[cm3]

I've read that, but can't find the details or make concrete sense of the scheme involved.

    will use a post-quantum key-exchange algorithm in addition to the
    elliptic-curve key-exchange algorithm that would typically be
    used. By adding a post-quantum algorithm on top of the existing
    one, we are able to experiment without affecting user security.
    The post-quantum algorithm might turn out to be breakable even
    with today's computers, in which case the elliptic-curve
    algorithm will still provide the best security that today’s
    technology can offer.

I mean, I can't answer the question with the info found in the blog.

Hanno commented this is a well known scheme without mentioning the name. If someone knows the name, I'll look that up. In the meantime, I'll dig through the code to understand what they're actually doing.

[Ar-Curunir]

The new key exchange is based on lattice cryptography, which is conjectured to be quantum resistant. The precise assumption is RLWE.

[cm3]

Thanks, and yes, I've read about what hardness assumption is used.

My confusion is about what pieces are concatenated. Is the same input processed twice (different ciphers) and then concatenated, which is then the generated key?

[tptacek]

The outputs of an RLWE and ECDH handshake are both fed into the TLS KDF.

[cm3]

Thanks for the info. May I ask if you figured that out from the blog or BoringSSL code?

[pbsd]

The hybrid ciphersuite idea comes from [1, Section 5.2], though you could also chalk it up to common sense. I don't think the blog spells out how it's done.

[1] https://eprint.iacr.org/2014/599

[wolf550e]

Adam Langley answered this on HN: https://news.ycombinator.com/item?id=12051438