 17+ for SDK examples

REST API users: This guide walks through the Java SDK. For curl/HTTP examples, authentication, and the interactive reference, see the API Portal.

Step 1: Generate a COMPOSITE_KEM_COMBINE Key

Hybrid Key Encapsulation Mechanism (COMPOSITE_KEM_COMBINE) combines classical and PQC encryption with AND-decrypt semantics.

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.model.GenerateCompositeKeySpec;
import co.ankatech.ankasecure.sdk.model.ComponentSpec;

AnkaSecureSdk sdk = AnkaSecureSdk.builder()
    .baseUrl("https://api.ankatech.co")
    .bearerToken("YOUR_JWT_TOKEN")
    .build();

GenerateCompositeKeySpec spec = new GenerateCompositeKeySpec()
    .setKid("my-hybrid-encryption-key")
    .setMode(GenerateCompositeKeySpec.Mode.COMPOSITE_KEM_COMBINE)
    .addComponent(ComponentSpec.classical("X25519"))
    .addComponent(ComponentSpec.pqc("ML-KEM-768"))
    .setKdf("HKDF-SHA256");

ExportedKeySpec result = sdk.generateCompositeKey(spec);
System.out.println("✅ Composite key generated: " + result.getKid());

Step 2: Encrypt Data (Transparent API)

Key insight: Encrypting with composite keys uses the same API as simple keys. The platform automatically detects the key type and applies hybrid encryption. The response uses Content-Type: application/jose+json (General JSON Serialization) rather than the compact format used for simple keys.

EncryptResult result = sdk.encrypt("my-hybrid-encryption-key", plaintext);

// Composite keys return JSON object (not compact string)
Map<String, Object> jweJson = result.getJweAsMap();
System.out.println("✅ Data encrypted with hybrid key");
System.out.println("Format: " + result.getContentType()); // application/jose+json

Step 3: Decrypt Data (AND-Requirement Verified)

Decryption requires BOTH classical and PQC components. If either is compromised, decryption fails. The platform returns andDecryptVerified: true to confirm both components were used.

DecryptResult decrypted = sdk.decryptJwe(jweJson);

System.out.println("✅ Data decrypted successfully");
System.out.println("Plaintext: " + new String(decrypted.getPlaintext()));
System.out.println("AND-decrypt verified: " + decrypted.isAndDecryptVerified());

Step 4: Generate a COMPOSITE_SIGNATURE Key

Dual signature mode creates two independent signatures for defense-in-depth. Generation uses the same SDK entry point as Step 1, changing only the mode and swapping KEM algorithms for signature algorithms:

GenerateCompositeKeySpec spec = new GenerateCompositeKeySpec()
    .setKid("my-dual-signature-key")
    .setMode(GenerateCompositeKeySpec.Mode.COMPOSITE_SIGNATURE)
    .addComponent(ComponentSpec.classical("Ed25519"))
    .addComponent(ComponentSpec.pqc("ML-DSA-65"))
    .setVerificationPolicy("ALL");

ExportedKeySpec result = sdk.generateCompositeKey(spec);
System.out.println("✅ Dual signature key generated: " + result.getKid());

Step 5: Sign and Verify with Dual Signatures

Signing with a COMPOSITE_SIGNATURE key produces a JWS containing two independent signatures — one from the classical component and one from the PQC component. Verification applies the policy set at key creation:

• ALL – both signatures must be valid (strictest)
• ANY – at least one signature must be valid (most lenient)
• CLASSICAL_REQUIRED – classical signature must be valid
• PQC_REQUIRED – PQC signature must be valid

For a full runnable sign/verify example, see Flow 29 – Composite Hybrid Keys Usage.

Expected Output Summary

After completing these steps, you have:

✅ Generated a COMPOSITE_KEM_COMBINE key (X25519 + ML-KEM-768)

✅ Encrypted data with quantum-resistant hybrid

✅ Decrypted data with AND-decrypt verification

✅ Generated a COMPOSITE_SIGNATURE key (Ed25519 + ML-DSA-65)

✅ Signed and verified with dual signatures (ALL policy)

Quantum Protection: Your data is now protected against both classical and quantum attacks.

Troubleshooting Common Issues

Issue: "Security level mismatch"

Cause: Classical and PQC components have different NIST security levels.

Solution: Match security levels:

• Level 1: X25519 + ML-KEM-512
• Level 3 (recommended): X25519 + ML-KEM-768, Ed25519 + ML-DSA-65
• Level 5: RSA-4096 + ML-KEM-1024

Issue: "Verification policy not satisfied"

Cause: Not all required signatures are valid.

Solution: Check verification policy:

• ALL: All signatures must be valid (strictest)
• ANY: At least one signature must be valid (most lenient)
• CLASSICAL_REQUIRED: Classical signature must be valid
• PQC_REQUIRED: PQC signature must be valid

Issue: Response format confusion

Symptom: Expecting compact JWE string, receiving JSON object.

Solution: Composite keys use General JSON Serialization (RFC 7516 §7.2):

• Simple keys: Compact format (eyJhbGciOi...)
• Composite keys: JSON format ({"protected": "...", "recipients": [...]})

Detection: Check Content-Type header:

• application/jose → Simple key (compact)
• application/jose+json → Composite key (JSON)

Where Next?

Deep Dive

• Flow 29 – Complete SDK Example – Full Java implementation with ~200 lines of runnable code
• Best Practices – Algorithm selection, lifecycle management, performance optimization

Use Cases

• Quantum Protection Use Cases – Government, financial, healthcare, critical infrastructure scenarios

Help & Support

• Troubleshooting Guide – Common errors and solutions
• Email: [email protected]
• API Reference: Key Management API

Congratulations! You've successfully implemented quantum-resistant composite hybrid cryptography in under 10 minutes. Your data is now protected against both classical and quantum computer attacks.

Document Version 3.0.0 -- updated December 2025

© 2025 ANKATech Solutions INC. All rights reserved.