From the German BSI-TR-02102-1 ([0],[1]) guidelines
"Combination of Classical and PQC Security: The secure implementation of PQC mechanisms, especially with regard to side-channel security, avoidance of implementation errors and secure implementation in hardware, and also their classical cryptanalysis are significantly less well studied than for RSA- and ECC-based cryptographic mechanisms. In addition, there are currently no standardised versions of these mechanisms. Their use in productive systems is currently only recommended together with a classic ECC- or RSA-based key exchange or key transport. In this case, one speaks of a so-called hybrid mechanism. Parallel to a PQC key transport, an ECC-based key exchange using Brainpool or NIST curves with at least 256 bits key length should be performed. The two shared secrets generated in this way should be combined with the mechanism given in Section B.1.1 of this Technical Guideline. Here, the standard [96] in its current version explicitly provides the possibility to combine several partial secrets. A hybrid approach, as proposed here, is further described for example in [5] as the most feasible alternative for a use of PQC mechanisms in the near future.
Provided that the restrictions of the stateful mechanisms XMSS and LMS recommended in this Technical Guideline are carefully considered, these hash-based signatures can in principle also be used alone (i.e., not hybrid), see Chapter 6"
[0]: https://cyber.gouv.fr/en/publications/follow-position-paper-...
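
An added example, not part of the comment or of the BSI text: one way to combine the two shared secrets so that the session key depends on both. The quote does not reproduce Section B.1.1 or name standard [96], so the KDF used here (a SHA-256 one-step KDF in the style of NIST SP 800-56C, with the PQC secret appended as an auxiliary secret) is an assumption, as are all function names, the context string and the constructed sample secrets.

```python
import hashlib
import struct

# Assumption: a curve with at least 256 bits yields an ECDH x-coordinate of >= 32 bytes.
MIN_ECC_SECRET_LEN = 32


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int) -> bytes:
    """K(i) = SHA-256(counter || Z || FixedInfo), counter = 1, 2, ... as 32-bit big-endian."""
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    digest_size = hashlib.sha256().digest_size
    reps = -(-out_len // digest_size)  # ceiling division
    blocks = [
        hashlib.sha256(struct.pack(">I", counter) + z + fixed_info).digest()
        for counter in range(1, reps + 1)
    ]
    return b"".join(blocks)[:out_len]


def combine_hybrid(ecc_secret: bytes, pqc_secret: bytes,
                   context: bytes, out_len: int = 32) -> bytes:
    """Derive one key from both partial secrets: Z' = Z_ecc || T_pqc.

    The ECC secret has a fixed length for a given curve, so the plain
    concatenation is unambiguous. A missing partial secret is an error:
    silently deriving from one secret alone would defeat the hybrid.
    """
    if len(ecc_secret) < MIN_ECC_SECRET_LEN:
        raise ValueError("ECC shared secret shorter than a 256-bit curve yields")
    if not pqc_secret:
        raise ValueError("PQC shared secret missing, refusing ECC-only derivation")
    return one_step_kdf(ecc_secret + pqc_secret, context, out_len)


# Constructed sample values standing in for real ECDH and KEM outputs.
ECC_SECRET = bytes(range(32))
PQC_SECRET = bytes(range(100, 132))
CONTEXT = b"example-protocol v1|initiator|responder"

if __name__ == "__main__":
    print(combine_hybrid(ECC_SECRET, PQC_SECRET, CONTEXT).hex())
```
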