Papers
Topics
Authors
Recent
Search
2000 character limit reached

Hybrid Key Growing (HKG) Overview

Updated 8 July 2026
  • Hybrid Key Growing (HKG) is a cryptographic framework that combines heterogeneous key-generation techniques such as QKD, PQC, and classical methods to produce and refresh secure key material.
  • HKG employs methodologies including hybrid QKD protocols, extractor-based key combiners, and network-level key delivery to balance trade-offs in rate, reach, and security.
  • Research in HKG focuses on performance trade-offs, composability issues, and practical deployment challenges, driving innovation in adaptive and robust security architectures.

Hybrid Key Growing (HKG) denotes a family of constructions in which multiple secret-bit generation or key-establishment mechanisms are combined into a single coordinated process for producing, refreshing, transporting, or strengthening usable key material. The term is not yet standardized. In the most direct sense, HKG refers to protocols that jointly grow key material from heterogeneous physical or cryptographic sources; in adjacent senses, it includes hybrid QKD key-generation frameworks, extractor-based PQC–QKD key combiners, batch hybrid KEM schemes that deliver many session keys at once, and network architectures that extend the usable reach of locally generated QKD keys across wider infrastructures (Farré et al., 8 Aug 2025, Sykot et al., 2024, Giestinhas et al., 27 Mar 2026, Kim et al., 5 May 2025, Barral et al., 22 Apr 2026).

1. Scope and meanings

Across the relevant literature, HKG is best treated as an umbrella notion rather than a single primitive. Some works define hybridity inside QKD itself by mixing two quantum key-generation modes; some combine QKD with post-quantum or classical mechanisms at the key-combination stage; some treat HKG as service-level growth of QKD usability across domains; and some offer closely related dynamic group-rekeying mechanisms rather than formal key-growth constructions (Sykot et al., 2024, Kim et al., 5 May 2025, Barral et al., 22 Apr 2026, Lei et al., 2013).

Interpretation Representative work Core mechanism
Hybrid QKD key generation (Sykot et al., 2024) Probabilistic switching between GHZ-based QKD and B92
Direct HKG protocol (Farré et al., 8 Aug 2025) Bipartite photon-number/time-bin encoding with coherence witnessing
Hybrid physical-layer distribution (Basar, 14 May 2026) BB84-type QKD coordinated with a parallel KLJN link
Hybrid key combination (Giestinhas et al., 27 Mar 2026) Strong seeded extractors for PQC–QKD or QKD–QKD combination
Batch hybrid key exchange (Kim et al., 5 May 2025) Coding across many session keys and one encapsulation per KEM
Hybrid key delivery (Barral et al., 22 Apr 2026) Inter-domain relay of QKD-originated keys with Kyber-secured transport

A recurrent source of ambiguity is acronym overload. In other arXiv literatures, HKG also denotes Harbater–Katz–Gabber curves, hyper-relational knowledge graphs, and healthcare knowledge graphs; these are unrelated to Hybrid Key Growing and must be separated by context (Kontogeorgis et al., 2020, Liu et al., 2024, Cui et al., 2023).

2. Quantum-native HKG inside and around QKD

One important line of work treats HKG as hybridization within quantum key generation. In “Combining Entangled and Non-Entangled Based Quantum Key Distribution Protocol With GHZ State,” the protocol mixes a three-particle GHZ-state method with B92 under a measured selector qubit prepared in an equal superposition, so that P(C1)=P(C2)=12P(C_1)=P(C_2)=\frac{1}{2} (Sykot et al., 2024). The GHZ branch uses multipartite correlations such as

σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +1

and

σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,

while the B92 branch uses the non-orthogonal states

ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},

with conclusive probability

P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.

Its expected combined key length is written as

CPL=5n(1h(δ))16.CPL=\frac{5n(1-h(\delta))}{16}.

This architecture is hybrid in a strict round-by-round sense, but the switching rule is a fixed 50/50 probabilistic choice rather than an adaptive controller.

The clearest direct use of the name appears in “Secure Hybrid Key Growing via Coherence Witnessing and Bipartite Encoding,” which proposes a protocol that jointly exploits the photon-number and photon-time-bin degrees of freedom (Farré et al., 8 Aug 2025). Alice samples a key string K{0,1}β\mathbf K\in\{0,1\}^{\beta} with β=νω\beta=\nu\omega, and a pre-shared string F{0,1}β\mathbf F\in\{0,1\}^{\beta} decides which degree of freedom carries the key bit in each position. The companion degree of freedom carries a coherent superposition used for authentication and eavesdropping detection. The coherence witness is defined as

WσΔ(σ)σ,W_\sigma \equiv \Delta(\sigma)-\sigma,

and acceptance thresholds are based on a QBER bound σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +10 and a witness threshold σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +11. The protocol’s distinctive claim is that it removes basis reconciliation and therefore “approximately” doubles the bit-per-pulse rate relative to basis-sifting QKG schemes, while integrating entity authentication.

A related but differently motivated architecture appears in “Quantum Meets Statistical-Physical Secrecy: A Novel Hybrid Key Distribution Architecture,” where an optical BB84-type QKD link is coordinated with a parallel wired KLJN link (Basar, 14 May 2026). Three KLJN-assisted protocols are introduced. Protocol I uses KLJN only for secure basis matching and retains the same normalized secure key rate as BB84,

σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +12

Protocols II and III convert basis information or KLJN mixed-resistance events into additional secret bits, yielding

σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +13

Under the reported parameters, the hybrid throughput significantly exceeds BB84 below about σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +14, crosses below BB84 at around σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +15, and remains on the order of σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +16 over the considered σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +17 MAN range. This suggests that some HKG constructions are fundamentally short-haul and bottlenecked by the slower auxiliary mechanism.

3. Extractor-based and KEM-based hybrid key combination

A second major interpretation of HKG focuses on the combination of independently established keys. “Information-Theoretic Solutions for Seedless QRNG Bootstrapping and Hybrid PQC-QKD Key Combination” treats universal hash functions as strong seeded extractors and uses the Quantum Leftover Hash Lemma as the security foundation (Giestinhas et al., 27 Mar 2026). In the public-seed setting, concatenated secure sources can be compressed into a shorter output whose length satisfies a QLHL-style bound; in the private-seed setting, the seed/input split incurs a seed-length penalty. The central HKG consequence is post-compromise residual entropy: if the final output and one initial key are revealed, the remaining key retains quantified smooth min-entropy,

σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +18

The paper positions this as a substantive alternative to XOR, especially when transcript information must be bound to the combined key material.

“An Efficient Hybrid Key Exchange Mechanism” proposes CHOKE, which is not a standard hybrid KEM combiner for one shared secret but a mechanism for transporting many independent session keys simultaneously (Kim et al., 5 May 2025). Alice starts with

σxAσxBσxC=+1\langle \sigma_{xA}\sigma_{xB}\sigma_{xC}\rangle = +19

encodes it via an individually secure linear code,

σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,0

encapsulates each coded symbol σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,1 under a different σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,2, and Bob recovers the original keys by

σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,3

Its security notion is computational individual security, formalized by

σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,4

for any σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,5 outputs and any single message σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,6. The construction reduces computational and communication costs by an σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,7-fold factor relative to naively protecting each of σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,8 keys under each of σxAσyBσyC=σyAσxBσyC=σyAσyBσxC=1,\langle \sigma_{xA}\sigma_{yB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{xB}\sigma_{yC}\rangle = \langle \sigma_{yA}\sigma_{yB}\sigma_{xC}\rangle = -1,9 KEMs, but the trade-off is that the key vector is not jointly hidden under partial compromise.

A more deployment-oriented combination appears in “Hybrid Schemes of NIST Post-Quantum Cryptography Standard Algorithms and Quantum Key Distribution for Key Exchange and Digital Signature,” where the QKD-derived random number ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},0 and the ML-KEM-derived random number ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},1 are fed into a KMAC-based KDF to produce a 32-byte shared secret (Chen, 30 Sep 2025). In the two-source variant, ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},2 is used as the KDF key and ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},3 as the message; in the three-way variant, ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},4 is the message and ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},5 remains the KDF key. This is a concrete hybrid key-establishment pattern, but it is not a formal long-run key-growing model.

An adjacent architecture, HOQS+, uses repeated BBM92 sessions, a fresh PQC-derived symmetric key per cycle, and a PSK-protected instruction sequence that determines the order of OTP, AES, and Ascon layers (Gupta et al., 4 Dec 2025). Its novelty is not a conventional combiner but a secret control plane: confidentiality is intended to survive side-channel leakage of QKD and PQC keys because the adversary still lacks the instruction sequence. This is HKG-adjacent rather than canonical HKG, but it illustrates a broader design pattern in which multiple fresh keys and a small information-theoretic control secret jointly determine the effective encryption state.

4. Network-level and hardware-level HKG

At the network level, HKG often means extending the reach or availability of QKD-originated key material rather than increasing entropy in the information-theoretic sense. “Interconnecting Regional QKD Networks: Hybrid Key Delivery Across Quantum Domains” presents a distributed architecture of KMSTNs that relay QKD-generated keys between isolated regional QKD domains over classical WAN links protected by Kyber and AES (Barral et al., 22 Apr 2026). The most explicit hybrid relay formula is

ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},6

where ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},7 is a local adjacent-link QKD key and ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},8 is the Kyber-established secret. The system is standards-driven, uses ETSI GS QKD 014 and 020, and was deployed in an operational testbed with three regional subnetworks and eight KMSTNs. Reported pairwise key rates are generally in the ψ0=0,ψ1=0+12,|\psi_0\rangle = |0\rangle,\qquad |\psi_1\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}},9 range, with around P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.0 on the weakest 120 km link. This is HKG as service-footprint growth rather than end-to-end information-theoretic expansion.

“Hybrid Implementation for Untrusted-node-based Quantum Key Distribution Network” demonstrates another network-level hybridization: a unified untrusted-node platform that can run both SNS-TF-QKD with AOPP and MDI-QKD with double-scanning (Liu et al., 7 Mar 2025). The system uses a shared time-bin phase-encoding hardware stack and a common Charlie node, with a repeaterless benchmark

P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.1

Finite-size secure key rates are reported for MDI-QKD over 150–241 km and for SNS-TF-QKD over 241–431 km, with the TF-QKD data surpassing the absolute repeaterless bound over 310–431 km. This is HKG through protocol hybridity at the hardware and calibration layers: one infrastructure, multiple key-growing modes.

At the device level, “A Hybrid Integrated Quantum Key Distribution Transceiver Chip” demonstrates a hybrid photonic transceiver based on SiN interferometers and InP electro-optic modulators (Dolphin et al., 2023). The result is not a new HKG protocol, but it is directly relevant to practical key growth because it provides active encoding and decoding at P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.2, bidirectional secure bit rates of P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.3 over P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.4 channel attenuation, and positive finite-key secure rates at 250 km of fibre. The hybridization here is material-platform hybridization, but it improves the physical rate-security envelope available to higher-level HKG constructions.

A precursor outside quantum networking is the HSK scheme for MANET group key agreement (Lei et al., 2013). It combines pairwise public-key agreement on selected graph edges with symmetric distribution of a fresh group/session key over the resulting secure links, while using an extended Kruskal algorithm to reuse precomputed secure links during dynamic events. This is not HKG in the strict modern sense, but it anticipates a central HKG theme: reuse inherited cryptographic state and inject fresh randomness only where necessary.

5. Security models, guarantees, and recurrent misconceptions

A central misconception is that all HKG constructions provide the same security guarantee. They do not. The GHZ–B92 hybrid protocol gives a weighted-sum key-yield model and fidelity-based abort conditions, but it does not provide a complete composable proof for the joint hybrid system, nor explicit thresholds for all attack classes (Sykot et al., 2024). The direct photon-number/time-bin HKG protocol likewise depends on a classical physical-layer assumption—that intercept-resend induces detectable delay in time bins—so its security is not purely information-theoretic in the usual QKD sense (Farré et al., 8 Aug 2025). The KLJN-assisted architecture also assumes ideal KLJN operation and a simplified asymptotic BB84 model, with “a more sophisticated threat model” left open (Basar, 14 May 2026).

A second misconception is that hybridization automatically implies “secure if at least one survives.” That guarantee is highly construction-dependent. CHOKE gives individual secrecy of each delivered key if one underlying KEM remains IND-CPA secure, but it does not guarantee full joint secrecy of the key vector under partial compromise (Kim et al., 5 May 2025). By contrast, the extractor-based approach explicitly quantifies residual min-entropy under reveal of the final output and one component key, and can preserve the information-theoretic contribution of QKD when public-seed extraction is used (Giestinhas et al., 27 Mar 2026).

A third misconception is that network-level HKG preserves end-to-end quantum security. Inter-domain hybrid key delivery reintroduces computational assumptions on Kyber and AES over non-QKD segments, and it requires trust in intermediate KMSTNs that decrypt, re-encrypt, store, and forward key material (Barral et al., 22 Apr 2026). Similarly, hybrid QKD–PQC key exchange schemes that feed QKD and ML-KEM outputs into a KDF are hybrid key-establishment protocols, but not necessarily formal key-growth systems with composable long-term state-evolution proofs (Chen, 30 Sep 2025).

6. Performance trade-offs and open directions

The dominant performance pattern across HKG research is that hybridization usually improves a trade-off, not every metric simultaneously. The GHZ–B92 system is explicit: it generates more keys than standalone entanglement-based protocols such as E91 and GHZ QKD, but fewer than standalone B92, which is exactly what its weighted-average formula predicts (Sykot et al., 2024). CHOKE offers an P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.5-fold reduction in computational and communication costs for transporting P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.6 keys with P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.7 heterogeneous KEMs, but only under the weaker goal of computational individual security (Kim et al., 5 May 2025). KLJN-assisted QKD can add a constant P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.8 normalized key-rate term in Protocols II and III, yet absolute throughput becomes KLJN-limited as distance increases, and the hybrid advantage disappears around P(conclusive)=12.P(\text{conclusive})=\frac{1}{2}.9 in the reported setup (Basar, 14 May 2026).

At the systems level, rate-security trade-offs become infrastructural. Regional QKD federation extends reach much more effectively than it extends rate; the empirical profile is that reach scales better than rate, with congestion and buffer exhaustion appearing under 100 concurrent requests (Barral et al., 22 Apr 2026). Multi-protocol untrusted-node networks show the opposite asymmetry: MDI-QKD is practical in the lower-loss regime, while TF-QKD becomes decisive in the high-loss regime and can surpass the absolute repeaterless bound (Liu et al., 7 Mar 2025). Device-level hybridization changes the feasible envelope again: the SiN–InP transceiver shows that low loss and fast active basis choice can coexist on one chip, which directly raises practical secure-bit throughput (Dolphin et al., 2023).

The most persistent open directions are therefore architectural rather than purely algebraic. Several papers point toward adaptive protocol selection instead of fixed switching probabilities, stronger finite-key and composable analyses, better handling of related-key exposure under partial compromise, dynamic routing based on real-time key pools, and more explicit accounting of authentication-key consumption in net key growth (Sykot et al., 2024, Giestinhas et al., 27 Mar 2026, Barral et al., 22 Apr 2026, Basar, 14 May 2026). A plausible synthesis is that mature HKG will require three layers at once: a high-rate physical generator, a rigorously analyzed combiner or extractor, and a network controller that treats heterogeneous key sources as schedulable resources rather than isolated primitives.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Hybrid Key Growing (HKG).