ML-DSA is standardized and roadmaps are accelerating — but beware the shortcut. NIST allows the deployment of "pure" post-quantum cryptography, and the NSA, through CNSA 2.0, ultimately targets that same endpoint. In France, and more broadly in Europe, the doctrine is different: ANSSI recommends hybridization — a classical mechanism and a post-quantum mechanism, combined — throughout the transition phase, for signatures as well as for key establishment. The direct consequence for PKI: a product that can only do pure ML-DSA does not meet ANSSI expectations in regulated contexts. This article explains the divergence between the two doctrines, the technical rationale for hybrid schemes, and closes with an actionable compliance checklist.
The context: post-quantum migration is no longer optional
NIST's standardization of the first post-quantum algorithms — including ML-DSA for signatures, standardized in FIPS 204 (August 2024) and derived from CRYSTALS-Dilithium — has turned a technology-watch topic into an engineering project. Vendors are announcing support, certification authorities are testing post-quantum trust chains, and CIOs are starting to receive audit questionnaires that explicitly mention crypto-agility.
For a PKI, the stakes are twofold. First, key establishment: data encrypted today with classical mechanisms (RSA, ECDH) can be captured now and decrypted later by an attacker with a cryptographically relevant quantum computer — the "store now, decrypt later" scenario. Second, signatures: unlike encryption, a signature is not retroactively threatened in the same way, but long-lived trust anchors — root CAs, intermediate CAs, code signing, timestamping — commit the security of an entire ecosystem for ten or twenty years. A root CA issued today must still be trustworthy at the horizon where the quantum threat becomes credible.
Faced with this, the temptation is strong to reason by simple substitution: swap RSA/ECDSA for ML-DSA and consider the matter closed. That is precisely the shortcut the European doctrines urge us to avoid.
Two doctrines, two risk strategies: ANSSI vs the NSA
It is worth laying this out clearly, because the confusion is common in RFPs and sales pitches.
On the American side, the NSA has published the CNSA 2.0 suite (Commercial National Security Algorithm Suite 2.0), which defines the cryptographic target for US national security systems. This doctrine aims at a migration to pure post-quantum: eventually, the post-quantum algorithms standardized by NIST replace classical mechanisms, with no hybridization requirement. The CNSA 2.0 timeline (published by the NSA in 2022) calls, for example, for post-quantum software and firmware signing to be preferred as early as 2025 and used exclusively by 2030, and targets fully quantum-resistant national security systems by 2035.
On the French side, ANSSI has published views on the transition to post-quantum cryptography that recommend a different approach: during the transition phase, post-quantum mechanisms must be deployed in hybridization with proven classical mechanisms. This recommendation is formalized in the document "ANSSI views on the Post-Quantum Cryptography transition" (position of January 4, 2022, follow-up of March 30, 2022, updated in 2023) and applies to key establishment as well as signatures; hybridization is required there during the early phases of the transition.
It is important to say this without caricature: this is not a contradiction, these are two risk-management strategies. The NSA favors migration simplicity and bets on the maturity of the NIST-standardized algorithms, whose selection process it followed closely. ANSSI favors defense in depth against young cryptographic schemes, even at the cost of extra implementation effort during the transition. Both positions are well argued; but for any organization subject to the French or European frameworks, it is the latter that governs.
Why hybrid, technically: two distinct risks, one countermeasure
The rationale for hybridization is not bureaucratic — it is cryptographic. A PKI in transition faces two risks of a different nature:
-
The quantum risk: a cryptographically relevant quantum computer breaks the classical mechanisms based on factorization and the discrete logarithm — RSA and elliptic curves. This is the risk driving the entire migration.
-
The classical cryptanalytic risk against the post-quantum schemes themselves: ML-DSA and its cousins rest on lattice problems (and in particular assumptions of the MLWE type, Module Learning With Errors). These constructions are promising and survived a long, public selection process — but they remain young by the standards of cryptanalytic history. RSA and ECC benefit from several decades of unsuccessful public attacks; lattice-based schemes do not yet have that track record. The recent history of the NIST process — where candidates were broken late by purely classical attacks — is a reminder that this risk is not theoretical: SIKE, a round 4 finalist of the NIST process, was broken in 2022 on an ordinary laptop (the Castryck-Decru attack), and the multivariate scheme Rainbow fell the same year. Neither of these schemes relies on lattices the way ML-DSA does — but they are a reminder that a long-studied candidate can collapse overnight, under a purely classical attack.
A hybrid mechanism covers both risks at once: the construction combines a classical mechanism and a post-quantum mechanism such that overall security holds as long as either one of the two holds. To forge a hybrid signature, an attacker would have to break both ECDSA (or RSA) and ML-DSA. This is the very definition of defense in depth applied to cryptography: the hybrid falls only if both components fall.
This insurance has a cost — larger signatures and certificates, validation complexity, two key lifecycles to manage — but it is bounded in time: hybridization is a transitional measure, not an end state. The day the agencies judge the cryptanalytic track record of lattice-based schemes sufficient, the classical component can be retired.
The European level: the ECCG advises against standalone MLWE
The French position is not an outlier. At the European level, the ECCG, in version 2 (May 2025) of its document "Agreed Cryptographic Mechanisms" (edited by ANSSI), explicitly advises against standalone use of MLWE-based mechanisms during the transition period. In other words: at the EU level too, an ML-DSA or ML-KEM type mechanism used on its own, without a classical component, is not considered compliant with the agreed cryptographic mechanisms for the transition.
For organizations pursuing European certifications — Common Criteria under a member state's scheme, national qualifications, upcoming European cybersecurity certification schemes — this position carries direct weight: it feeds into the evaluation frameworks that laboratories and certifiers apply. A "pure ML-DSA only" product presenting itself for evaluation in Europe during the transition starts out with an identified compliance gap from day one.
What "hybrid" actually means in a PKI
The word "hybrid" covers several implementation realities, and this is where PKI projects are won or lost. Without going into every detail — the topic deserves a dedicated "hybrid vs composite" article, coming soon — let us lay out the two main families:
-
Parallel (dual) certificates: the end entity holds two certificates and two keys — a classical pair (RSA or ECDSA) and a post-quantum pair (ML-DSA). The two trust chains coexist, optionally linked to each other. Advantage: each chain remains standard and interoperable with the installed base; clients that do not yet understand post-quantum continue to validate the classical chain. Drawback: you must orchestrate two lifecycles — issuance, renewal, revocation — coherently, and define the validation policy on the application side.
-
Composite certificate: a single certificate carries both public keys and both signatures, combined according to formats currently being specified at the IETF (work of the LAMPS group, still at the drafts stage). Advantage: a single object to manage, with a "both or nothing" validation semantic closer to the spirit of hybridization. Drawback: interoperability depends on unfinalized standards, and the behavior of existing TLS stacks, HSMs and middleware when confronted with these objects must be verified case by case.
Each of these approaches has distinct implications for interoperability, the size of cryptographic objects, HSM compatibility and compliance with the applicable frameworks. The choice is far from trivial and must be made early in the migration project — ideally when designing the future CA hierarchy, not afterwards.
The qualification stakes: RGS, eIDAS, ANSSI security visa
In France, the question goes beyond good practice: it conditions access to certain markets. Organizations subject to the RGS (Référentiel Général de Sécurité), trust service providers pursuing eIDAS qualification, and vendors seeking an ANSSI security visa (qualification or certification of their products) operate in a framework where the agency's doctrine is not one opinion among others: it is the binding reference for the evaluation.
Concretely, this means that the post-quantum strategy of a product or service evaluated in France during the transition will have to follow the hybridization doctrine. A vendor offering only pure ML-DSA — however compliant with the NIST standards — risks failing the evaluation, or seeing the post-quantum part carved out of its qualification scope. For a CIO building a roadmap, the practical conclusion is simple: contractually require hybridization capability from your PKI suppliers, and do not settle for an "ML-DSA: yes" checkbox in an RFP grid.
It is also an effective filter against the ambient post-quantum marketing: the question to ask a vendor is not "do you support ML-DSA?" but "how do you support the coexistence and combination of classical and post-quantum mechanisms, and along what trajectory toward the standardized hybrid formats?". The difference between the two answers measures the product's real maturity.
Where the tooling stands
Editor's note, in the interest of transparency. ZetaCA, our post-quantum-oriented certification authority, supports the hybrid approach via dual certificates: classical + ML-DSA pairs have been validated end-to-end, with the ML-DSA operations performed on the HSM side. ZetaCA also implements the composite mode (a single certificate combining both mechanisms, following the IETF LAMPS pq-composite-sigs drafts), tracking their evolution — thereby covering both hybridization strategies, dual and composite, under a single authority. PKIFactor, our CLM orchestrator, handles classical/post-quantum coexistence at fleet scale: inventory, issuance, renewal and revocation of both certificate families within a single lifecycle.
No tool exempts you from the architecture work described above — but having a chain able to issue, track and keep both worlds coexisting is the price of entry. To assess where your own estate stands, a starting point: audit.zetacert.com.
ANSSI compliance checklist
For a CIO or CISO preparing a post-quantum migration in a French or European regulated context:
- Map cryptographic usages and their lifetimes: identify the data and signatures whose security must hold beyond the quantum-threat horizon (root CAs, code signing, archiving, long-retention encrypted data). These are your migration priorities.
- Set hybridization — not pure PQ — as the transition target in the roadmap, for key establishment and for signatures, in line with ANSSI's views ("ANSSI views on the Post-Quantum Cryptography transition", 2022, updated 2023).
- Require hybrid capability in RFPs: ask PKI/CLM/HSM suppliers how they combine classical and post-quantum (dual certificates, composite trajectory), not merely whether they "support ML-DSA".
- Verify the hardware chain: ensure that post-quantum operations (key generation, ML-DSA signing) can be performed inside the HSM, at the same assurance level as classical keys, and not in software alongside it.
- Test interoperability under real conditions: validate the behavior of TLS clients, middleware, directories and validation tools against post-quantum and hybrid certificates (larger sizes, unknown algorithms) before any production rollout.
- Build crypto-agility as a permanent requirement: the transition will involve several stages (eventual retirement of the classical component, evolution of the IETF composite formats); the architecture must allow switching algorithms or formats without a redesign.
- Align the timeline with the applicable frameworks: if you are targeting RGS, eIDAS or an ANSSI security visa, get your hybridization strategy validated with your evaluator or the agency upfront, not at submission time.



