[timenova]

There was a post a few days ago about how the NSA is wrong in not recommending hybrid quantum+classical cryptography algorithms [0].

And here is Mullvad, using two quantum algorithms together, presumably on top of classical cryptography.

> We use two quantum-secure key encapsulation mechanisms (Kyber and Classic McEliece) and mix the secrets from both. This means that both algorithms must have exploitable vulnerabilities before the security of the VPN tunnel can become affected.

[0] https://news.ycombinator.com/item?id=38844117

[bradknowles]

Seems to me like this would actually be much more likely to double their chances of being vulnerable, in that a break in either algorithm would lead to a weakness in their system.

I'd need to see some extraordinary evidence for that claim.

[rainworld]

Appears to be a hybrid: https://www.wireguard.com/protocol/

If an additional layer of symmetric-key crypto is required (for, say, post-quantum resistance), WireGuard also supports an optional pre-shared key that is mixed into the public key cryptography. When pre-shared key mode is not in use, the pre-shared key value used below is assumed to be an all-zero string of 32 bytes.