Post-Quantum Cryptography in the Real World: How We’re Using ML-KEM, HQC, and Dilithium
If you've spent more than five minutes thinking about the cryptographic landscape post-quantum, you've probably realized: almost everything you use isn't ready. Most systems pretending to be "secure" rely on public key infrastructure that's dangerously outdated in a world with looming quantum capabilities.
We’ve taken a practical approach using standardized post-quantum primitives like ML-KEM (formerly known as Kyber), HQC, and Dilithium to replace brittle X.509 and traditional key exchange.
What’s the Problem?
Symmetric cryptography (AES, ChaCha20) is relatively safe—even in the quantum era, Grover’s algorithm only halves their effective key length. But public key cryptography? That’s where things fall apart.
We’ve all seen it: TLS, S/MIME, PGP—still leaning heavily on RSA, ECDSA, and their curve-based cousins. These won’t survive a quantum future. But you still need a way to establish shared secrets securely.
Our Approach
Rather than relying on a single key encapsulation mechanism, we combine three:
- ML-KEM for lattice-based encapsulation
- HQC for code-based redundancy
- X25519 for legacy interop and fallback
Here’s how it works: we derive a symmetric key using three seeds. Each seed is encrypted with one of the KEMs above. The final symmetric key is the result of an HKDF(seed1, seed2, seed3) operation. We then sign the bundle using Dilithium.
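The combiner step above, written out as an added example (this is illustrative code, not the implementation the post describes). It uses only the Python standard library: HKDF is implemented per RFC 5869 with HMAC-SHA256, and the three KEM legs are stand-ins with constructed ciphertexts and shared secrets, since the real values come from the ML-KEM, HQC and X25519 libraries. The labels (ML-KEM-768, HQC-128, X25519), the context string and the sizes of the constructed ciphertexts are assumptions chosen here. One design choice goes beyond the post's HKDF(seed1, seed2, seed3) description: the ciphertexts and KEM names are hashed into the HKDF salt, so the derived key is bound to exactly which ciphertexts were exchanged and not only to the secrets that resulted, which is the usual requirement for a combiner to stay secure when any one of its KEMs holds.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Sequence

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256; an empty salt means a zero-filled one."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    output, block, counter = b"", b"", 1
    while len(output) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        output += block
        counter += 1
    return output[:length]


@dataclass(frozen=True)
class KemResult:
    """One leg of the hybrid: which KEM, the ciphertext that was sent, the secret it yielded."""
    name: bytes           # label such as b"ML-KEM-768" (labels chosen for this example)
    ciphertext: bytes     # the encapsulation the recipient actually received
    shared_secret: bytes  # what decapsulation (or the X25519 agreement) returned


def _lp(field: bytes, width: int = 4) -> bytes:
    """Length-prefix a field so adjacent fields cannot be re-split into a colliding encoding."""
    return len(field).to_bytes(width, "big") + field


def transcript(legs: Sequence[KemResult]) -> bytes:
    """Canonical encoding of (name, ciphertext) for every leg. This is also the byte
    string a bundle signature (Dilithium in the post) should cover."""
    return bytes([len(legs)]) + b"".join(_lp(leg.name) + _lp(leg.ciphertext) for leg in legs)


def combine(legs: Sequence[KemResult], context: bytes, length: int = 32) -> bytes:
    """Derive the final symmetric key from all legs.

    The shared secrets form the HKDF input keying material; the hashed transcript is the
    salt and the caller's context goes into info, so the key depends on every secret, on
    every ciphertext, and on the purpose it is derived for."""
    if len(legs) < 2:
        raise ValueError("a hybrid combiner needs at least two KEM legs")
    ikm = b"".join(_lp(leg.shared_secret) for leg in legs)
    salt = HASH(transcript(legs)).digest()
    info = b"hybrid-kem-combiner-v1" + _lp(context)
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def constructed_legs(seed: bytes = b"example") -> List[KemResult]:
    """Constructed stand-ins for the three legs. Ciphertext sizes are arbitrary here;
    in real use each value comes from the corresponding KEM library."""
    def fake(label: bytes, ct_len: int) -> KemResult:
        ct = hashlib.shake_256(seed + label + b"ct").digest(ct_len)
        ss = hashlib.sha256(seed + label + b"ss").digest()
        return KemResult(label, ct, ss)
    return [fake(b"ML-KEM-768", 1088), fake(b"HQC-128", 512), fake(b"X25519", 32)]


def derive_session_key(seed: bytes = b"example") -> bytes:
    """End-to-end: three constructed legs in, one 32-byte symmetric key out."""
    return combine(constructed_legs(seed), context=b"messaging/v1")


if __name__ == "__main__":
    print(derive_session_key().hex())
```

The `context` argument is what separates the post's two workflows: deriving with `b"messaging/v1"` and `b"transfer/v1"` from the same three legs yields unrelated keys, so a key for one cannot be replayed into the other.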
Why It Works
This structure ensures:
- Multiple cryptographic assumptions (lattice, code, elliptic curve)
- Defense in depth even if a single scheme is broken
- Signature authentication independent of transport layer
- No reliance on traditional CA hierarchy or S/MIME cert stores
We use this scheme for both messaging and secure transfer workflows. The fingerprints are verified out-of-band, removing the certificate authority middleman from the trust equation.
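An added example of the out-of-band fingerprint check, not code from the post: the fingerprint is SHA-256 over a scheme label and the raw signing public key, displayed as grouped hex, and the value a peer reads back is normalized before a constant-time comparison. The label, grouping and hash choice are assumptions made here; the public key in the usage is a constructed placeholder.

```python
import hashlib
import hmac

GROUP = 4  # hex characters per displayed group, e.g. "3F9A 0C12 ..."


def fingerprint(public_key: bytes, scheme: bytes = b"Dilithium") -> str:
    """SHA-256 over a length-prefixed scheme label and the raw public key, as grouped hex.
    The label keeps the same bytes under a different scheme from sharing a fingerprint."""
    digest = hashlib.sha256(len(scheme).to_bytes(2, "big") + scheme + public_key).digest()
    hexed = digest.hex().upper()
    return " ".join(hexed[i:i + GROUP] for i in range(0, len(hexed), GROUP))


def normalize(text: str) -> str:
    """Accept what a person reads back over a call: any spacing, colons or lowercase."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def verify_out_of_band(public_key: bytes, read_back: str, scheme: bytes = b"Dilithium") -> bool:
    """Compare the locally computed fingerprint with the one confirmed out of band.
    hmac.compare_digest runs in constant time and returns False on a length mismatch,
    so a truncated read-back (only the first few groups) never verifies."""
    expected = normalize(fingerprint(public_key, scheme)).encode()
    received = normalize(read_back).encode()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"\x01" * 64  # constructed placeholder, not a real Dilithium public key
    print(fingerprint(key))
```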
Closing Thoughts
We didn’t invent multi-KEM + post-quantum signature stacks. But we’re implementing them in real workflows, today, for systems that care about future-proof confidentiality. It’s not academic—it’s operational.